What BSCs Need to Know About Data Protection and Privacy
There is a distinction between data protection and data privacy, and building service contractors (BSCs) need to know how they are different in these trying times. Data protection is about securing data against threats such as theft or destruction. By contrast, data privacy focuses on guarding against unauthorized third-party access and use.
Data privacy is especially important because, in order for individuals to be willing to engage with your business in any online manner, they must trust that their personal data will be handled with care. Organizations use data protection practices to demonstrate to their clients that they can be trusted with this personal data. BSCs should be no different, according to 4M Building Solutions’ information technology professional Keith Schroeder.
How important has it become for BSCs to keep their data safe? “It is more important than ever,” Schroeder states. “As our company and industry grows, the amount of data created by our team members and SAAS (software as a service) vendors increases exponentially. Between that level of data being generated and its transportation to and from the cloud, it leaves everything more exposed than ever.”
To this end, Schroeder urges the deployment of multi-factor authentication (MFA) “for all profiles on your environment and monthly penetration testing.” More immediately, he says BSCs need to “implement the best endpoints you can afford, make sure all profiles are MFA enabled, [and be] in contact with your vendors ensuring that your connections to them are encrypted and hardened. Most, if not all, our data is being held in the cloud or with our accounting SAAS.”
Schroeder speaks with the voice of experience. He has worked for 4M Building Solutions for the past 15 years. He spent the first nine of those years as the company’s network administrator, and for the remaining five-plus years he has been the IT director. For three of those latter five-plus years, he ran the IT department by himself.
So, was there some advice regarding data privacy that was given to him at some point in his career that has really stuck? Schroeder was quick to reply, stating, “Implement yearly penetration/intrusion testing by an independent, third-party vendor.”
Training and equipping employees to recognize cybersecurity risks and threats has also been a must. To this end, he recommends bi-yearly cybersecurity training.
In terms of cyber threats specific to our industry that BSCs should be aware of, Schroeder singled out phishing e-mails that specifically target the interests and/or concerns of someone working in building maintenance.
“For example, e-mails that mention sales of PPE, chemicals used in our field, cleaning equipment, etc.,” he says.
Finally, BSCAI had the benefit of interviewing Schroeder here in the first quarter of a new year. During that interview, Schroeder was asked: “Are you generally optimistic, pessimistic, or mixed about the rest of 2022 with regard to data privacy matters and why?”
His answer: “I would say I am mixed. I have done tons of things here at 4M in the last several years to protect our environment. Those things include hardened, state-of-the-art, Cisco Meraki firewalls/switches, implementing MFA to all our 4M employee profiles, bi-yearly cybersecurity training, yearly phish testing and monthly pen tests.”
Such actions have proven necessary considering 4M Building Solutions ranks as one of the largest janitorial-related service suppliers in the Midwest and Southeast regions of the United States. The privately owned company has been serving clients since 1978. Today, its operations span more than a dozen states with offices in such markets as Indianapolis, Miami, Nashville and San Antonio, with a corporate headquarters in St. Louis.
As a result, vigilance is perhaps Schroeder’s most pressing duty and responsibility.
“Unfortunately, as we all know, the hackers are usually ahead of the curve when it comes to circumventing everything you put in place,” he concludes. “It is an ever-evolving battle to stay current on the latest attacks that are being perpetrated on that environment. In some cases, even after every bit of the training you give everyone, it only takes one person with a decent level of access to click on a malicious link to turn a good day into a bad day.”