All businesses face the risk of a data breach, but recent studies indicate that small businesses are particularly susceptible. According to a 2016 report from the Ponemon Institute, 50 percent of smaller organizations surveyed experienced a data breach in the previous 12 months. New research by Symantec found that small businesses were the victims of 43 percent of cyber attacks in 2015, up from 18 percent in 2011.
Why are small businesses such a growing target? Experts say it is because they often don’t have the security controls in place to keep thieves at bay.
These precautionary measures, together with a small budget and a large dose of vigilance, can help you protect your business.
1. Train your employees.
According to the Ponemon report, employees are the top cause of data breaches in small and mid-size businesses, accounting for 48 percent of all incidents. It’s usually due to an innocent mistake; employees often lack basic awareness of data security and of how attackers operate. Employee education is one of the most important things you can do to reduce the risk of data theft.
Offer mandatory awareness training on the security risks employees face every day. Social engineering is a growing threat for small businesses: attackers pose as a trusted source that needs confidential data. In a phishing email, employees are lured into clicking a link that installs malware on their computer without their knowledge. Ransomware then holds the computer hostage until the demanded ransom is paid.
To prevent employees from falling into these traps, advise them to:
- Confirm the legitimacy of the source before giving out confidential information
- Never open attachments from people they don’t know
- Avoid suspicious links in emails, websites and online ads
2. Secure sensitive information.
Sensitive data is the valued commodity that criminals seek to exploit for profit. It includes personally identifiable information (PII) for employees, customers and patients as well as business trade secrets, financial data and other company-confidential information. In the wrong hands, this information can damage your business, customers and reputation.
Limit access to online files based on an employee’s need to know. Store paper files and removable storage devices containing sensitive information in a locked drawer, cabinet, safe or other secure container when not in use.
3. Properly dispose of sensitive data.
Be equally vigilant when disposing of sensitive data. Shred documents containing confidential information prior to recycling. Remove all data from electronic devices—whether computers, tablets, smartphones or storage hardware—before disposing of them.
4. Use strong password protection.
Passwords are under constant attack, and attackers use a number of different techniques to guess or crack them. To deter their efforts, password-protect your business computers, laptops and smartphones as well as access to your network and accounts. Require employees to change default passwords and to set a strong, complex password with a variety of characters, and require that it be changed at least quarterly.
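The rules above (reject default passwords, require a variety of characters, rotate at least quarterly) can be enforced mechanically. The following Python check is an added example, not code from the original article; the minimum length of 12, the "three of four character classes" rule and the default-password list are assumptions chosen for illustration.

```python
import re
from datetime import date, timedelta

# Constructed sample of vendor/default passwords that must be rejected.
# Placeholder list for illustration; replace it with your own inventory.
DEFAULT_PASSWORDS = {"password", "admin", "123456", "welcome", "changeme"}

MIN_LENGTH = 12      # assumed policy value, not stated in the article
MIN_CLASSES = 3      # assumed: "variety of characters" = 3 of 4 classes
MAX_AGE_DAYS = 90    # "changed at least quarterly"


def password_problems(password: str, last_changed: date, today: date) -> list[str]:
    """Return the list of policy violations; an empty list means compliant."""
    problems = []

    # Default or well-known passwords are rejected outright.
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default or well-known password")

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Character variety: count how many of the four classes are present.
    classes = [
        re.search(r"[a-z]", password),
        re.search(r"[A-Z]", password),
        re.search(r"[0-9]", password),
        re.search(r"[^A-Za-z0-9]", password),
    ]
    if sum(1 for c in classes if c) < MIN_CLASSES:
        problems.append(f"needs at least {MIN_CLASSES} character classes")

    # Quarterly rotation: flag passwords older than MAX_AGE_DAYS.
    if today - last_changed > timedelta(days=MAX_AGE_DAYS):
        problems.append(f"older than {MAX_AGE_DAYS} days; rotation required")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a stand-alone run.
    print(password_problems("Password", date(2024, 3, 1), date(2024, 4, 1)))
    print(password_problems("Tr0ub4dor&3xyz", date(2024, 1, 1), date(2024, 4, 15)))
```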
5. Protect against malware.
Malware (short for “malicious software”) refers to programs such as viruses and spyware that are installed on a computer with the intent to access sensitive information or cause damage. Malware can be installed when an unsuspecting employee plugs in a malware-laden USB device or clicks on an infected link in an email or on a website.
To prevent a malware attack, install and use antivirus and anti-spyware software on all company devices and be sure your employees are on the lookout for suspicious links.
6. Control physical access to your business computers.
Create user accounts for each employee to prevent unauthorized users from gaining access to your business computers. Laptops can be stolen easily; make sure they’re locked in place when unattended. Also limit network access on computers located in or around public spaces, such as the reception area.
7. Encrypt data.
Encryption encodes information, whether it is stored on a device, in the cloud or being transmitted over the Internet, and only the person or computer with the proper key can decode it. Encryption is highly recommended for all devices containing sensitive information, including laptops, mobile devices, USB drives, backup drives and email.
Most operating systems and many software applications have a built-in encryption option which you simply need to activate (instructions vary). You may also purchase encryption programs tailored to the needs of your business—whether for an entire drive or for one or more files or folders. Secure Sockets Layer (SSL, now superseded by TLS) certificates are the standard way for businesses to encrypt sensitive information, such as credit card details, while it is transmitted over the Internet.
8. Keep your software and operating systems up to date.
Malware continuously evolves, and software vendors continuously update or “patch” their programs to address newly discovered security vulnerabilities. For this reason, it’s vital to install updates to security software, web browsers, operating systems and antivirus software as soon as they are released. They’re your first line of defense against online threats.
9. Secure access to your network.
To prevent outsiders from gaining access to private information on your network, enable your operating system’s firewall or purchase reputable firewall software. Configure a Virtual Private Network (VPN) to give workers a secure means of accessing your network while working remotely. If you have a Wi-Fi network for your workplace, make sure it is secured with encryption, hide your SSID (service set identifier) so that it isn’t broadcast to the public, and require a password for access.
10. Verify the security controls of third parties.
Most businesses rely on third-party vendors for some aspect of their operation, whether for payroll, credit card processing or to manage their security functions. But there are security risks in doing so. If a breach occurs on the vendor’s watch, your data may be compromised and you could still be held responsible for the loss.
Before engaging the services of a third-party vendor, evaluate their security standards and best practices to ensure they meet your minimum requirements. Look for vendors that:
- Have strong security policies and procedures
- Regularly back up their data on a hard drive as well as in the cloud
- Perform routine internal security audits
- Run background checks on employees with access to your data
- Require employees to complete data security training
- Keep up to date with the latest security patches and security software
- Have a comprehensive incident response plan for responding to and managing the effects of a security attack
Once you’ve vetted and selected a third-party service provider, put a service level agreement (SLA) in place that details your security expectations and gives you the right to audit the vendor to confirm compliance with your policies.