All businesses face the risk of data breach, and small businesses are particularly susceptible.
According to a report from the Ponemon Institute prepared in 2016, 50 percent of smaller businesses surveyed experienced a data breach in the previous 12 months. New research by Symantec found that small businesses were victim to 43 percent of cyber attacks in 2015, up from 18 percent four years earlier.
Experts say small businesses are targeted because they often don’t have the security controls in place to keep data thieves at bay.
With that in mind, here are some things you can do with a small budget and a large dose of vigilance, to help you protect your business. This information is from an article written by Kathy Simpson for The Hartford Small Biz Ahead newsletter.
The 10 tips
1. Train your employees.
According to the Ponemon report, employees are the top cause of data breaches in small and mid-size businesses. They’re responsible for 48 percent of all incidents. It’s usually due to an innocent mistake; employees often lack basic awareness of data security and how hackers work. Arming your employees with knowledge is one of the most important things you can do to reduce data theft risk.
Offer mandatory awareness training on the security risks employees face every day. Social engineering is a growing threat for small businesses: attackers pose as a trusted source (a vendor, a bank, even the boss) that urgently needs confidential data or a payment. In a phishing email, employees are lured into opening an attachment or clicking a link that installs malware on their computer without their knowledge. Ransomware is one such payload: it encrypts the files on the computer, and often on any network shares it can reach, and demands payment for the key to unlock them.
Advise your employees to follow these practices:
Confirm the legitimacy of the source before giving out confidential information
Never open attachments from people they don’t know
Avoid suspicious links in emails, websites and online ads
2. Secure sensitive information.
Sensitive data is the valued commodity that criminals seek to exploit for profit. It includes personally identifiable information (PII) for employees, customers and patients as well as business trade secrets, financial data and other company-confidential information. In the wrong hands, this information can damage your business, customers and reputation.
Limit access to online files based on an employee’s need to know. Store paper files and removable storage devices containing sensitive information in a locked location when not in use.
3. Dispose of sensitive data properly.
Be equally vigilant when disposing of sensitive data. Shred documents containing confidential information prior to recycling. Securely erase all data from electronic devices, whether computers, tablets, smartphones or storage hardware, before discarding, selling or donating them. Simply deleting files or emptying the trash is not enough, because the data stays on the disk until it is overwritten; use the device's factory reset or a disk-wiping tool, or physically destroy drives that held especially sensitive data. Devices that were encrypted from the start are the easiest to retire, because destroying the encryption key makes whatever remains on the drive unreadable.
4. Use strong password protection.
Passwords are under constant attack: hackers guess them, crack stolen password databases and reuse credentials leaked from other websites. To deter their efforts, password-protect your business computers, laptops and smartphones as well as access to your network and accounts. Require employees to change every default password and to set long, unique passwords for each account; a password manager makes this practical. Wherever an account offers two-factor authentication, turn it on, so that a stolen password is not enough on its own. Note that current guidance from NIST (SP 800-63B) no longer recommends forcing routine password changes such as a quarterly rotation; instead, require a change promptly whenever there is any sign that a password has been exposed.
Learn more in our blog “the recipe for super password security.”
5. Protect against malware.
Malware refers to “malicious” software, such as viruses and spyware, that is installed on a computer with the intent to access sensitive information or cause damage. Malware can be installed when an unsuspecting employee uses a malware-laden USB device or clicks on an infected link in an email or on a website.
To prevent a malware attack, install and use antivirus and anti-spyware software on all company devices, keep it updated, and remind employees never to click on suspicious links or plug in USB devices of unknown origin.
6. Control physical access to your business computers.
Create a separate user account for each employee, with administrator rights reserved for those who need them, to prevent unauthorized users from gaining access to your business computers. Laptops can be stolen easily. Make sure they’re locked in place or stored in a locked drawer when they’re unattended. Also limit network access on computers located in or around public spaces, such as the reception area.
7. Encrypt data.
Encryption encodes information, whether it is stored on a device, in the cloud or being transmitted over the internet, so that only the person or computer with the proper key can decode it. Encryption is highly recommended for all devices containing sensitive information, including laptops, mobile devices, USB drives, backup drives and email.
Most operating systems and many software applications have a built-in encryption option which you simply need to activate (instructions vary). You may also purchase encryption programs tailored to the needs of your business—whether for an entire drive or one or more files or folders. Whichever you use, keep the recovery key somewhere safe and separate from the device, because without it encrypted data cannot be recovered. Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL) and still commonly referred to by that name, is the standard way to encrypt sensitive information such as credit card details while it is transmitted over the internet; a TLS certificate on your website is what makes the padlock and https:// appear in the browser.
8. Keep your software and operating systems up to date.
Malware continuously evolves and software vendors continuously update or “patch” their programs in order to address new security vulnerabilities. For this reason, it’s vital to install updates to security, web browser, operating system and antivirus software as soon as they are released, and to enable automatic updates wherever they are offered. They’re your first line of defense against online threats.
9. Secure access to your network.
To prevent outsiders from gaining access to private information on your network, enable your operating system’s firewall or purchase reputable firewall software. Configure a Virtual Private Network (VPN) so that workers have a secure, encrypted means of accessing your network while working remotely, rather than exposing internal services directly to the internet. If you have a Wi-Fi network for your workplace, make sure it uses WPA2 or WPA3 encryption with a strong passphrase, not the older WEP or WPA standards, which are easily broken. Hiding the SSID (service set identifier, the network name) offers little protection, since the name is still visible to anyone with basic wireless tools, so do not rely on it. Put visitors on a separate guest network rather than the one your business computers use. Always require a password for access.
10. Verify the security controls of third parties.
Most businesses rely on third-party vendors for some aspect of their operation, whether for payroll, credit card processing or to manage their security functions. But there are security risks in doing so. If a breach occurs on the vendor’s watch, your data may be compromised and you could still be held responsible for the loss.
Before engaging the services of a third-party vendor, evaluate their security standards and best practices to ensure they meet your minimum requirements. Look for vendors that:
Have strong security policies and procedures
Regularly back up their data on a hard drive as well as the cloud
Perform routine internal security audits
Run background checks on employees with access to your data
Require employees to complete data security training
Keep up-to-date with the latest security patches and security software
Have a comprehensive incident response plan for responding to and managing the effects of a security attack
Once you’ve vetted and selected a third-party service provider, put a service level agreement (SLA) in place that details your security expectations, requires the vendor to notify you promptly of any breach affecting your data, and gives you the right to audit the vendor to confirm compliance with your policies.