October is National Cyber Security Awareness Month, so we wanted to bring you all a comprehensive guide to the biggest threat to small businesses in today’s world: data breaches. Unfortunately for many unprepared small businesses, 2013 was the year that data breaches took off. According to the annual Internet Security Threat Report from Symantec, 552 million customer identities were stolen (493% increase from 2012) from small business data breaches. That’s a lot of angry customers. Alarmingly, data breaches are exponentially on the rise, with a 62% increase of incidents from 2012 to 2013.
While the data breaches of large companies such as Target attracted the most media attention, small business was actually quite a big juicy target for data thieves as well. According to the National Small Business Association’s annual Small Business Technology Survey, nearly half of all small businesses reported being the target of a cyber-attack. As an increasing number of businesses turn to online software, applications, and cloud storage to reduce operating costs and increase productivity, there is now more online data at risk than ever before. Among those targeted, the average cost associated with a cyber-attack was $8,699.48!
According to Veracode research, 66% of small businesses depend on the internet for day-to-day operations and 72% of the known hacker breaches in 2011 affected businesses with 100 employees or fewer, yet 50% of small businesses think they are too small to be a hacker target. Given that small businesses are very closely tied to their communities, a data breach could permanently destroy your company’s local reputation, and with it your future as a business.
Given the extremely high threat level from small business data thieves, you’re most likely at greater risk than you realize. What can you do to protect yourself? There are numerous ways to thwart data hackers, from practicing a little common sense to completely locking down your entire digital and physical facilities. Continue reading for our three-tiered guide to see which level of security suits you best.
I. Foundation of Security
No matter what level of security your small business needs, you’ll need to complete the first basic steps.
Complete a data inventory. Just as with physical merchandise, it’s important to know what your digital store-room holds. For each set of data (anything from stored credit cards to email lists) you have, write down who has access to it and what measures are in place to protect it. Also classify each type into one of the following categories:
- Highly Confidential: All of your most sensitive data should be placed in this tier. In general, anything that, if disclosed, could negatively impact your customers, company, business partners or vendors should be considered highly confidential. Examples include credit-card information, full names and addresses, passwords, social security information and medical information.
- Sensitive: This classification is for information that is intended only for internal use and is considered private. Examples include employee performance evaluations, internal financial reports, marketing plans or business contact information. According to the federal CAN-SPAM act of 2003, as a business you are obligated to protect your customers’ emails as sensitive, private information.
- Internal Use Only: This classification is intended for information that may be widely available to employees in your company, but still shouldn’t be available to the public. This information may not severely hurt the company if released, but should still be barred from public disclosure.
Once you have each database categorized, take a look at the security measures for all items within the same category. Is all of your “highly confidential” data secured the same way? If not, this is a good time to find obvious weak links and “catch up” data sets that may not be as secure as others within the same category.
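The “catch up” check described above, as an added example (not code from the original article): each data set in the inventory carries its tier, who can reach it and which protections are in place, and the script flags sets that lack a control another set in the same tier already has, plus sets that more people can access than a limit you choose. The tier names, control names and the sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class DataSet:
    name: str
    tier: str            # Highly Confidential / Sensitive / Internal Use Only
    who_has_access: set  # people who can reach the data
    controls: set        # protections currently in place

def tier_reference(inventory):
    """For each tier, the union of controls that any data set in that tier
    already has: the level the weaker sets in the tier must catch up to."""
    ref = {}
    for ds in inventory:
        ref.setdefault(ds.tier, set()).update(ds.controls)
    return ref

def find_weak_links(inventory, baseline=None):
    """Return {name: sorted missing controls} for data sets protected less
    well than others in the same tier (or than an explicit per-tier baseline)."""
    reference = tier_reference(inventory)
    if baseline:
        for tier, controls in baseline.items():
            reference.setdefault(tier, set()).update(controls)
    gaps = {}
    for ds in inventory:
        missing = reference[ds.tier] - ds.controls
        if missing:
            gaps[ds.name] = sorted(missing)
    return gaps

def broad_access(inventory, tier, max_people):
    """Data sets in a tier that more people can access than the limit allows."""
    return sorted(ds.name for ds in inventory
                  if ds.tier == tier and len(ds.who_has_access) > max_people)

# Constructed sample inventory for a hypothetical shop (not real data).
SAMPLE = [
    DataSet("stored_credit_cards", "Highly Confidential", {"alice"},
            {"encrypted", "access_list", "offline_backup"}),
    DataSet("customer_addresses", "Highly Confidential",
            {"alice", "bob", "carol", "dave"}, {"access_list"}),
    DataSet("employee_reviews", "Sensitive", {"alice", "bob"}, {"access_list"}),
    DataSet("internal_financials", "Sensitive", {"alice"},
            {"access_list", "offline_backup"}),
    DataSet("lunch_menu", "Internal Use Only", {"alice", "bob", "carol"}, set()),
]

if __name__ == "__main__":
    for name, missing in find_weak_links(SAMPLE).items():
        print(f"{name}: catch up on {', '.join(missing)}")
    print("too widely shared:", broad_access(SAMPLE, "Highly Confidential", 2))
```

Passing a `baseline` dict lets you require controls that no data set in a tier has yet, which the union of existing controls alone cannot surface.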
Even if you outsource data security, you should still safeguard everything stored within your immediate facility and devices, regardless of vendor guarantees. When your customers’ data is stolen, it will do you no good to attempt to solely blame your vendor; it will be your business that suffers.
Don’t forget the basic importance of safeguarding your digital devices, period. According to the Symantec study, data being accidentally made public, theft or loss of computer drives, and insider theft together accounted for 62% of all data breaches in 2013.
II. Threat Level 1 Protection
- Limit access! The fewer people who can access sensitive data, the less likely it is to get stolen. It’s pretty simple– if someone doesn’t need access to a certain database to perform the function of their job, there is absolutely no reason for them to be able to access it. It’s better to err on the side of caution here– someone can always find a colleague with credentials to help them with a single task if need be.
- Train all of your employees about the basics in digital security. They should be able to recognize social engineering (conning someone into willfully giving access to data), as well as classic online fraud and password phishing schemes. Make sure they don’t download any fake antivirus software or malware in general, and always have anyone answering the phone verify the identity of telephoning information seekers.
- If employees don’t regularly or remotely need access to sensitive data, you should consider storing it on a computer that is not connected to the network. Financial systems or payroll software can easily be stored on a single machine with no internet access, and accessed by those who need that data when they are physically present at the machine.
- Make use of freeware! For basic security check-ups, look over this list of free security scanning tools from the Department of Homeland Security’s National Cyber Security Alliance.
- Update on time! I know, I know– shutting down and restarting in the middle of that brainstorming session seems like such a hassle. But in the world of cyber security, selecting that oh-so-tempting “in four hours” option could be fatal. Cyber criminals know that the iron only stays so hot after discovering what is called a zero-day vulnerability (a previously unknown chink in digital armor). Your security providers will quickly release patches and updates to combat now-known threats, but they’ll only work if you install them via updates!
III. Threat Level 2 Protection
- Use two-factor authentication on the most sensitive data. This means that on top of protecting general access to a database with a password, your employees will need to complete one more level of authentication. This can be as simple as each employee entering a PIN. Using a physical item that an employee would have on them, such as an ID card, can also work. And then there are the famous retina and fingerprint scanners. All acceptable forms of two-factor authentication!
- Encrypt the most sensitive drives, folders or files. Encryption scrambles the data contained on the drive to look like mumbo-jumbo to an outsider. Only someone with a key that unscrambles the data will be able to read it, rendering your most sensitive data useless to would-be thieves or hackers. Beware, though: sub-par encryption can be broken without the key by a sufficiently clever attacker. For that reason, make sure whatever encryption you use is FIPS-certified, meaning it has been validated against the Federal Information Processing Standards and so meets the government’s own security standards. While encryption can be found for free, even high quality encryption products probably won’t break the bank.
- Designate an employee the security compliance officer. Give this person a stipend if you can afford it. Alternatively, give this position to someone with an interest in the subject or who could use a few more things in their workload. This person should be in charge of periodically auditing all of the company’s security protocols and making sure employees are following them. Additionally, this person can be responsible for vetting your vendors. Have him or her read the fine print for all cloud computing or other essential technology. If your cloud isn’t secure, you aren’t secure! Oftentimes technology providers can offer extra security features– have the compliance officer research these and present on the costs and benefits. You can either decide to pay a little extra, or keep these extra features in your back pocket to request for free when you’re renewing the contract on your service.
IV. Threat Level 3 Protection
- Lock down your facility. Remember that data theft isn’t always digital– even the Great Firewall of China won’t protect you if someone can pick the lock on your front door. Much will depend on your level of risk and tolerance for spending. Investigate tough locks, shatter-proof windows, security cameras and a high-tech alarm system. If you have some highly sought-after data, investing thousands here could save you tenfold down the road.
- Hire an outside firm to conduct periodic security tests. White-hat hackers can be your best friends. Contract an outside company to try to hack your system. If they succeed, you don’t lose anything and you have identified a weak spot.
- Establish strict security protocols for employees bringing personal electronic devices to work. If your employees are lazy about their own digital security, they could be bringing a whole mess of trouble with them right onto your network. Depending on your risk level, it might be a good idea to have your employees check their personal electronic devices at the door (power them down first!). Alternatively, you can have your IT team set up minimum security requirements that prevent at-risk devices from getting on the network in the first place.
Small businesses have especially close ties to their communities; their business usually depends on the local population. Experiencing a data breach could permanently destroy your company’s local reputation, and with it your future as a business in that area. You cannot rely on third party security providers alone. When your customers’ data is stolen, it will do you no good to attempt to solely blame your vendor, and it will be your business that suffers from the lost trust in the end.