Security is arguably the top concern for customers. And, for good reason. In 2015 there were an estimated half a billion data breaches. A data breach can damage your reputation, decrease sales, and even cost you a ton of money in settling lawsuits.
Make Sure Your Small Business Doesn’t Have a Data Breach
To prevent any of those from happening, you have to take the following steps in ensuring that your small business won’t experience a data breach.
Provide your employees with training.
According to a report released by the Association of Corporate Counsel, employee error is the leading cause of data breaches, such as sending an email containing sensitive information to unauthorized individuals outside the company.
Because of that, it’s important that you properly train your employees in security basics and raising their awareness of common scams. One of the most effective ways to accomplish this is through social engineering.
“Social engineering involves manipulating workers to voluntarily give up information or access,” says Terry Evans, president of Cybersecurity Biz in Rochester, NY, in The Hartford.
Social engineering works like this: Someone posing as a social engineer with someone in your office claiming that they are ‘testing the system’ to trick that employee into handing over their password. According to Evans, social engineers rely on the fact that employees aren’t aware of the value of the information they possess, so they’re lax in guarding it.
Social engineering awareness training, in conjunction with written policies and procedures, can be achieved through;
- Instructing employees never to click on unsolicited e-mail attachments or links that are embedded in emails.
- Training employees to never share sensitive information with anyone without first verifying their identity.
- Refraining from using USB drives that are left out in the open. Hackers often leave these devices, and once used, the company becomes infected with malicious software, which gives the hacker access to your system.
“Failing to address the threat posed by social engineering is somewhat like buying a high-tech security system and then leaving your front door unlocked,” says Evans.
Another way to avoid employee error is by restricting access to secure data, like customer’s payment information or administrative access to things like bookkeeping software and social media accounts.
Limit the amount of personal data you have stored.
As the Federal Trade Commission recommends, you need to go lean and mean in your data collection, retention, and use policies.
For starters, only collect the information that you need from your customers. For example, there’s absolutely no need to gather their email passwords when collecting their email addresses when registering for an account. Furthermore, never use their personal information, such as using real people’s personal information in employee training sessions.
Also, limit the amount of time that you store your customer’s information. Once a transaction is completed, there’s no longer a need to hold onto the credit and debit card information used to complete the transaction.
Having too much personal information, and holding onto it, doesn’t just add unnecessary risk; it could also land you in hot water with organizations like the FTC.
Encrypt your data.
As Andra Zaharia explains in the Heimdal Security blog, “Encryption tools are very useful in keeping valuable information hidden from cybercriminals because it renders the data inaccessible to prying eyes.”
Zaharia explains that “Encryption is a process that transforms accessible data or information into an unintelligible code that cannot be read or understood by normal means.” Thankfully, encryption tools are included in most operating systems. For Windows-based PCs, it’s BitLocker and on Macs, it’s FileVault.
There are also free encryption tools like VeraCrypt, 7Zip, and AxCrypt.
Make sure your payment processing network is secure.
Before you start accepting payments online, ensure that your network has an adequate firewall and updated virus protection. Also, make sure that the platform you’re using is PCI compliant.
Create secure passwords and comprehensive authorization.
I completely understand creating and remembering complex passwords is annoying. However, it’s essential if you want to prevent data breaches. When considering possible passwords, make sure that they’re strong, contain at least 13 characters, symbols, letters, and numbers. It’s also suggested that you change your passwords frequently and lock users out after a certain number of incorrect password attempts.
To make your life easier, there are many password managers, such as LastPass, Dashlane, and KeePassX, that will protect your online accounts without having you memorize those lengthy and complicated passwords.
You should also consider two-factor authentication. This simply uses a password and another factor, like a pin code sent to a mobile device or a fingerprint, whenever you or your team logs into an account.
Two-factor authentication is useful when you or your employees access data from more than one device, such as a laptop, tablet, or smartphone, or when you’re working remotely since it requires a second-level of authentication, instead of just a password that can easily be discovered.
Why wait for a data breach to happen in the first place? With monitoring tools like Stealthbits, you have real-time threat detection that locates and disables any suspicious activity before databases are attacked.
Don’t forget the physical information.
We get so focused on online and cloud-based data protection that we neglect physical property like paperwork, hard drives, laptops, flash drives, and disks. Make sure that these physical items are stored securely and not carelessly left out for anyone to grab, like in your garage or passenger seat of your car.
Like not storing personal data that you no longer need, you should also dispose of information you no longer need securely. For example, if you’re a local pharmacy, you would want to shred customers’ outdated prescriptions.
How to recover from a data breach.
Despite taking the precautions listed above, you can’t completely avoid a data breach 100%. If that’s the case, here are some of the steps that you should take following the breach;
- Even after a breach has been squashed, there’s still a possibility that your customers will have to deal with issues like identity theft. And, you’re going to receive a fair share of questions and complaints from your customers. Guide them through the post-process by being transparent, responding to their concerns, and offering them one year of identity theft prevention.
- Work with law enforcement and consumer protection agencies by providing them the information that they need.
- Launch a PR campaign to win back customers.
- Rethink and update your current security strategy and software.