How To Protect Your Small Business From a Data Breach
Data security is arguably the fastest growing threat for your business. And, for good reason. Despite all of the attention on high-profile data breaches, like Target or JPMorganChase, 9 out 10 data breaches involve small businesses.
Why would cyberciminlas go after a small business though? In most cases, small business owners aren’t educated about these risk and they don’t have the resources to thwart these attacks.
Ultimately, being a victim can damage your reputation, decrease your revenue, and you may even be held liable if it was found that you didn’t take the appropriate precautions.
Instead of waiting until it’s too late, here’s how you can protect your small business from a data breach.
Educate yourself and your employees.
“Cyberattacks are becoming more and more sophisticated and it’s easy to be fooled by emails, links and attachments that look like everyday business requests,” says Norman Guadagno, chief evangelist, Carbonite. “It only takes one click for malware, viruses and ransomware to in infiltrate your system, compromising important business data.”
With that in mind, “the first step in protecting your data from cyber attacks is educating your employees to make sure they’re up to date on the latest methods being used by cybercriminals,” he says. “One of the best ways to do this is by creating real life scenarios to test employees’ ability to detect a phishing email or suspicious links. This will help you gain insight into common mistakes and identify areas for improvement.”
Christopher Roach, managing director & national IT practice leader, CBIZ Risk & Advisory Services, also suggests that you think about “hiring a third-party to conduct social engineering or facility breach exercises, [which] can help you understand whether your security policies and awareness programs will actually prevent outsiders from obtaining valuable client information directly from your employees.”
Know what data you have and where it’s stored.
If you’re like a majority of companies you have data stored in multiple locations. However, not knowing the exact location of this sensitive or private data, such as such as credit card numbers, as well as any personally identifiable information (PII) that can be linked to an individual, is a major concern among security experts.
In fact, a mere 16 percent of organizations know where all of their sensitive structured data resides, “and a miniscule seven percent knowing the location of all sensitive unstructured data, including data in emails and documents.”
Steve Robb recommends on PCI Compliance Guide that you assign a specific individual to be responsible and accountable “for monitoring and protecting the sensitive data your business handles.”
You can also create “a simple spreadsheet that documents the various types of sensitive data your business is handling, its location, and who has responsibility for it. Be sure to review this spreadsheet on a quarterly basis at minimum, to ensure that the information it contains remains current.”
And, never “store cardholder data, period.”
Never transmit data that isn’t encrypted.
“Encryption tools are very useful in keeping valuable information hidden from cyber criminals, because it renders the data inaccessible to prying eyes,” says Andra Zaharia for the Heimdal Security blog. Most operating systems already come with encryptions tools, such as the Windows-based BitLocker and the Macs FileVault.
However, if you ever have to transmit data, such as through email, make sure that it’s encrypted. And, never, ever transmit this information over public Wifi networks.
Outsource payment processing.
“Nearly every major attack against credit card data in the past few years has exploited a single, glaring vulnerability in the current payment industry infrastructure.
The fact that merchants are still permitted to handle actual credit card data in their systems,” says Dave Oder, President/CEO of Shift4 Corporation.
He adds that merchants need to “properly combine point-to-point encryption and tokenization technologies” whenever a card is swiped. This means that “the business never handles actual card data as the transaction is processed through the merchant environment. With only a secure token returned to the merchant along with the authorization, there is no more risk of storing vulnerable cardholder information because the onsite database only holds tokens that are meaningless and valueless to thieves.”
If that seems too complicated for the time being, then avoid handling credit card data on your own and rely on reputable vendors – regardless if it’s for point-of-sale or web payments. These companies have a security team that can protect sensitive data far better than you can.
Use layered security.
The first place to start when it comes to securing your systems is by creating strong and complex passwords that use combination of numbers, upper and lower case letters, and special characters.
It’s also recommended that passwords should be changed at least every 90 days and never shared or written down.
After that, you may want to use multi-factor authentication which uses a password and another factor to verify your identity, such as a series of questions or a fingerprint.
“Cybercriminal use all types of malware, including Trojans, Man-in-the-Middle, Man-in-the-Brose, and keyloggers, to get what they want, including personal data and payment details,” says Due co-founder Chalmers Brown. “Continue updating your tools to detect malware that may be present. You may also need to invest your time in understanding how malware is used in terms of patterns used by cybercriminals. Focus on using malware detection solutions that can work in the background rather than relying on those options that involve user downloads or registrations.”
Don’t forget about physical information.
“We get so focused on online and cloud-based data protection that we neglect physical property like paperwork, hard drives, laptops, flash drives, and disks,” says Brown.” Make sure that these physical items are stored securely and not carelessly left out for anyone to grab, like in your garage or passenger seat of your car.”
Chalmers adds, “Like not storing personal data that you no longer need, you should also dispose of information that you no longer need securely.
“For example, if you’re a local pharmacy, then you would want to shred customer’s outdated prescriptions.”
Purchase adequate Data Breach Insurance.
“If you are in business long enough some type of accident is going to occur. It is not a matter of if, but when,” says Mitchell Sharp, Marketing Associate for Workers Compensation Shop.com. “That is no different in the case of a data breach. Most small businesses can have data breach insurance bundled with their other insurance for a relatively small amount,” he says.
“Depending on the size of your business this can cost as little as a few hundred dollars. That pales in comparison to the thousands it will cost to repair your business after a data breach occurs.”