Only high-profile cyber attacks and breaches, such as those committed against Equifax, the NHS, and Uber, may make it to the headlines. But the latest reports and trends show that small businesses are especially at risk:
- More than 60% of data breaches target small businesses, according to the 2017 Verizon Data Breach Investigation Report. The rate has gone up from the previous year’s 53%.
- Meanwhile, cyber attacks on small companies can cost anywhere between $84,000 and $148,000, says UPS Capital. About 60% of these businesses were forced to close down only six months after the attack.
- If you have an office in Europe or are thinking of expanding into the continent, data breaches can have more severe financial consequences. Under the GDPR, data breaches will cost you 4% of your annual turnover or €20 million in penalties, whichever is greater.
Your customers trust you enough to give you their names, credit card details, and other sensitive information. Pay that trust back in kind. Read this short guide and learn what you must do and avoid to keep prying eyes and hands away from your customers’ data.
Don’t Use Easy Passwords
Passwords are your first line of defense against hacktivists, cyber terrorists, competitors, and other people trying to gain unauthorized access to your data.
However, businesses don’t pay enough attention to their passwords, according to a study.
The 2012 Global Security Report by Trustwave found that “Password1” is the most common password for business users. It has more than eight characters, an uppercase letter, and a number. “Password1” is also one of the easiest codes to guess.
Using easy pickings like “Password1” will put your data at risk. You should also stay away from other big password no-no’s like:
- Using your birthday, phone number, or any other piece of information people can look up
- Using a close variation of your username (ex: username123)
- Words found in the dictionary
- Adjacent key combinations (ex: 123456)
Check out the next section to learn how to make your accounts a tougher nut to crack.
Do Create Usernames And Passwords According To Industry Best Practices
Secure passwords are at least eight characters long, but you can go up to 12 characters to make your code even harder to guess. You should also use both lowercase and uppercase letters, and be sure to throw in numbers and symbols for good measure.
Here’s a cool tip:
You can turn an otherwise easy-to-guess password to a secure one by replacing some of the letters with numbers and symbols.
Change “username” to “[email protected]”. The second version is still easy to remember, but it’s impervious to brute force attacks using words in a dictionary.
And one last reminder:
Use two-factor authentication whenever possible.
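As an added example (not code from the original post), here is a small Python checker that applies the rules from this section: at least eight characters, lowercase and uppercase letters, numbers and symbols, and none of the listed no-no’s (personal details, a variation of the username, dictionary words, adjacent-key runs). The word list and keyboard rows are constructed stand-ins for a full dictionary file.

```python
import re

# Constructed word list standing in for a real dictionary file.
COMMON_WORDS = {"password", "welcome", "letmein", "admin", "secret"}
# Keyboard rows used to spot adjacent-key runs such as "123456" or "qwerty".
KEY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def has_key_run(pw, n=4):
    """True if pw contains n adjacent keyboard keys in order or reversed."""
    low = pw.lower()
    for row in KEY_ROWS + [r[::-1] for r in KEY_ROWS]:
        for i in range(len(row) - n + 1):
            if row[i:i + n] in low:
                return True
    return False


def check_password(pw, username="", personal=()):
    """Return the rules the password breaks; an empty list means it passes.

    username: the account name (close variations such as username123 fail).
    personal: strings anyone could look up, e.g. a birth year or phone number.
    The guide says eight characters is the minimum and twelve is better;
    only the hard minimum is enforced here.
    """
    problems = []
    low = pw.lower()
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if username and username.lower() in low:
        problems.append("contains the username")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if has_key_run(pw):
        problems.append("contains an adjacent-key sequence")
    return problems
```

Note that “Password1” from the Trustwave report passes the length, case and number rules and is still rejected, because the check also looks for the dictionary word and the missing symbol.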
Don’t Make Sensitive Data Accessible To Everyone
A flat organizational structure brings many business advantages.
The structure eliminates time-consuming and expensive layers of management and reporting. Not to mention the smaller hierarchy of a flat organization means a business can pivot and adapt to the circumstances faster than peers with non-flat structures.
On the other hand…
Taking the flat approach to data access can spell disaster.
The lack of hierarchy in the organization often means everyone has the same level of access to data. This way, people can get the information they need for the projects they initiate.
But should someone’s login credentials fall into an outsider’s hands, the outsider gains access to every piece of information the company is keeping!
Do Segregate Data And Control Access
In particular, you want to have oversight on employees’ access to personally identifiable information, healthcare information, and intellectual property.
Make sure that only the employees who absolutely need to access sensitive data are given access.
Meanwhile, you should only give access across networks and systems to administrators, as tech and systems maintenance are part of their job. But be sure to put robust security controls and round-the-clock monitoring in place.
If you need to grant temporary access to, say, third-party vendors or service providers, you must have stringent policies and procedures for allowing access, as well as a process for revoking their rights after completion of their work.
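An added illustration, not part of the original guide: a minimal Python registry of need-to-know grants that gives vendors access with an expiry time, revokes it when their work is done, and produces an oversight report of who currently holds access to a data category. The account names, categories and timestamps are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

SENSITIVE = {"pii", "health", "ip"}  # categories the guide says need oversight

@dataclass
class Grant:
    principal: str               # employee, admin or vendor account
    category: str                # "pii", "health", "ip", ...
    reason: str                  # why it was granted; kept for audit
    expires: Optional[datetime]  # None = standing need-to-know access

class AccessRegistry:
    """Need-to-know grants with expiry, revocation and an oversight report."""

    def __init__(self):
        self.grants = []

    def grant(self, principal, category, reason, now, hours=None):
        # hours=None gives standing access; a number gives temporary access.
        if category in SENSITIVE and not reason:
            raise ValueError("sensitive data needs a documented reason")
        expires = now + timedelta(hours=hours) if hours is not None else None
        self.grants.append(Grant(principal, category, reason, expires))

    def revoke(self, principal):
        # Drop every grant for a principal, e.g. when a vendor finishes.
        before = len(self.grants)
        self.grants = [g for g in self.grants if g.principal != principal]
        return before - len(self.grants)

    def _live(self, category, now):
        return [g for g in self.grants if g.category == category
                and (g.expires is None or now < g.expires)]

    def who_has(self, category, now):
        # Oversight report: who currently holds access to a data category.
        return sorted({g.principal for g in self._live(category, now)})

def demo():
    # Constructed scenario: standing access for an employee, 8 hours for a vendor.
    reg, t0 = AccessRegistry(), datetime(2024, 1, 15, 9, 0)
    reg.grant("alice@billing", "pii", "processes customer invoices", t0)
    reg.grant("vendor-x", "pii", "migrating the CRM", t0, hours=8)
    t1, t9 = t0 + timedelta(hours=1), t0 + timedelta(hours=9)
    return {"during": reg.who_has("pii", t1),   # both hold access
            "after": reg.who_has("pii", t9),    # vendor grant has lapsed
            "revoked": reg.revoke("vendor-x")}  # 1 grant removed
```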
Don’t Take System Maintenance For Granted
System maintenance is the process of keeping computer systems in good shape, and updating applications is an essential component of this process.
Delaying routine maintenance may seem like a good idea, especially when everyone’s hands are full. But don’t give in to the temptation.
Did you know?
When WannaCry infected personal and commercial computers across 150 countries a few years ago, its victims were mostly systems with out-of-date software. If the outbreak taught us anything, the lesson is:
Always patch your software to the latest version as soon as possible!
Do Update To The Latest Software Versions ASAP
Proper system maintenance starts by auditing every computing device in your organization, and making sure they have the latest version of the operating system along with the most current security features.
You want to update all applications in your systems, of course. But you want to take extra care of the operating system as it hosts other applications and serves as the link to the hardware.
Patching anti-virus software frequently should also be a priority in your system maintenance to-do list. These applications scan and protect your computers from malicious software, but they will miss threats if their virus definitions are not up to date.
Other office and IT equipment can be just as vulnerable as regular computing devices.
Multifunction printers, for example, can store documents, connect to the internet, and print documents from the cloud. As such, you will want to include these machines in your audit and keep their software current.
If you are leasing or a managed print service client, talk to your provider to make sure they upgrade the printers to the latest patch as soon as it’s released.
Don’t Leave Customer Data At The Mercy Of Ransomware
Ransomware is a type of malware that locks the victim out of their data (using encryption), while the perpetrators demand a ransom to be paid before the victim regains access.
In 2015, ransomware held the Lincoln County police department’s data hostage. Sheriff Todd Brackett’s initial reaction was a firm “no.” But after 48 gruelling hours, and realizing they were not getting their data back otherwise, the sheriff had to relent.
“We are cops. We generally don’t pay ransoms,” said Brackett with a sigh.
While the police department only had to pay hundreds of dollars to free their data, Nayana had to pay about 3,000 times more. When ransomware locked the South Korean hosting company out of more than 150 of its servers, it was forced to pay $1,000,000 in ransom.
Do Create Onsite And Offsite Backups
Cybersecurity Ventures’ 2017 Ransomware Damage Report predicts global ransomware damage costs to exceed $11.5 billion annually in 2019.
If you don’t want to be part of that statistic, then you should back up your data.
Sure, backups won’t stop ransomware attacks. But they allow your organization to still function. With reliable backups in place, you can clean or get rid of the infected machines, restore the latest backup data, and continue working.
Easier said than done for sure. Not to mention you still have to reckon with productivity loss and equipment costs. However, such losses are far easier to recover from than what organizations without backups have to endure.
Don’t Enforce A BYOD Policy Willy-Nilly
Bring Your Own Device (BYOD) became a workplace trend and then the norm, thanks to the rising popularity of smartphones.
For employers, a BYOD policy allows them to eliminate the need (and the cost) of buying computing devices for every staff member. Not to mention it works hand in hand with a cloud-centric IT strategy.
Employees, on the other hand, boost their workplace satisfaction and productivity as they use a device they are comfortable with.
However, a BYOD approach can lead to serious security and privacy risks – from lost or stolen devices, insecure usage, to compromised device integrity due to malicious apps.
If you want to adopt a BYOD policy, you better think it through!
Do Manage Mobile Devices Responsibly
While mobile devices carry security risks, you may find that the perks of BYOD are too good to pass up. If so, here are some tips to help you better manage mobile devices and minimize the risks.
Remote wiping, as the name suggests, erases all of the data in a device. And you want to be able to remote wipe an employee’s smartphone or laptop should it get lost or stolen.
Today’s smartphones have this feature. Apple’s “Find My iPhone” feature offers a remote wipe option, while Android devices can use an app to get the job done. But you have to set it up before you lose a device.
Encrypting data on mobile devices is also a must.
This way, even if the device gets into the wrong hands, an unauthorized person can’t read what’s inside like an open book. One needs massive amounts of computing power to decrypt an encrypted device, and most run-of-the-mill criminals won’t have it.
And last but not least:
You want a central administration platform to manage all of the mobile devices in your company.
Central administration lets you set requirements users must meet before accessing company data. It also allows you to remove confidential business information should an employee leave the organization, all the while leaving other data intact.
And now we wrap up our brief, one-page guide to protecting customer data in this day and age. While we have covered quite a lot, this guide to data security is anything but complete. So we want to involve you in the conversation.
So, mogul moms, what data security best practices do you rely on to keep your business’ confidential information safe and sound?
Let us hear your answers in the comments section below.
Nathan Sharpe is the entrepreneur behind Biznas, a blog where he serves practical business advice and tips to readers. Learning and helping others learn is his passion.