Data breaches are becoming more frequent and are making headlines. Major corporations like Home Depot and Target have recently faced significant data theft incidents. When small-business owners hear about these large enterprises being compromised, they may come to feel that protecting their online business information is pointless. However, there are numerous straightforward precautions that businesses can—and should—implement.
The most common error among small-business owners? “They often think, ‘This won’t happen to me,’” notes Stu Sjouwerman, CEO of KnowBe4, which offers online security training for small to medium-sized enterprises. “The truth is, hackers typically target small businesses because they are soft targets.” According to a 2015 National Small Business Association (NSBA) survey, half of small-business owners experienced a cyberattack, with 19 percent reporting hacking of their business credit cards or bank accounts.
Cybercrime can obliterate essential data, expose customer personal and financial details to theft, and result in financial loss for your business; in 2014, the NSBA revealed that an average cyberattack on a small business cost upwards of $20,000. The risk of customer lawsuits could also inflict significant financial burdens on your company in the event of a breach.
“If your business handles customers’ credit card, personal, financial, or medical information, data security should be a major concern,” emphasizes Andrew Bagrin, CEO of MyDigitalShield, which offers protective services for small businesses. “If an identity is stolen due to your negligence, you bear the responsibility.” This is a substantial concern for many enterprises—“60 percent of small businesses experiencing a data breach shutter their operations within six months,” Bagrin points out.
Control Through Cloud
Cloud storage, backups, and applications have gained traction among small businesses, and for valid reasons, according to Bagrin. “Would you keep your money under the mattress or in a bank?” he queries. “Imagine the cloud as a banking institution. These banks invest billions annually to safeguard your funds and ensure accessibility. Keeping your data on an office server is akin to stashing it under the mattress.”
Nonetheless, no storage or backup method is ever 100 percent secure. When selecting a cloud service provider, carry out thorough research and pose the right questions, advises Jocelyn Baird, content manager at NextAdvisor.com, which provides impartial reviews and assessments of online services for both consumers and small businesses. What inquiries should you make of your cloud provider?
1. Where is my data located? Data stored offshore is more susceptible to security issues due to less stringent regulations; thus, it’s advisable to choose storage within the United States.
2. What kind of backup procedures are in place? Verify that the company responsible for backing up and storing your data also has a reliable data backup process.
3. Who has access to my data? Employees of the cloud service should only be permitted access to the minimum amount of information necessary for their job functions.
4. Confirm that the cloud provider adheres to your industry’s regulatory requirements, such as HIPAA (Health Insurance Portability and Accountability Act) or PCI (Payment Card Industry).
When selecting a cloud backup solution, ensure their services align with your objectives, advises Ian McChord, product director at Datto, a company specializing in data backup, recovery, and business continuity. Many cloud providers impose fees for data uploads and downloads. “Most customers believe that downloading their data will be free,” McChord notes. “Many are shocked to find that retrieving their entire data set may cost as much as what they paid for storage.”
Also, recognize that not all cloud services offer the same restoration capabilities. “If you anticipate needing immediate access to your data, opt for a service that provides quick restoration,” McChord advises. “Some cloud solutions may require days or weeks for restoration, which can severely disrupt operations.”
As long as you conduct your necessary due diligence, cloud backups, storage options, and cloud-based security tools stand as excellent choices for small businesses lacking extensive in-house IT knowledge or substantial hardware and software budgets. “Purchasing one-time tech equipment that needs ongoing updates can be expensive,” says Bagrin. “It’s often more economical to rely on experts who stay abreast of the latest security challenges and protect your data.”
Assess Your Security
How secure is your organization’s computer network at present? MyDigitalShield provides a quick 30-second online assessment available at ShieldTest.com. If you identify vulnerabilities but lack the in-house expertise to address them, it’s prudent to hire an IT consultant who specializes in digital security for small businesses in your sector.
Essential steps for safeguarding your business include implementing a small-business security package that protects your devices against threats such as viruses, hackers, and malware. Options include McAfee Small Business Security, starting at $16 per license, and Symantec Protection Suite Small Business Edition, which ranges from $40 to $101 per license annually.
It’s also vital to use encryption to secure sensitive information, such as customer credit card numbers, rendering them unreadable to unauthorized parties; even if hackers access this data, it would be rendered worthless. Full-disk encryption tools are typically included with your operating system; for Windows systems, this feature is referred to as BitLocker, while on Macs, it is known as FileVault. Activating this encryption feature encrypts all files on your computer. To protect data while in transit between devices, update your company’s Wi-Fi to the newest encryption standard (currently WPA2).
Make it a priority to set critical software for automatic updates and perform monthly audits to identify malware, viruses, or unusual financial transactions, payments, or bank transfers.
Concerns with Mobile Devices
The rise in mobile devices introduces additional challenges to data security. “The primary issue with mobile technology is unencrypted data,” Sjouwerman notes. Unencrypted information is easily intercepted during transmission. Using unsecured public Wi-Fi networks, like those found in cafes or airports, heightens this risk. Any device utilizing public Wi-Fi is effectively open to public access. For sensitive data, establish a virtual private network (VPN) and insist that remote employees utilize it.
The BYOD (bring your own device) movement poses its own set of risks, Sjouwerman warns. “Individuals typically aren’t as vigilant about security on their personal devices.” To mitigate this, provide company-owned devices and install mobile device management software so you can oversee security remotely and wipe a device if it’s misplaced or stolen.
What about home offices? When you or your employees work from home, it’s essential to use a separate computer dedicated to work tasks, Sjouwerman advises. “Avoid letting children use that device. Kids often hastily click on things without understanding the risk, potentially exposing your computer to viruses.” As with mobile devices, employing a VPN is advisable when connecting to the company’s network from home.
The Human Element
Humans represent the most vulnerable aspect of cybersecurity. A prevalent method for hackers to infiltrate business networks is by targeting employees with phishing schemes. (Phishing involves sending emails that resemble genuine vendor or client communications and contain links designed to extract sensitive data.) When an employee clicks on such a link, malware is often installed on the company’s systems, allowing hackers to harvest sensitive data. (Notably, Sony’s significant breach stemmed from a phishing email.) On average, it takes six months to uncover such breaches—and by that point, it may be too late.
“Providing security awareness training to employees is mandatory, not optional,” Sjouwerman emphasizes. Conduct ongoing training to foster a “human firewall.” (For instance, KnowBe4’s security education programs cost around $10 per user, per year.)
Instructing employees on secure password practices is crucial. Utilize password management applications to create robust passwords and securely store them. Some business internet security packages include password management features; if yours doesn’t, consider standalone solutions such as Keeper ($9.99 and up annually), Passpack (free to $40 annually), LastPass (free to $12 annually), or RoboForm (starting at $19.95 annually).
Protect Your Business
What should you do if a data breach occurs despite all precautions? Consider acquiring cyber liability insurance, as conventional business insurance policies seldom cover data breaches. Cyber liability insurance can help cover expenses related to notifying clients, providing credit monitoring services, and legal costs arising from lawsuits associated with the breach. Consult your insurance provider or explore cyber liability options from Insureon, Nationwide, or Travelers; remember that premium costs can differ substantially, so be sure to request quotes.