In 2014, the media was abuzz with tales of corporations struggling to retain market share and customer loyalty in the aftermath of some serious data leaks, such as the ones at Sony and Home Depot. Although the big data breaches at international corporations are often the ones that make the news, smaller incidents occur much more frequently – even though you might never hear about the breach that occurred at that accounting firm down the street.
While many businesses believe something like this will never happen to them, unfortunately, it’s becoming more and more likely for small and medium-sized businesses.
Smaller businesses tend to have less time, money and staff to address security concerns and keep their security applications up to date. They are seen as ‘low hanging fruit’ for hackers looking for easy prey. Smaller companies that have larger companies as customers can also be an enticing target as an entry point or a stepping stone to more lucrative information. And if you handle payment cards from customers you may be vulnerable to those looking to steal money from individuals. Attacks on smaller businesses are indeed on the rise: according to Symantec, 31% of all targeted spear fishing attacks were aimed at businesses under 250 users in 2013, compared with 18% in 2011.
We’ve put together the following list with links to videos and websites for more details on our recommendations.
Here are the 10 steps all small businesses need to take NOW to avoid a data breach:
1. Examine your mobile device policies. Decide upon whether or not to adopt a BYOD (bring your own device) strategy for your employees so that you can maintain security and use policies for your business data while allowing your employees the flexibility they want.
2. Enforce your BYOD strategy. Make sure that all devices are secured with passwords so that company data can’t be accessed if the device is lost.
3. Promptly remove system access when employees leave. Ensure that access to the system is removed immediately for any employee who leaves the company. Former employees are the second most common source of security incidents.
4. Ensure employees are educated to prevent unintentional breaches. Appoint an employee (or hire a consultant) to research and do a presentation on best security practices for your staff. They should cover topics such as identifying phishing threats and choosing a secure password.
5. Standardize email and password security policies. Ensure that these policies are outlined in an employee handbook.
6. Limit the places you store data. Consolidate your data into as few places as possible and encrypt when not in use or at rest when possible.
7. Properly dispose of old hard drives. You may want to wipe these before disposal, or hire a reputable company to destroy your drives for you.
8. Keep your computers maintained. All employees should have the same version of anti-virus and anti-malware software and your software should be regularly updated with the latest patches. Your software is a potential source of vulnerability. Software patches help close the doors through which malware can enter. Using a managed services partner can take this task off your plate.
9. Prepare for disaster with a Business Continuity and Disaster Recovery Plan. Include contingencies for a loss of data due to cyber-attack in your Business Continuity and Disaster Recovery Plans.
10. Back up your data offsite. Ensure you have a robust Backup and Disaster Recovery system in place in the event your server is compromised or stolen.
The financial consequences of a data breach include reimbursement to affected customers, charges for recovering lost data and time spent recreating lost data.
Ensuring that you are taking the right steps to guard against internal and external threats is key to maintaining data security.
If you have questions about this list of strategies, or if you’d like some help to follow through on them, give us a call at 416-410-5030 or send us an email at firstname.lastname@example.org.