All businesses face the risk of data breach, but recent studies indicate that small businesses are particularly susceptible. According to research done in 2019, 43% of online cyber attacks are aimed at small businesses. Proving that small business owners increasingly need to make data security a high priority.
Why are small businesses such a growing target? Experts advise that it’s because they often don’t have the security controls in place to keep thieves at bay.
These precautionary measures, together with a small budget and a large dose of vigilance, can help you protect your business.
1. Train your employees.
According to the Ponemon report, employees are the top cause of data breaches in small and mid-size businesses, accounting for 48 percent of all incidents. It’s usually due to an innocent mistake; employees often lack basic awareness of data security and how hackers work. Employee education is one of the most important things you can do to lower the potential of data theft.
Offer mandatory awareness training on the security risks employees face every day. Social engineering is a growing threat for small businesses whereby hackers pose as a trusted source in need of confidential data. Through phishing, employees are invited to click on a link that installs a virus on their computer without their knowledge. Ransomware will hold a computer hostage until the required ransom is paid.
To prevent employees from falling into these traps, advise them to:
- Confirm the legitimacy of the source before giving out confidential information
- Never open attachments from people they don’t know
- Avoid suspicious links in emails, websites and online ads
2. Secure sensitive information.
Sensitive data is the valued commodity that criminals seek to exploit for profit. It includes personally identifiable information (PII) for employees, customers and patients as well as business trade secrets, financial data and other company-confidential information. In the wrong hands, this information can damage your business, customers and reputation.
Limit access to online files based on an employee’s need to know. Store paper files and removable storage devices containing sensitive information in a locked drawer, cabinet, safe or other secure container when not in use.
3. Properly dispose of sensitive data.
Be equally vigilant when disposing of sensitive data. Shred documents containing confidential information prior to recycling. Remove all data from electronic devices—whether computers, tablets, smartphones or storage hardware—before disposing of them.
4. Use strong password protection.
Passwords are under constant attack and hackers use a number of different means to crack their code. To deter their efforts, password-protect your business computers, laptops and smartphones as well as access to your network and accounts. Require employees to change default passwords and set a strong, complex password with a variety of characters that must be changed at least quarterly.
5. Protect against malware.
Malware refers to “malicious” software, such as viruses and spyware, that is installed on a computer with the intent to access sensitive information or cause damage. Malware can be installed when an unsuspecting employee uses a malware-laden USB device or clicks on an infected link in an email or on a website.
To prevent a malware attack, install and use antivirus and anti-spyware software on all company devices and be sure your employees are on the lookout for suspicious links.
6. Control physical access to your business computers.
Create user accounts for each employee to prevent unauthorized users from gaining access to your business computers. Laptops can be stolen easily; make sure they’re locked in place when unattended. Also limit network access on computers located in or around public spaces, such as the reception area.
7. Encrypt data.
Encryption encodes information, whether it is stored on a device, in the cloud or being transmitted over the Internet, and only the person or computer with the proper key can decode it. Encryption is highly recommended for all devices containing sensitive information, including laptops, mobile devices, USB drives, backup drives and email.
Most operating systems and many software applications have a built-in encryption option which you simply need to activate (instructions vary). You may also purchase encryption programs tailored to the needs of your business—whether for an entire drive or one or more files or folders. Secure Sockets Layer (SSL) certificates are the standard way for businesses to encrypt sensitive information, such as those containing credit card details, before it is transmitted over the Internet.
8. Keep your software and operating systems up to date.
Malware continuously evolves and software vendors continuously update or “patch” their programs in order to address new security vulnerabilities. For this reason, it’s vital to install updates to security, web browser, operating system and antivirus software as soon as they are released. They’re your first line of defense against online threats.
9. Secure access to your network.
To prevent outsiders from gaining access to private information on your network, enable your operating system’s firewall or purchase reputable firewall software. Configure a Virtual Private Network (VPN) to provide workers with a secure means of accessing your network while working remotely. If you have a Wi-Fi network for your workplace, make sure it is secure and encrypted, and that your SSID (service set identifier) is hidden so that it can’t be picked up by the public. Also require a password for access.
10. Verify the security controls of third parties.
Most businesses rely on third-party vendors for some aspect of their operation, whether for payroll, credit card processing or to manage their security functions. But there are security risks in doing so. If a breach occurs on the vendor’s watch, your data may be compromised and you could still be held responsible for the loss.
Before engaging the services of a third-party vendor, evaluate their security standards and best practices to ensure they meet your minimum requirements. Look for vendors that:
- Have strong security policies and procedures
- Regularly backup their data on a hard drive as well as the cloud
- Perform routine internal security audits
- Run background checks on employees with access to your data
- Require employees to complete data security training
- Keep up-to-date with the latest security patches and security software
- Have a comprehensive incident response plan for responding to and managing the effects of a security attack
Once you’ve vetted and selected a third-party service provider, put a service level agreement (SLA) in place that details your security expectations and give you the right to audit the vendor to confirm compliance with your policies.
Take your understanding of Data Breach and Cyber Security one step further. Download your free copy of How to Safeguard Your Business From Data Breaches below:
This comprehensive e-book will help you learn the latest strategies hackers are using to attack your data, common ways business owners leave themselves exposed to data breaches, how to best secure your business from a breach and much more.
Next Steps: Are you looking to keep up with the latest research and trends in talent management? We’ve got you covered with the weekly Small Biz Ahead Newsletter. Sign up today and start receiving the weekly newsletter chock full of the latest tools and resources to help you run a successful business.
View Comments (13)
I would also suggest adding a layer of email protection to block phishing attempts.
Thanks for sharing, Nick!
It doesn't matter whether your business is small or big, I believe it always has potential threats of being hacked, which is why taking all the possible measures to prevent that is highly important, because we wouldn't want any sensitive data being leaked to competitors. This is one of the main reasons our company decided to get a VPN, to increase our security, so far been quite happy about it. The best part is that they have unlimited device log in's so we only got a couple of accounts, which can be used by the whole office.
Thanks for the comment, Steven!
It was really interesting for me how you talked about that for criminals, sensitive data is valuable so that it can be exploited for a profit. In my opinion, one should always be careful when using the internet and technology to store important information, whether it be personal or for a company. My husband is trying to start his own small business to be able to help people with financial planning, so I think he should focus on keeping his data safe with the help of a professional.
We are glad you enjoyed this article, Faylinn. Thank you for the comment.
Starting using ExpressVPN when I turned remote. I have it on both my laptop and phone. If you're doing work stuff on a public network, it helps to have a VPN.
Thank you for this data.
Thanks for the comment!
Thank you for sharing wonderful tips regarding data theft prevention.
Thank you for your comment!
this is great, I am fired up!
Thanks for reading Randall!