A good reputation takes a lifetime to build, but a minute to lose. Small-business owners can spend years making a good name for themselves and creating goodwill among customers, but a single data breach that results in the theft of their customers’ personally identifiable information (PII) – such as Social Security numbers, credit card information, and health-related data – can undo it all in an instant. Who wants to do business with a company that can’t secure its data?
And when data is compromised, small businesses often pay an enormous price. In 2021, the average cost of a data breach at companies rose from $3.86 million to $4.24 million, the highest average total cost in the 17-year history of “The Cost of a Data Breach Report” by the Ponemon Institute and IBM Security, based on a study of 537 organizations that suffered a data breach between May 2020 and March 2021.
The loss of data, including the company’s own intellectual property (IP), can bring business to a screeching halt. In some cases, hackers may demand a ransom for the return of stolen data or systems. Regulatory fines can be steep for not properly securing consumer data. And the public relations outreach required to communicate with customers and reestablish credibility can be costly as well.
“While you might only think data protection applies to large organizations, it's essential for small businesses, as well,” stated an October 2021 blog post by cloud storage company Box. “Hackers and other bad actors regularly target small businesses to steal sensitive data, making data protection a must-have for any organization. When you implement data protection strategies, you can ensure you maintain an excellent reputation, avoid operational downtime, keep your data secure, and guard your business against legal action.”
Data Security Tips
The challenges of data security may be greater for smaller businesses than their larger counterparts because many don’t have a dedicated IT or cybersecurity team who handles this responsibility. But by following the data security tips below, business owners may sleep better at night knowing they’ve covered bases.
1. Inventory your data.
Conduct an audit that identifies where your data comes from, the different types of data you have – such as confidential information about customers, proprietary company research, and financial records – where it resides, who can access it, and how it’s being used. Should a breach occur, you’ll be able to pinpoint what has been stolen and narrow down the field of users. It may also help to categorize different data as public, confidential, or restricted.
2. Identify possible data security risks.
Email, for example, is a favorite weapon among attackers. Cybercriminals often send messages that at first blush may appear legitimate in order to trick recipients into taking an action that enables attackers to gain access to the company network and steal data. Employees pose another risk. For example, workers may mistakenly click on a malicious link in a seemingly authentic email or log into the company network over public Wi-Fi while working remotely.
3. Learn the signs of a data breach.
There are certain telltale signs that a business’s computer systems have been hacked. For example, abnormal network, computer, or program behavior, unusual file changes, and locked accounts could indicate that your system has been infiltrated.
If a user reports opening a suspicious file or if malware is detected, investigate thoroughly to see whether other computers or systems in your organization have been breached. It may also be a good idea to check your company’s credit to ensure an outsider hasn’t gone on a spending spree.
4. Educate and train your employees.
Take the time to regularly educate your employees, suppliers, and customers about all aspects of data security and how they can prevent loss. Teach them the signs of a breach, explain how often they should change their passwords, and describe what a strong password includes. Send any IT personnel you may have on staff for periodic training, too, so they can stay abreast of the latest protective measures and risks.
5. Back up your data.
Don’t let a breach make you realize you hadn’t backed up your data properly or your system ran out of storage space. There are many ways to back up and store data, including:
- Direct-attached storage (DAS), such as an external drive, which plugs directly into a computer or laptop.
- A network-attached storage (NAS) device, which connects directly to a company’s network to store data throughout the organization.
- Cloud storage, which houses data in off-site servers maintained by a cloud computing service provider. Data can be accessed 24/7 via any internet-connected device, and a company pays for the amount of storage needed.
6. Have a disaster recovery plan in place.
You’ve done everything you can to secure your data, but no security measure is foolproof. What will you do if an attack actually occurs? Having a detailed plan in place, crafted in advance of an emergency, is crucial. This plan should lay out the steps for how to handle a breach, including who does what, whom to alert (employees, customers, suppliers, etc.), what details to share, and what is being done to address the situation.
7. Manage the data life cycle.
Determine how data should be handled when it’s created, stored, archived, and destroyed. Sometimes, regulations dictate how long information must be retained. For example, U.S. tax records and securities transactions should be maintained for at least seven years. Businesses should also consider the benefit of retaining the data versus deleting it. The latter may reduce data storage fees and lower the risk of the data being stolen.
8. Establish data security controls.
This is where the concept of “least privilege” comes into play. Least privilege governs who can access certain types of data – namely, employees are given access only to the data they need to do their jobs. For example, an employee who handles marketing wouldn’t necessarily need access to the company’s financial records.
Other important measures you could put in place include:
- Implementing multifactor authentication, which requires users to provide two or more verification factors before being granted access to data.
- Requiring remote employees to use a virtual private network to log into your network.
- Protecting websites with Secure Sockets Layer (SSL), a security protocol that provides authentication, encryption, and decryption of data sent over the internet.
- Encrypting sensitive data, so that only those with the proper credentials have access to the decryption key or password.
9. Keep up with data security regulations.
For small businesses, it can be daunting to stay on top of new and ever-changing data security and privacy legislation, such as the California Consumer Privacy Act, Health Insurance Portability and Accountability Act (HIPAA), Gramm Leach Bliley Act governing financial data, and Europe’s General Data Protection Regulation (GDPR), to name a few. Not only is it critical to stay apprised of what’s going on in your company’s industry and in the state and country it is headquartered, but also anywhere else the company does business. If practical, assign the task to one or more employees or consider working with a consultant to ensure your business remains in compliance and avoids fines. Other options include setting up web alerts and subscribing to relevant websites, publications, and legislation trackers to stay informed about regulation changes.
10. Monitor, test, and audit.
Ensure data systems are working properly, software is up to date, and vulnerabilities are patched on a regular basis. You may even decide to periodically test your employees’ ability to spot potentially malicious activity by monitoring their responses to a planned phony email, for example. By auditing systems on a regular basis, companies can proactively find and address any vulnerabilities.
The Takeaway
The last thing you want to do is inform customers that their data was stolen from your business. It’s bad news for them, and it’s bad news for you, too. Data security should be a top priority even for the smallest of the business. As an old saying by Benjamin Franklin goes: An ounce of prevention is worth a pound of cure.
Photo: Getty Images
