If your business uses the Internet, here are some simple data security steps you can take to protect your sensitive online business information.
Small, Medium and Large Businesses Face the Same Online Data Security Risks – Take the Lead and Protect Your Business With Effective Data Security Steps
Most small businesses depend on the Internet.
Whether it’s email, client logins, taking payments, or a website, your business data is out there, which means it’s at risk of falling into the wrong hands.
As a small- to medium-sized business owner, it’s important to take a leadership role in protecting your business information.
In the wake of events like the Equifax data breach, it’s important to review a few helpful tips that could save your business headaches down the road.
If you’re a sole proprietor working out of your home, the Equifax breach puts your business information at risk – unless you have an EIN, which may help slow the criminals down.
Nine data security steps to protect sensitive business information
1. Create difficult passwords, change them often, and use a password manager.
For more details, read our blog post about password management.
2. Use a paid email service
Look for security features like two-factor authentication, password monitoring, remote-wipe if there’s a lost device, etc. We talk about this a little in this blog post.
If you are hosting your own email server on-site, make sure that server is patched, has current virus protection, and has limited access (online and in-person).
3. Use virus and malware protection on all devices – yes, even on a Mac.
I use Bitdefender because it works on Mac, PC, and Android devices, and they have reasonable packages for up to 10 devices.
4. Keep your devices up to date.
When you receive a notice to update your computer, an app, a server, or your phone, install it: these updates contain security fixes that protect your device (and ultimately your data). They are your ‘front line’ of defense.
The Equifax breach may have occurred because an application wasn’t patched properly.
5. Use a PCI-compliant service to manage payments
The Payment Card Industry (PCI), made up of the card brands (Visa, MasterCard, Discover, etc.), has a set of standards for protecting personally identifiable information (social security number, name, address, financial information, etc.).
Whenever possible, ask the customer to enter their own information through an online portal or your point of sale system. If you are handling paper files with credit card information you are responsible for protecting it.
Both Visa and Mastercard provide lists to help you find a secure service provider (e.g., Stripe).
6. Protect important business documents – on paper and in the cloud
Don’t leave sensitive information lying around the office (money, bank statements, trade secrets, etc.).
Limit access to files so employees can only see what is essential to do their job. Encrypt files on devices (FileVault, BitLocker), in the cloud, or on servers.
Oh, and back everything up.
7. Be aware of sophisticated email attacks
Your organization is only as strong as its weakest link – and criminals know it.
One of the more advanced and prevalent email scams is called spear phishing. These messages:
- Appear to be from someone you know;
- Make a very urgent request; and
- Usually ask you to hand over information that could be used to harm your organization (e.g., financial information, usernames/passwords).
When an email seems out of character, give the person a call to confirm the request.
8. Establish employee guidelines for website and social media use
If you don't create standard operating procedures (SOPs) and brand guidelines, it's easy for employees to make mistakes on social media or website updates.
Protect yourself and your brand by being proactive.
9. Protect your devices – avoid open, unsecured, or public Wi-Fi
I love this SANS OUCH newsletter, which provides some great advice for securing your information while traveling. This information applies if you work in coffee shops or libraries (if everyone knows the network password, it’s not secure).
There are many additional ways to protect your small business from a cyber attack.
The most important thing to remember is to make it difficult for a criminal to access your information, making it more likely criminals will move on to an easier target.
It may seem overwhelming to change your processes to protect your information. But look at the costs of doing nothing.
It costs well over $150,000 for the average small- to medium-sized business to recover from a data security incident. Not only that, but 90% of small- to medium-sized businesses close permanently within 2 years of an attack. These stats, and more, are in the infographic below.
A little leadership goes a long way. Your organization is never too small or too big for an attack.
Don’t be scared, be smart.