Does data security, or rather the lack of it, keep you up at night? Experts discuss basic measures small business owners can, and should, take to keep sensitive data safe.
In August 2010, the Privacy Rights Clearinghouse published its latest Chronology of Data Breaches, which showed that since 2005 more than a half-billion sensitive records have been breached. Of those breached records -- which contained such sensitive data as customer credit card or social security numbers -- approximately one-fifth came from retailers, merchants and other types of non-financial, non-insurance-related businesses, the majority of which were small to midsized.
An equally scary statistic: approximately 80 percent of small businesses that experience a data breach go bankrupt or suffer severe financial losses within two years of a security breach, according to John Sileo, a professional identity theft consultant and speaker, who knows firsthand about the havoc a security breach can wreak on a small business.
What can a small business owner do to protect her business from a security breach? Small Business Computing spoke with two security and privacy experts and consulted the leading security and privacy sites to find out. The good news: protecting your business from a data security threat is easier than you think. It's also much cheaper than the physical, financial and emotional cost of repairing one.
The 7 Causes of Security Breaches
According to the Privacy Rights Clearinghouse (and other sources), security breaches typically result from one of the following seven causes:
- Unintended Disclosure: Someone in or affiliated with your organization inadvertently posts private or sensitive company or customer information on a website (e.g., Facebook or a blog) or in an email, fax or letter.
- Hacking or Malware: Unauthorized individuals gain access to your computers or servers (often due to inadequate firewalls or weak passwords) and steal or corrupt data by using malicious software programs known as malware.
- Payment Card Fraud: Information is stolen from a point-of-service credit card or payment terminal.
- Bad Employees: Someone who works for you intentionally steals or leaks sensitive information.
- Lost, Discarded or Stolen Paper Documents
- Lost, Discarded, or Stolen Mobile Devices (e.g., laptops, smart phones, flash drives, CDs, etc.)
- Stolen Computers or Servers
15 Ways to Protect Against Data Security Threats
Protecting your business from a security breach isn't just about practicing safe tech. It's about hiring the right people, having a good security policy in place and employing common sense. You can protect sensitive or confidential data by following these 15 steps.
1. Identify what sensitive information you have, what you use it for and where it resides. Translation: inventory your company's potentially sensitive information (e.g., customer credit card information) and document on which computers, servers and laptops it's stored.
2. Isolate/segregate sensitive data. Keep sensitive information on the fewest number of computers or servers, and be sure to segregate it from the rest of your data and network if possible. "The fewer copies of data you have, the easier it is to protect," said Jon Heimerl, the director of strategic security for Solutionary, a security services company that helps companies of all sizes design and manage better security programs and detect and prevent security events.
3. Encrypt sensitive data. According to Heimerl, encryption becomes even more important when your data is mobile. "There are many options to encrypt data via applications, databases or via security suites that can run, for instance, on a laptop. If you can encrypt the data, chances are good that, even in the event of a breach, the information will be safe from ultimate compromise. The HITECH Act, for instance, says you must report breaches of unsecured data. Encrypted data is considered secure."
4. Use Secure Sockets Layer (SSL) or a similarly secure connection for receiving or transmitting credit card information and other sensitive financial data. Using a secure, encrypted connection such as SSL protects sensitive data while it is in transit across the Internet.
5. Do background checks and get at least two references for all new employees. Ask for at least two references from previous employers and take the time to call both former employers to verify previous employment information. You may also want to check if a prospective employee has a criminal record or a problem with his credit history. To learn more about employee background checks and references, review the Privacy Rights Clearinghouse's Small Business Owner Background Check Guide.
7. Use a good firewall and a secure wireless connection. Sileo called the number of businesses that operate a wireless network in their offices without a secure form of wireless connection overwhelming. "They're still using WEP instead of WPA2 encryption," said Sileo.
8. Keep anti-virus and anti-spyware software up to date. Most small businesses have anti-virus and anti-spyware software in place, but they forget or neglect to make sure they have the latest versions or the latest updates, which can open them up to all sorts of data security breaches.
9. Protect sensitive data with strong passwords and change passwords on a regular basis. In addition, have computers (including laptops) return to the login screen after five minutes of inactivity.
10. Make sure you and your employees only download applications that come from reliable sources. Because applications (e.g., games, mobile apps) may contain viruses, spyware or Trojan horses, it's important to know and trust the source of an application before downloading it.
11. Lock filing cabinets and rooms where you keep sensitive data, and only give keys to trusted employees. "Oftentimes locked boxes keep people honest," said Sileo. "They're a great way to take away the crime of opportunity."
12. Use paper shredders, and place them in strategic places around your office. One of the leading sources of credit card information and social security number theft is trash cans or dumpsters.
13. Protect laptops, and be careful where you use them. Password-protect laptops and mobile devices and keep them locked in cabinets or drawers when not in use. If you store any sensitive data on such devices (both Heimerl and Sileo advise against this) make sure it's encrypted. Also, when using your laptop on the road, tether it to your smart phone, i.e., use your smart phone as a modem, so information goes directly through your (more secure) phone versus over a public Wi-Fi hot spot.
14. If you outsource any critical functions, vet third-party security practices. Don't be fooled into thinking that just because you outsource critical applications or store information offsite, at a supposedly secure datacenter or cloud provider or ISP, that you are not responsible for that data. "If you are outsourcing any of your operations or data management to a service provider you should be asking that provider how they address [data security]," cautioned Heimerl.
NOTE: You are still 100 percent liable for any customer-related information that is breached, even if it does not reside on a server at your business or under your control.
Therefore, before you outsource any business functions, such as payroll, Web hosting or customer service, investigate each company's security and data privacy practices, and make sure they are adequate.
15. Consider outsourcing security or hiring a consultant to make sure your business is safe and secure. "You might consider, for instance, outsourcing firewall management, intrusion testing, vulnerability management, compliance management, especially when related to financial services (PCI) or to healthcare (HIPAA and HITECH)," said Heimerl. "Chances are that a qualified managed security service can provide better security than you and do so at a lower cost, while allowing your IT staff to concentrate on the business."
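A starting point for step 1 (and for deciding what steps 2 and 3 should segregate and encrypt), as an added example that is not from the article or its sources: a Python script that walks a directory tree and reports which files contain Luhn-valid payment card numbers, without ever printing a full number. The file names and sample contents are constructed for the demo; the card numbers in them are the widely published test numbers, not real accounts.

```python
"""Added example: inventory where payment card numbers sit on disk so they can
be segregated or encrypted (article steps 1-3). Matches are reported masked."""
import os
import re
import tempfile

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")  # 13-19 digits, space/dash groups

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_card_numbers(text: str) -> list:
    """Masked card-number candidates in text that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append("*" * (len(digits) - 4) + digits[-4:])
    return hits

def inventory(root: str) -> dict:
    """Map each file under root to its count of Luhn-valid card numbers."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="ignore") as fh:
                count = len(find_card_numbers(fh.read()))
            if count:
                report[path] = count
    return report

def demo() -> dict:
    """Inventory a constructed sample tree (standard test card numbers)."""
    root = tempfile.mkdtemp()
    samples = {
        "orders.csv": "id,card\n1,4111 1111 1111 1111\n2,5555-5555-5555-4444\n",
        "notes.txt": "Call 555-123-4567; ref 4111111111111112 fails Luhn.\n",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    return {os.path.basename(p): n for p, n in inventory(root).items()}
```

Expect some false positives (any 13-19 digit number that happens to pass Luhn), so treat the report as a review list for the inventory, not a verdict.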
What to Do in the Event of a Security Breach
Here are the four steps you need to take when a security breach occurs:
- Do not panic
- Contain the breach
- Get help
- Make sure you protect your business so it doesn't happen again
Once you have identified that there has been a breach, it's critical that you isolate and contain it. If it's IT-related, that may mean shutting down a server (or multiple servers) or disconnecting from the Internet for a while, until the threat has been eliminated. If you have been hacked, make sure you have eradicated all malware (e.g., viruses, worms, spyware) from your systems and take steps to recover any lost information, such as restoring data from backups.
Next (or simultaneously), contact your lawyer and/or a security expert. Note: Forty-six states, as well as the District of Columbia, have security breach notification laws (you can also visit Privacy Rights Clearinghouse for a list), but these laws differ from state to state. If a crime has been committed, contact your local police department or, if you feel they are unequipped to deal with cyber crime or information theft, contact your local FBI office. For incidents involving mail theft, contact the U.S. Postal Inspection Service.
Also, in some cases, you may need to notify your customers if their personal information has been compromised. But before you do this, consult with your attorney and law enforcement contact as to when and how. Similarly, you should designate a person within your organization -- or hire a public relations or crisis management consultant or firm -- to be the point of contact for information about the breach, your response and how affected individuals can get help (if necessary).
The bottom line: It's much more expensive to fix a breach than to prevent one. And most of the time, you can prevent data security breaches by practicing safe tech, as outlined in the steps above.
The following sites are excellent resources for security and privacy information, including when, where and how to get help:
Jennifer Lonoff Schiff is a regular contributor to SmallBusinessComputing.com and writes a blog for and about small businesses.