THE BLOG
11/23/2016 02:21 pm ET Updated Nov 24, 2017

How to Make Sure Your Small Business Doesn't Have a Data Breach

Security is arguably the top concern for customers, and for good reason. In 2015 there were an estimated half a billion data breaches. A data breach can damage your reputation, decrease sales, and even cost you a ton of money in settling lawsuits.

To prevent any of that from happening, take the following steps to ensure that your small business won't experience a data breach.

Provide your employees with training.


According to a report released by the Association of Corporate Counsel, employee error is the leading cause of data breaches, such as sending an email containing sensitive information to an unauthorized individual outside of the company.

Because of that, it's important that you properly train your employees in security basics and raise their awareness of common scams. One of the most effective ways to accomplish this is through social engineering awareness training.

"Social engineering involves manipulating workers to voluntarily give up information or access," says Terry Evans, president of Cybersecurity Biz in Rochester, NY, in The Hartford.

Social engineering works like this: a social engineer will contact someone in your office claiming that they're 'testing the system' in order to trick that employee into handing over their password. According to Evans, the social engineer is relying on the fact that employees aren't aware of the value of the information they possess, so they're lax in guarding it.

Social engineering awareness training, in conjunction with written policies and procedures, can be achieved through:
  • Instructing employees never to open unsolicited email attachments or click links embedded in emails.
  • Training employees never to share sensitive information with anyone without first verifying their identity.
  • Refraining from using USB drives that are left out in the open. These devices are often planted by hackers; once plugged in, the company's systems become infected with malicious software that gives the hacker access to your network.

"Failing to address the threat posed by social engineering is somewhat like buying a high tech security system and then leaving your front door unlocked," says Evans.

Another way to avoid employee error is by restricting their access to sensitive data, like customers' payment information, and to administrative access for things like bookkeeping software and social media accounts.

Limit the amount of personal data you have stored.


As the Federal Trade Commission recommends, you need to go lean and mean in your data collection, retention, and use policies.

For starters, only collect the information that you need from your customers. For example, there's absolutely no need to gather their email passwords when collecting their email addresses for account registration. Furthermore, never reuse their personal information for unrelated purposes, such as using real people's personal information in employee training sessions.

Also, limit the amount of time that you store your customers' information. Once a transaction is completed, there's no longer a need to hold onto the credit and debit card information that was used to complete it.

Having too much personal information, and holding onto it, doesn't just add unnecessary risk, it could also land you in hot water with organizations like the FTC.

Encrypt your data.


As Andra Zaharia explains in the Heimdal Security blog, "Encryption tools are very useful in keeping valuable information hidden from cyber criminals, because it renders the data inaccessible to prying eyes."

Zaharia explains that, "Encryption is a process that transforms accessible data or information into an unintelligible code that cannot be read or understood by normal means." Thankfully, encryption tools are included on most operating systems. For Windows-based PCs it's BitLocker and on Macs it's FileVault.

There are also free encryption tools like VeraCrypt, 7-Zip, and AxCrypt.

Make sure your payment processing network is secure.


Before you start accepting payments online make sure that your network has an adequate firewall and updated virus protection. Also, make sure that the platform you're using is PCI compliant.

Create secure passwords and comprehensive authorization.


I completely understand that creating and remembering complex passwords is annoying. However, it's essential if you want to prevent data breaches. When choosing passwords, make sure they're strong: at least 13 characters, mixing symbols, letters, and numbers. It's also suggested that you change your passwords frequently and lock users out after a certain number of incorrect password attempts.

To make your life easier, there are a number of password managers, such as LastPass, Dashlane, and KeePassX, that will protect your online accounts without requiring you to memorize those lengthy and complicated passwords.

You should also consider two-factor authentication. This simply uses a password and another factor, like a PIN code sent to a mobile device or a fingerprint, whenever you or your team logs into an account.

Two-factor authentication is useful when you or your employees access data from more than one device, such as a laptop, tablet or smartphone, or when you're working remotely, since it requires a second level of authentication instead of just a password that can easily be discovered.
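As an added example (not code from the original article or from any of the tools it names), here is how the password rules above translate into an application's login check: the 13-character mixed-character policy is enforced at enrollment, only a salted hash of the password is kept, and an account is locked after a number of failed attempts. The lockout threshold of 5 and the PBKDF2 work factor are assumptions; the article leaves those numbers open.

```python
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

MIN_LENGTH = 13           # the article's "at least 13 characters"
MAX_FAILED_ATTEMPTS = 5   # assumed threshold; the article leaves the number open
PBKDF2_ROUNDS = 100_000   # assumed work factor for the password hash


def password_meets_policy(password: str) -> bool:
    """True if the password is at least MIN_LENGTH long and mixes letters, numbers and symbols."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.isalpha() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes            # PBKDF2 hash; the plaintext password is never stored
    failed_attempts: int = 0
    locked: bool = False


def create_account(username: str, password: str) -> Account:
    """Enforce the policy at enrollment, then store only a salted hash."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the 13-character mixed policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return Account(username, salt, digest)


def attempt_login(account: Account, supplied: str) -> str:
    """Return 'locked', 'ok' or 'denied'; count failures and lock after the threshold."""
    if account.locked:
        return "locked"           # refuse even a correct password until the account is unlocked
    candidate = hashlib.pbkdf2_hmac("sha256", supplied.encode(), account.salt, PBKDF2_ROUNDS)
    if hmac.compare_digest(candidate, account.digest):   # constant-time comparison
        account.failed_attempts = 0                       # a success clears the counter
        return "ok"
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
        account.locked = True
    return "denied"
```

The second factor the article describes would be checked only after `attempt_login` returns `"ok"`, so a guessed password alone never reaches the account.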

Monitor threats.


Why wait for a data breach to happen in the first place? With monitoring tools like Stealthbits you get real-time threat detection that flags and blocks suspicious activity before your databases are attacked.

Don't forget the physical information.


We get so focused on online and cloud-based data protection that we neglect physical property like paperwork, hard drives, laptops, flash drives, and disks. Make sure that these physical items are stored securely and not carelessly left out for anyone to grab, like in your garage or on the passenger seat of your car.

Just as you shouldn't keep personal data you no longer need, you should also dispose of information you no longer need securely. For example, if you're a local pharmacy, you would want to shred customers' outdated prescriptions.

How to recover from a data breach.

Despite taking the precautions listed above, you can't avoid a data breach 100%. If one happens, here are some of the steps that you should take following the breach:
  • Even after a breach has been contained, there's still a possibility that your customers will have to deal with issues like identity theft, and you're going to receive a fair share of questions and complaints from them. Guide them through the aftermath by being transparent, responding to their concerns, and offering them one year of identity theft protection.
  • Work with law enforcement and consumer protection agencies by providing them the information that they need.
  • Launch a PR campaign to win back customers.
  • Rethink and update your current security strategy and software.

How to Make Sure Your Small Business Doesn't Have a Data Breach was originally published on Due Small Business Blog by Chalmers Brown.