Cybercriminals have been increasingly going after smaller businesses in the United States. Criminals know that a small firm often has weaker data security than that of a large company and is more likely to be unprepared to halt an attack once it starts, if it even notices the intrusion.
A small company also can have intellectual property that's just as valuable as that held by a big business: sensitive customer and employee records aren't just available from huge corporations. And if your small business is a vendor for a bigger firm, the bad guys may try to use your company as a back door to the data trove at the larger company.
Does a small business even have a chance to fend off cyberattacks if giant companies like Target, Sony Pictures and even the Internal Revenue Service have been victims? Actually, yes. Your company’s small size can be an advantage. You don’t have to secure complex, far-flung computer networks or hundreds of mobile devices used by workers or try to impose security policy on thousands of employees.
So if you decide to make data security a priority, you can more readily impose tight security controls and ensure your team follows them. Here’s a guide on how to get started.
Low- or non-tech vulnerabilities: Changing employee behavior
Human behavior, not just weak technology, is a major cause of security failures, experts say, and they're referring to your employees, not the cybercriminals. It could be something as simple as an employee writing a password on a Post-it note and sticking it on their computer where an outsider can see it. Even a high-level staffer may fall victim to one of the newer business email scams: a fake email supposedly from the CEO with instructions to transfer money or release sensitive information.
Don’t forget to lock up physical data
This includes active paper files in-house and in the field as well as old files, hard drives and unused computers. While this makes sense for all businesses, it is particularly vital for those in healthcare, and not only large hospitals: dental practices, psychologists and chiropractic offices are covered too. Protecting customers’ healthcare information (electronic or written) is mandatory under HIPAA, the federal law that protects the confidentiality and security of healthcare information.
The tech side: Create a data security policy
If you create a policy before it's needed, it will make clear to your team the company’s expectations for data security, the actions required to keep the company’s data safe, and the consequences if they are not followed. A clear example is a retail merchant that uses a point-of-sale system to process customer credit and debit cards. For this type of small business, a breach can cause a lot of damage that needs to be remedied quickly. Such a business may also have lower-level workers spread across different store locations, so communication can easily break down without a plan.
The Federal Communications Commission recommends starting with an inventory of the data you create, collect and store. Next classify each type by its security needs. Spell out who is allowed to have access to it and what layers of security it will require.
Create a checklist for the rules to follow for each type of data, both digital and physical. Make the policy a centerpiece of your company’s culture and onboarding for new employees. And keep it up-to-date! Keeping your data safe is an ongoing process that's never really completed.
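The FCC steps above (inventory each data type, classify it, spell out who may access it and which protective layers it needs, then turn that into a checklist covering digital and physical data) can be written down as a small policy-as-code table that you can check access requests against. This is an added example, not part of the article or any FCC tool, and every data type, role, tier and control in it is constructed for illustration.

```python
from dataclasses import dataclass

# Classification tiers, least to most sensitive (constructed for this example).
TIERS = ["public", "internal", "confidential", "regulated"]

# Protective layers each tier requires; a higher tier keeps the lower tiers' layers.
REQUIRED_CONTROLS = {
    "public": set(),
    "internal": {"password"},
    "confidential": {"password", "encryption_at_rest", "backup"},
    "regulated": {"password", "encryption_at_rest", "backup", "mfa", "access_log"},
}

@dataclass
class DataType:
    name: str
    storage: str          # "digital" or "physical": the policy must cover both
    tier: str             # one of TIERS
    allowed_roles: set    # who may access it; "everyone" means no restriction

    def __post_init__(self):
        if self.tier not in TIERS:   # an unclassified item is a policy gap, fail early
            raise ValueError(f"{self.name}: unknown tier {self.tier!r}")

# Steps 1 and 2: the inventory, each entry classified (constructed sample data).
INVENTORY = [
    DataType("marketing brochures", "digital", "public", {"everyone"}),
    DataType("employee records", "physical", "confidential", {"hr", "owner"}),
    DataType("customer card data (POS)", "digital", "regulated", {"owner", "pos_admin"}),
    DataType("patient charts", "physical", "regulated", {"clinician", "owner"}),
]

def find(data_name, inventory=INVENTORY):
    for item in inventory:
        if item.name == data_name:
            return item
    raise KeyError(f"{data_name!r} is not in the inventory; add it before storing it")

def check_access(data_name, role, inventory=INVENTORY):
    """Step 3: may this role access this data type?"""
    item = find(data_name, inventory)
    return "everyone" in item.allowed_roles or role in item.allowed_roles

def missing_controls(data_name, deployed, inventory=INVENTORY):
    """Step 4: required layers for this data type that are not yet in place."""
    return sorted(REQUIRED_CONTROLS[find(data_name, inventory).tier] - set(deployed))

def checklist(inventory=INVENTORY):
    """Step 5: one checklist line per data type, digital and physical alike."""
    return [f"{d.name} [{d.storage}, {d.tier}]: roles={sorted(d.allowed_roles)}, "
            f"controls={sorted(REQUIRED_CONTROLS[d.tier])}" for d in inventory]
```

Run `checklist()` when onboarding a new employee, and `missing_controls()` whenever a new system is stood up, so the policy stays current rather than written once and forgotten.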
Secure your servers, desktops, laptops, and tablets
Don’t overlook the basics -- they make a difference! While these steps apply to all small businesses, they are especially critical for businesses like law firms, accounting firms and other professional service firms that handle large volumes of sensitive customer information on their work computers.
- Schedule regular data backups and password changes. Automate the backups and consider backing up data to both a remote server and an external hard drive, which should be stored in a secure spot away from your business.
- Install antivirus software. There are free versions, including one from Comodo. But if your business has 10 or more computers on its network, a paid service makes more sense, according to a recent TechRadar.Pro report that recommended several, including Avast Endpoint Protection and Symantec Endpoint Protection. Both cost around $500 for a two-year contract.
- Automate software updates and regularly check for updates for your computer operating system and browser.
- Use encryption software to protect your data files and external drives. Some programs are free. The FCC suggests looking for one that is FIPS-certified, meaning it has been validated against the Federal Information Processing Standards that set the federal government's security requirements.
Protect your mobile devices
A free public Wi-Fi network is convenient to use when working from outside the office, but you should know that it’s rarely secure. Criminals find it just as convenient to use these hot spots to steal your data.
Many small businesses have employees who regularly work in the field, including business consultants and salespeople, who might be tempted to use a public Wi-Fi hotspot to send or receive company information or customer orders, or to communicate with vendors or colleagues. Train them to check whether a public hotspot uses the latest Wi-Fi Protected Access security, WPA2. If not, and your company doesn’t have its own virtual private network for employees to use when they are working remotely, you can buy a VPN such as HotSpotVPN or WiTopia to let employees access the internet securely. Annual fees range from about $50 to $140.
Legal requirements specific to your state
States have different rules about what you have to do if you have a data breach. So check to see what your responsibilities are under your state’s laws. A single national rule under proposed federal legislation is currently stalled.