Is your business in danger of a data security breach? Small businesses don’t have the resources of big companies but are just as exposed to a potential data breach. Learn how to protect your business with these tips.
One of the fastest-growing threats to your business may be lurking right under your nose. The worst part is that if you’re like most business owners, you’re not prepared to deal with it.
The threat? Data security. The 2021 Verizon Data Breach Investigations Report found that there were 5,258 confirmed data breaches, which was a third more than the previous year. The report found that 43% of all data breaches involved small- and medium-sized companies, and that phishing and ransomware attacks increased by 11 percent and 6 percent respectively because of the large number of people working from home.
The losses from data breaches can be devastating — especially for small businesses. According to the 2018 Cost of a Data Breach Study: Global Overview from IBM Security and Ponemon Institute, the global average cost of a data breach is $3.86 million, and the average cost, globally, for each lost or stolen record containing sensitive and confidential information is $148 per record.
How can a data leak affect your business?
- Damage to reputation/brand: If your company is the victim of a cyberattack, it can cost you much more than money. Imagine all the trust and goodwill you spent years building between your company and your suppliers, customers, and employees vanishing in the blink of an eye.
- Lost revenue: In addition to the out-of-pocket cost incurred as a result of a breach, revenue loss due to fewer customers, fewer sales, and declining customer loyalty is typical following a serious security incident. You may be responsible for reimbursement to customers. In fact, if even one employee loses a laptop, you’ll feel the pain. According to one study, the average value of a lost laptop is an astonishing $49,246.
- Potential liability: In response to the rash of major data breaches, lawmakers have scrambled to put stronger measures in place to protect consumers. If you fail to safeguard sensitive information, you could put yourself at risk for expensive lawsuits. According to CYREBRO, small businesses spend anywhere from $25,000 to over $100,000 to recover from a single cyber attack.
- Lost productivity: Data breaches and other security incidents cause serious losses in productivity. Consider some of the fallout from a data breach. There’s downtime. You may also have to recreate lost data from scratch, engage in PR activities, contact individuals affected by the breach, go through litigation, and many other time-consuming activities that will distract you from your main focus.
- Resolution may require outside help: Another pitfall caused by data breaches is that small businesses lacking in-house IT expertise will likely have to depend on an outside entity to help them sort out their problems.
You may wonder why more entrepreneurs aren’t doing something about data security if it poses such a big threat to businesses.
Why aren’t business owners doing more?
There are three key reasons that businesses — small businesses, in particular — aren’t prepared for the devastating effects of a data breach.
- Lack of knowledge: If you don’t know there’s a looming disaster, you can’t prepare for one. Many business owners who are aware of the data breach epidemic don’t know what to do about it, and thus, they do nothing. As a small business owner, you should get up to speed on the things you can do to minimize your risk for a data breach. Start by reading the information on cybersecurity that the US Federal Trade Commission (FTC) has provided.
- No plan to protect data: 43% of U.S. small business owners have no formal cybersecurity plan, and 91% haven’t purchased cyber liability insurance according to a report in CyberSecurity Magazine.
- Lack of resources: The average small business owner has nowhere near the resources that large companies have at their disposal to secure their sensitive information. Typically, small businesses lack security awareness, technical expertise, and budget. Nonetheless, there is help available for data security for small businesses.
So what can you do to keep a data security incident from crippling your business?
How to Protect Your Business from a Data Breach
If you want to protect your business, you don’t need a massive war chest and a team of security experts. You will have to invest some time and effort to secure your business, but you owe it to yourself to get started today.
Get educated: You’ve already taken the first step to protecting your business from a data breach by reading this article. Continue to seek out the latest factual information about data security incidents and how to best protect your business. You can also use these tips to help prevent hackers from attacking your computers and making you a victim of cybercrime.
Make your business PCI compliant: If your company processes, stores, or transmits credit card information, you need to be sure your operation is compliant with the Payment Card Industry Data Security Standard (PCI DSS). Failure to be in compliance could lead to stiff fines and penalties if you are breached.
Get clear on what data you have and where it’s located: Most companies store data in a variety of locations. But leading security experts’ top concern is not knowing the location of sensitive or private data. In fact, more than 40% of companies don’t know where their data is stored. Spend some time identifying sources of risk.
Put systems in place to minimize risk and protect your business: Establish data protection policies and communicate them clearly to employees, strategic partners, and customers.
Safeguard sensitive data: Take steps to protect confidential information. Data loss prevention software can block sensitive information from being sent through email. Confidential business information should be encrypted or safeguarded by DLP technologies.
Use layered security: Security experts recommend using many different tools and techniques. A great first layer you can add is anti-virus and anti-malware software. Consider adding a well-configured firewall. Restrict access to your data only to people you trust. Keep your software and patches up to date. You also want to physically secure your data and regularly back up all your data. Ideally, you want to put an automated backup and recovery strategy in place.
Keep an eye on your inner circle: You can still be a victim of a data breach despite your best efforts if the companies you do business with aren’t protected. Banking institutions, cloud storage providers, suppliers, and even your employees can expose you to data leaks. Establish clear policies governing data shared with third-party vendors, employees, and contractors. Employee negligence can also cause data leaks. Bring-Your-Own-Device (BYOD) necessitates protecting not only business technology but employees’ personal devices.
Have an Incident Response Plan in place in case your company is breached: In the unfortunate event that your company is the target of a cyber attack, you’ll be able to respond faster and much more effectively if you have a preexisting plan in place. Not having a plan can raise the already staggering cost of a data breach. Don’t wait until disaster strikes to deal with your company’s data security.
Insist on good security measures for all devices: Employees appreciate having work-issued laptops, tablets, and smartphones. Unfortunately, it’s easy to lose track of these devices or to be careless about where and how they are stored. Insist that employees follow certain protocols. Company policy should prevent leaving devices out in the open in vehicles or taking them to unsecured places. Lost and stolen devices are a huge security concern, so warn your workers accordingly.
Mandate appropriate password protocols: Staff may think it’s a pain to use passwords on all devices, even those that never leave the office, but passwords are among the best methods for ensuring that no one can gain access to the company’s systems. Creating strong passwords is an art, and the company should initiate a policy regarding how many characters each password has. Also, it’s best to periodically change these passwords.
Defend the network: Employees should be aware of all of the security tools that are in place to safeguard the company network. Firewalls, a VPN, encryption, penetration testing, and other tools all protect sensitive data. It’s advisable for employees to be aware of the measures that are being used and how they work so that everyone can ensure that these methods are up and running.
Regularly update software: Security software needs to be updated each time an update becomes available. This is because these updates usually repair holes and vulnerabilities. Software that is up to date isn’t as easy to hack or penetrate, thereby ensuring data security. Make it company policy that software updates should be regularly sought and implemented.
Limit access: The company’s computers, servers, and other devices all may contain sensitive data that is not available to the public. Much of this data may be private information pertaining to clients. Having this data fall into the wrong hands would be a disaster. This is why it is rarely a good idea to allow too many people to have access to the server room and company computers. Lock doors when appropriate and ask visitors to sign a log before entering sensitive areas.
Keep only what you need: This solution refers both to data and to devices. Generally, it’s not wise to hold onto a great deal of data that is no longer relevant. Whether it pertains to former employees or customers, a data purge may occasionally be necessary. As technology improves, new devices become available. This may mean that old devices must be disposed of before upgrading to new ones. Your company needs a policy for the disposal of all outdated data and devices. Then, you must ensure that your workers know it and follow it to prevent a data breach.
Remind workers about phishing scams: Phishing scams are still prevalent, even in the business world. Remind your employees to be on the lookout for suspicious links, and to be wary of clicking on these links without investigating them first. Ask employees to call the sender to verify the message before clicking on any links. In a recent interview, Lucas Johnson of Privacy Australia indicated that over 32% of cyber attacks came in the form of phishing emails, of which almost all were opened and clicked on inadvertently by employees.
Now that you’re armed with the basics, spend a few minutes auditing your business to determine what data you have and where it’s located. Once you have a handle on that, you’ll be better prepared to come up with a plan to protect your business and the data it handles.