Seven Steps to Help Protect Your Business from a Data Breach

It seems that nearly every day, there is news of yet another large-scale data breach. Retail businesses, for example, are often victims of a point-of-sale (POS) malware attack that exploits the split-second interval when unencrypted data is passed between junction points of the computer networks. This and other threats demonstrate the extent to which cyber-criminals are upping their game to obtain credit card numbers, PINs and other personal information from millions of individuals. Also common are "phishing" attacks, where a user is duped into opening a file within an email that will install malware onto computers and servers.

Any business that collects and stores customer data is vulnerable to a cyber-attack. Granted, theft of customer information from a small business is unlikely to be the lead story across the nation, but for the business (and its customers) the results may be more catastrophic. The costs of a data breach are high—in terms of actual dollars, as well as business disruption and loss of customer trust.

CT Tip: Operating as a corporation or an LLC can help protect your personal assets from the consequences of a data breach. If the business becomes liable for a debt or other obligation incurred by the cyber-criminal, and the business is owned by the corporation or LLC, it is the corporation or LLC that is liable, not you personally. Losing your business due to a cyber-attack is catastrophic enough, without putting your personal assets, such as your home, at risk.

64% of Americans have experienced a data breach

Although the headline-making breaches tend to be highly sophisticated attacks, many cybercriminals are successful due to the lax security practices of their targets. Complacency and human error are among the most common reasons behind a data breach. According to the Pew Research Center, a majority of Americans are not following basic recommendations to protect their data, despite 64% admitting to having experienced some form of data breach, whether it be a fraudulent credit card charge or a hacked email account.

That’s the bad news. The good news is that many security breaches can be prevented by implementing and enforcing basic security best practices, such as having a firewall and securing your Wi-Fi network. In addition to those threshold actions, here are seven other steps you can take to reduce your risk of a data breach.

1. Don't click that suspicious email link.

Phishing is the use of a deceptive email to gather personal information or install malware. It is one of the oldest forms of hacking and is still one of the tactics most used by cybercriminals because of its effectiveness. For that reason, every individual in your company needs to be aware of the risks created by phishing schemes and how to identify a phishing email. Some telltale signs include bad grammar and spelling, strange attachments, links to unrecognized sites, or a sense of urgency in the messaging (such as an email warning of suspicious account activity and a request to confirm a password or account details).

2. Enforce a smart password policy.

It may be hard to believe, but "123456" and "password" are still the most common passwords being used today. Protect yourself by enforcing a password policy that requires long passwords (with both letters and numbers) that must be changed periodically without reusing prior passwords. Also, using password manager software to store your passwords is recommended over writing them down on paper.
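As an added example (not code from the article), the policy described in step 2 written as an enforcement check: minimum length, letters plus digits, a blocklist, and a no-reuse check against salted hashes of prior passwords. The minimum length, the history depth and every blocklist entry other than the two passwords the article names are assumptions chosen for this example.

```python
import hashlib
import hmac
import os
import re

# Assumed policy values; the article gives no specific numbers.
MIN_LENGTH = 12
HISTORY_DEPTH = 5
# Constructed blocklist: "123456" and "password" come from the article, the rest are assumed.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "letmein"}


def hash_password(password, salt=None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest) so the history never stores plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_new_password(candidate, history):
    """Return the list of policy violations; an empty list means the password is acceptable.

    history is a list of (salt, digest) tuples for previously used passwords, oldest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"\d", candidate)):
        problems.append("must contain both letters and digits")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password blocklist")
    # Reuse check: re-derive the candidate with each stored salt and compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def rotate_password(candidate, history):
    """Apply the policy at change time; on success, record the new hash in the history."""
    problems = check_new_password(candidate, history)
    if not problems:
        history.append(hash_password(candidate))
    return problems
```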

3. Protect information used remotely.

Poor data practices extend beyond password issues. Bringing work home via a USB drive or by emailing it to a personal email account can expose the data to security risks. An employee's use of a personal mobile phone or tablet can also expose your data. Begin by conducting an audit of how everyone in your business accesses data, and then develop policies to ensure appropriate safeguards are in place. Require an enterprise-level firewall, anti-virus and anti-malware programs on all devices that access company data.

4. Be aware of social engineering schemes.

You've seen it dozens of times on television—an intruder gains access by pretending to have misplaced his (or her) key. That's a classic example of social engineering: using a pretext to trick an unsuspecting person. These tricksters exploit basic characteristics of human nature: the tendency to think well of other people and to want to help. (Two traits often stressed in providing quality customer service.) By implementing a policy that prohibits supplying information—particularly any system credentials—without approval, you provide front-line employees with a way to decline requests that might lead to data compromises.

This tactic is also used in a variant of phishing called "pretexting." In this case, an email appears legitimate (e.g., from a bank, a company officer, or another credible person or institution) in order to obtain personal or sensitive information. Advise employees to confirm the request by phone, using a number other than the one provided in the email.

5. Keep your malware protection and all software updated.

Another step small businesses can take to try to thwart attacks is to use commercially available anti-malware programs. In the same spirit, it is essential to keep all your software programs updated. For example, a major security flaw was found recently in one major company's operating systems, prompting the company to release a patch. But the software patch won't help if the end users do not install it.

6. Back up your data.

Although this step doesn’t prevent an attack, it is critical that you have a backup of your data in case a breach occurs. If possible, a backup of important data should be performed automatically each week and stored in a secure location either offsite or in the cloud.

7. Have a plan, and be proactive.

Unfortunately, cybercriminals are constantly finding new ways to get hold of your data. Businesses need to be proactive in understanding cyber risks and finding ways to mitigate them. Educate your employees on how to detect and prevent potential security breaches, as well as what to do in the event of a cyber-attack. Periodically review and update these guidelines, and issue reminders on following basic data security best practices.

Conclusion

Although there is no perfect solution, implementing these suggestions can help reduce the likelihood of a cyber-attack. If your business requires that you collect and retain a significant amount of sensitive customer data, particularly payment data or medical information, consider hiring a computer security consultant to review your systems and make recommendations for enhancing data security.
