Data breaches are on the rise and in the news. Home Depot and Target are just a couple of the global companies that have had sensitive data stolen during the past several months. Hearing that huge corporations are victimized can make small-business owners feel as if securing their online business data is futile. In reality, there are many simple safeguards that businesses can—and must—take.
The biggest mistake small-business owners make? “They say, ‘That’s not going to happen to me,’ ” says Stu Sjouwerman, whose company, KnowBe4, provides online security-awareness training for small and midsize businesses. “In reality, small businesses are the preferred target for hackers because it’s like shooting fish in a barrel.” Half of small-business owners in a 2015 survey by the National Small Business Association (NSBA) have suffered a cyberattack; 19 percent of those had their business credit cards or bank accounts hacked.
Cybercrime can destroy critical data, expose customers’ personal and financial information to theft, and cost your business money; the NSBA reports that in 2014 the average small-business cyberattack cost the company more than $20,000. The increasing risk of customer lawsuits also could expose your business to huge financial headaches if a breach occurs.
“If your business has customers’ credit card, personal, financial or medical information, you must be concerned about data security,” says Andrew Bagrin, CEO of MyDigitalShield, which provides security services to small businesses. “If someone’s identity is stolen because of you, your business is responsible.” That’s a big problem for most businesses—“60 percent of small businesses that have a data breach close their doors within six months,” Bagrin says.
Cloud storage, backup and apps are growing in popularity for small businesses—for good reason, Bagrin says. “Do you keep your money under the mattress or in the bank?” he asks. “Think of the cloud as the bank. The bank spends billions of dollars annually securing your money, making sure it’s always available to you. Keeping your data in the server at your office is like keeping it under the mattress.”
Of course, no method of storage or backup is 100 percent secure. When choosing a cloud service provider, do background research and ask questions, says Jocelyn Baird, content manager at NextAdvisor.com, which provides independent reviews and research on online services for consumers and small businesses. What should you ask a cloud provider?
1. Where is my data stored? Offshore data storage is more vulnerable because it’s less regulated, so look for storage in the United States.
2. What type of backup is done? Ensure that the company that backs up and stores your data also backs up its data.
3. Who can access my data? Employees of any company that provides cloud services to your business should be able to access only the minimum data needed to do their jobs.
4. Ask and verify that a cloud provider complies with your industry’s regulatory standards, such as HIPAA (Health Insurance Portability and Accountability Act) or PCI (Payment Card Industry).
When choosing a cloud-based backup solution, match your goals with their services, says Ian McChord, product director at Datto, which provides data backup, recovery and business continuity solutions. For example, some cloud service providers charge for uploading and downloading data. “Most customer expectations are that downloading their data would be free,” McChord says. “Many get a huge wake-up call when downloading their entire data set costs as much as they’ve paid to store the data.”
Also be aware that not all clouds come with the same “restore” abilities. “Make sure if you expect to get data back that minute or hour, you sign up with a service that offers that,” McChord says. “Some clouds do restores over [a period lasting] days and weeks, which can be very damaging to businesses.”
As long as you do your digital due diligence, cloud backup, storage and cloud-based data security tools are excellent alternatives for small businesses that lack extensive in-house information technology expertise or big hardware and software budgets. “Buying one-time technology equipment that needs regular updating is costly,” Bagrin says. “A bigger savings is to leave it to the experts who monitor the latest security issues and keep your data safe.”
Test Your Security
How secure is your business’s computer network right now? MyDigitalShield offers a 30-second online test to find out at ShieldTest.com. If you lack the in-house knowledge to repair any weaknesses you find, it’s cost-effective to contract with an IT consultant who has expertise in digital security for small businesses in your industry.
Basics for protecting your business include installing a small-business security suite that protects your computer(s) and devices against viruses, hackers, malware and other online threats. Examples include McAfee Small Business Security, starting at $16 per license, and Symantec Protection Suite Small Business Edition, from $40 a year to $101 per license per year.
You should also use encryption, which scrambles data such as customers’ credit card numbers so they’re unreadable; even if hackers get hold of the information, it’s useless to them. Full-disk encryption tools come standard on your operating system; on Windows PCs, the feature is called BitLocker, and on Macs, it’s FileVault. Just turn on the encryption feature, and it will encrypt all of the files on your computer. To secure data while it’s in transit from device to device, update your company’s Wi-Fi network to the latest encryption standard (currently WPA2).
Also set critical software to update automatically and perform monthly security audits, looking for malware, viruses or suspicious financial transactions, payments or bank transfers.
Mobile devices have added new complexity to data security. “The biggest problem with mobile devices is unencrypted data,” Sjouwerman says. Unencrypted data can be captured in transit. Using public Wi-Fi, such as at Starbucks or the airport, multiplies the risk. Any device using public Wi-Fi is essentially open to the public. If you have sensitive information, set up a virtual private network (VPN) and require your employees to use that off-site.
The BYOD (bring your own device) trend is also “fraught with risks,” Sjouwerman says. “People aren’t as security-conscious with their own phones as they are with the company’s. Issue company-provided devices and install mobile-device management software” so you can manage security remotely and shut down the device if it’s lost or stolen.
What about the home office? Whenever you or your employees work at home, it’s vital to use a separate computer only for work, Sjouwerman says. “Don’t let the kids use it. Kids are notoriously click-happy and will give your computer a virus in 30 seconds.” As with mobile devices, use a VPN when connecting to the business’s computer network from home.
The Human Factor
People are the weak link in cybersecurity. One common way that hackers invade businesses’ data is by targeting employees with phishing emails. (Phishing means sending emails that mimic a legitimate vendor or client email and include a hyperlink in order to access sensitive information.) When an employee clicks on the link, hackers install malware on the company’s computers and then use it to gather data from the company’s network. (Sony’s highly publicized hack started with this type of email.) It takes an average of six months for this type of breach to be uncovered—and then it’s too late.
“Security awareness training [for employees] is not a luxury; it’s a must-do,” Sjouwerman says. Train regularly. “You have to create a human firewall.” (KnowBe4’s business security training, for example, costs $10 per user per year.)
Teaching employees secure password use is critical. Use password management and/or generation apps to create complex passwords and to encrypt and store them. Some business Internet security suites include password management; if yours doesn’t, use standalone apps such as Keeper ($9.99 and up per year), Passpack (free to $40 per year), LastPass (free to $12 per year) or RoboForm ($19.95 and up per year).
Cover Your Assets
What if a data breach occurs despite your best efforts? Buy cyber liability insurance, because traditional business insurance policies rarely cover data breaches. Cyber insurance can cover costs of notifying customers, providing them with credit-monitoring services, legal expenses in case of lawsuits related to the breach and more. Talk to your insurance provider or check out cyber liability policies offered by Insureon, Nationwide and Travelers; prices vary widely, so request a quote.
This article appears in the July 2015 issue of SUCCESS magazine.