The first installment in our series examined the financial and reputational consequences of data breaches and the cybercriminals that prey on the specific vulnerabilities of small businesses. This second and final installment offers a practical, proactive, and cost-conscious guide for small businesses to fight back against cyberattacks.
Contrary to the widespread perception that they somehow don’t provide enough payoff, small businesses are commonly the victims of cyberattacks. As in the physical world, criminals aren’t necessarily looking for the biggest score. Rather, they seek the path of least resistance.
Small business owners should make data security part of the regular routine, just like locking your doors at night. The following are ten best-practice processes, technologies, and strategies small businesses can use to protect themselves from a data breach.
Read on to learn how to protect your business.
Develop a comprehensive cybersecurity plan. Fraudsters may operate outside the law, but they act with a plan. Criminals seeking to breach your systems are sophisticated and organized. The threats they pose demand a plan in response.
Small business cybersecurity plans don’t need to be elaborate or expensive, but they should be tailored to fit the unique needs of each individual business. Use best practices listed here. Enlist the help of a cybersecurity expert when possible. Start with the big picture and work down to the details.
The Federal Communications Commission offers a Cybersecurity Hub as well as a Small Biz Cyber Planner that produces customized plans to help small business owners and managers navigate the ever-changing world of cybersecurity. Best of all, it’s free.
Install and maintain anti-virus software that can protect your business systems from viruses and malware. Malware (malicious software) attempts to damage, disable, or disrupt computer systems. Malicious programs such as worms, spyware, and Trojan horse programs are potentially serious threats to your business. Criminals use malicious programs to essentially pick the lock to your electronic safe.
Installing and maintaining the latest version of antivirus software is a common-sense, inexpensive best practice that should be followed on all of your business systems and access points. Affordable and easy-to-use anti-virus software is available from well-known companies such as Symantec, McAfee and Microsoft.
Regularly update all software, including applications, browsers, and operating systems. Software providers are continually upgrading their software in response to specific security vulnerabilities as they are uncovered. These efforts are of little use if the updates aren’t installed on your systems.
In 2017, a major credit reporting agency suffered a large and costly data breach that resulted in the exposure of critical personal data for millions of Americans. Hackers were able to access the data through a web application vulnerability for which a fix had already been discovered and released, but which the company had not applied to its systems.
Conducting routine updates of all business software will ensure that you have the latest defenses. All means all—don’t guess which software should be updated. Following this best practice will reduce the risk of a data breach and help safeguard your business.
Create a regular data backup routine in order to reduce the vulnerability of your business to ransomware attacks. Data breaches are no longer limited to the unauthorized exposure of confidential data. Ransomware is a type of malware that criminals use to block your access to your own data. Criminals will then demand payment to release or unlock your data.
Ransomware attacks can cripple business operations—imagine not being able to access your customer or accounting databases for an extended period of time. The best defense against ransomware is developing a comprehensive data backup and recovery procedure that safeguards your essential data off-site.
Cloud data solutions and automated nightly backups are simple and more affordable than ever. Establishing a routine data backup procedure helps to ensure the continuity of your business operations in the event of a ransomware attack.
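One way to put the backup routine described above into practice, as an added example that is not part of the original article: a small Python script that creates a timestamped, compressed archive of a directory, records its SHA-256 hash so a tampered or corrupted copy is noticed before you rely on it, keeps only the most recent copies, and restores into a clean directory. The directory names, the `keep` count and the sample customer file in `demo()` are constructed for illustration; copying the finished archive off-site (to cloud storage or removable media) is the step this example leaves to your provider's tooling.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def _sha256(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large archives don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _sidecar(archive: Path) -> Path:
    """The .sha256 file stored next to an archive (e.g. backup-X.tar.gz.sha256)."""
    return archive.parent / (archive.name + ".sha256")


def make_backup(src_dir: Path, dest_dir: Path, keep: int = 7) -> Path:
    """Archive src_dir into dest_dir, write a hash sidecar, and prune all but the newest `keep` copies."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    # UTC timestamp with microseconds: sorts lexically, so the oldest archive sorts first.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    archive = dest_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)
    _sidecar(archive).write_text(_sha256(archive))
    # Rotation: delete the oldest archives (and their sidecars) beyond the retention count.
    archives = sorted(dest_dir.glob("backup-*.tar.gz"))
    for old in archives[:-max(keep, 1)]:
        old.unlink()
        _sidecar(old).unlink(missing_ok=True)
    return archive


def verify_backup(archive: Path) -> bool:
    """True only if the archive matches its recorded hash and its tar index is readable."""
    sidecar = _sidecar(archive)
    if not sidecar.exists() or sidecar.read_text().strip() != _sha256(archive):
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            tar.getmembers()
    except (tarfile.TarError, OSError):
        return False
    return True


def restore_backup(archive: Path, target: Path) -> Path:
    """Extract the archive into target, refusing entries that would escape it (absolute or '..' paths)."""
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if os.path.isabs(member.name) or ".." in Path(member.name).parts:
                raise ValueError(f"unsafe path in archive: {member.name}")
        tar.extractall(target)
    return target


def demo() -> dict:
    """Round trip on constructed sample data: back up, rotate, restore, and detect tampering."""
    work = Path(tempfile.mkdtemp())
    src = work / "data"
    src.mkdir()
    (src / "customers.csv").write_text("id,name\n1,Ann\n2,Bo\n")  # constructed sample file
    dest = work / "backups"
    first = make_backup(src, dest, keep=2)
    first_ok = verify_backup(first)
    make_backup(src, dest, keep=2)
    latest = make_backup(src, dest, keep=2)
    first_pruned = not first.exists()
    remaining = len(list(dest.glob("backup-*.tar.gz")))
    restored = restore_backup(latest, work / "restore")
    restored_text = (restored / "data" / "customers.csv").read_text()
    with latest.open("ab") as fh:  # simulate corruption or tampering of the stored copy
        fh.write(b"\0")
    tampered_detected = not verify_backup(latest)
    shutil.rmtree(work)
    return {
        "first_ok": first_ok,
        "first_pruned": first_pruned,
        "remaining": remaining,
        "restored_text": restored_text,
        "tampered_detected": tampered_detected,
    }


if __name__ == "__main__":
    print(demo())
```

The restore step is deliberately part of the routine: a backup you have never restored is an assumption, not a safeguard, and a periodic test restore is what tells you the archives are actually usable when ransomware makes the originals unavailable.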
Conduct ongoing security training for your staff. Develop rigorous security policies and conduct mandatory training of all staff designed to thwart phishing schemes and other “social” data breaches. Protect confidential data by limiting access to internal systems and data on a need-to-know basis. You needn’t train your entire staff to become cybersecurity experts, but anyone with any system access should be trained in basic security measures.
Fraudsters target our human vulnerabilities as the likely weakest link in any system. Introducing simple, consistent, easy-to-follow security measures to the regular training and routines of your staff will help keep your business safe.
Implement strong authentication for all system access. Complex passwords are a must. Poor password management leaves individuals and businesses extremely vulnerable to data breaches, account takeover, and other forms of system penetration. Eliminate the use of simple (and especially default) passwords. Always use a different password for each account you have across systems. Never share your passwords with anyone.
Strong passwords and password management practices are important as a minimum baseline. Even the best password management practices, however, are cumbersome for users and vulnerable to determined attackers. The cutting edge of security is seeking to solve the password problem through multifactor and biometric authentication. When it comes to authentication, follow the best practices of today and keep an eye on the latest in this rapidly-evolving area.
Follow wireless security best practices. Wireless networks have transformed the way all of us work and communicate. Wireless networks open many doors for small businesses, but easy access to systems can be a double-edged sword. Far too often, the unprotected wireless system of a small business is the open door criminals seek.
Following a few simple wireless security best practices is time well spent. Be sure to disable remote logins to wireless networks, as they pose unnecessary security risks. If you offer any open wireless services, install a firewall between them and your secure networks and systems. Change the default names and passwords for your Service Set Identifier (SSID). Secure physical network access such as Ethernet ports.
Establish strong physical security procedures. Securing your digital assets is a necessary but not sufficient condition for keeping your business safe. You need to safeguard your physical assets as well.
Create strict access controls for all areas of your business, granting access only where the job requires it. Install locks and security systems that monitor all access points and establish redundant communications systems. Create photo ID access where appropriate.
The threats from data breaches and other cybercrimes have created a new layer of security concern for the small business owner. It’s critical that this new threat doesn’t divert attention from old-fashioned physical security.
Become PCI-DSS compliant. Payments data is among the most highly prized data that cybercriminals seek. If you accept credit and debit cards, you’ll need to become compliant with the Payment Card Industry Data Security Standard. Following PCI-DSS requirements for the possession, transmission, and storage of credit card data is more than an obligation—it can protect your business from the costly consequences of a data breach.
Develop strong data encryption routines both “at rest” and “in motion.” Employing the latest encryption and tokenization technologies will help reduce the scope of PCI compliance, reducing costs. Have regular vulnerability scans conducted by an Approved Scanning Vendor (ASV), understand the role SSL/TLS plays in staying compliant, and consider retaining a PCI-certified Qualified Security Assessor (QSA).
Partner with a credit card processor who understands small business security. Credit card processing is often viewed as a commodity business that serves an essential function, much like an electric utility. That’s changing. Small business owners are learning that credit card processing companies are differentiated by many factors including reliability, price, customer service, and critically, defenses against a wide array of security threats.
Selecting the right credit card processor will help your business implement the latest in secure payment technologies such as EMV chip cards, contactless payment methods such as NFC, and the latest in eCommerce security.