Recently, my debit card was compromised — not at a big box retailer but at a small gift shop that I often frequent. When I had the conversation with my card company and got the fraudulent charges removed, I stated my surprise that a small business would be the victim of hacking — it seemed that only the “big boys” like Target were the goals of these criminals.
What that fraud pro told me was an eye opener. He said that, actually, it is often the small businesses, especially those online, that are the most frequent victims. Why? Because they don’t have the money, the IT team, or the savvy to implement good security measures.
If you are a small-business owner or a solopreneur, take note. Once you have a security breach, and customer data is compromised, you may very well lose those customers forever — their level of trust has just died. Credit card users want to feel that the companies they do business with are protecting them.
First of all, realize that you face the same threats that big businesses do. So the security that you put in place has to be just as rigorous as theirs. This is tough when you are small, but you can find outside security software companies that will work with you and make this as affordable as possible.
Consider the alternative — a security breach that loses customers and costs you a great deal of money to repair. Whether you tackle security by yourself or contract out, here are the 10 key steps that must be taken.
Where is your important data stored? Are you using traditional desktop servers or the cloud? How secure is this storage, really? And no matter which one you are using, have you documented the access permissions that you have given to other employees? And can those employees access your data from their own bring-your-own-device (BYOD) hardware?
This documentation will lay the framework for the rest of what you do relative to security — particularly in terms of disaster and back-up recovery plans.
Bad things can happen. Whether your systems or your cloud server crashes, there needs to be a backup. This can be in-house backups on external drives or storage in multiple cloud servers, which is what many businesses have chosen. It is unlikely that both of them would go down at the same time.
The point is you must have access to your data if these events occur. If you automate that backup, it occurs every day without you having to remember to do it. It's a rather simple process to put into place, and there are many reasonable software solutions from which to choose.
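The daily, automated backup the paragraph calls for, as an added example that is not from the article and not any particular vendor's product. It assumes a data directory, a backup directory, a 30-day retention window and a scheduler (cron or Task Scheduler) that calls `run_backup` once a day; all of those names are mine. Beyond what the text says, it also verifies each archive after writing it, because a backup that was never checked is not known to be restorable, and it refuses to prune old copies when the new one fails verification.

```python
"""Daily backup with integrity check and retention (added example, not the article's code)."""
import hashlib
import tarfile
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Optional

RETENTION_DAYS = 30  # assumed retention window; adjust to your own policy


def sha256_of(path: Path) -> str:
    """Digest of a file, read in chunks so large archives do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_archive(data_dir: Path, backup_dir: Path, when: datetime) -> Path:
    """Write a timestamped tar.gz of data_dir plus a .sha256 sidecar for later checks."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"backup-{when:%Y%m%d-%H%M%S}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(data_dir, arcname=data_dir.name)
    Path(str(archive) + ".sha256").write_text(sha256_of(archive))
    return archive


def verify_archive(archive: Path) -> bool:
    """Recompute the digest and confirm the tarball is readable and non-empty."""
    recorded = Path(str(archive) + ".sha256").read_text().strip()
    if sha256_of(archive) != recorded:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            return len(tar.getmembers()) > 0
    except (tarfile.TarError, OSError):
        return False


def prune_old(backup_dir: Path, now: datetime, keep_days: int = RETENTION_DAYS) -> list:
    """Delete archives (and their sidecars) older than the retention window."""
    cutoff = now - timedelta(days=keep_days)
    removed = []
    for archive in sorted(backup_dir.glob("backup-*.tar.gz")):
        stamp = archive.name[len("backup-"):-len(".tar.gz")]
        try:
            made = datetime.strptime(stamp, "%Y%m%d-%H%M%S")
        except ValueError:
            continue  # not one of our archives; leave it alone
        if made < cutoff:
            archive.unlink()
            sidecar = Path(str(archive) + ".sha256")
            if sidecar.exists():
                sidecar.unlink()
            removed.append(archive.name)
    return removed


def run_backup(data_dir: Path, backup_dir: Path, now: Optional[datetime] = None) -> dict:
    """One scheduled run: archive, verify, and only then apply retention."""
    now = now or datetime.now()
    archive = create_archive(data_dir, backup_dir, now)
    verified = verify_archive(archive)
    pruned = prune_old(backup_dir, now) if verified else []  # never prune after a failed backup
    return {"archive": archive, "verified": verified, "pruned": pruned}


def demo() -> dict:
    """Run the whole cycle on constructed sample data in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    data = root / "shop-data"
    data.mkdir()
    sample = "order_id,total\n1001,42.50\n"  # constructed sample record
    (data / "orders.csv").write_text(sample)
    backups = root / "backups"
    backups.mkdir()
    # Plant an empty archive "dated" in 2000 so the retention rule has something to remove.
    (backups / "backup-20000101-000000.tar.gz").write_bytes(b"")
    result = run_backup(data, backups)
    # Restore test: read the file straight out of the new archive and compare.
    with tarfile.open(result["archive"], "r:gz") as tar:
        restored = tar.extractfile(tar.getmember("shop-data/orders.csv")).read().decode()
    result["restored_ok"] = restored == sample
    return result


if __name__ == "__main__":
    print(demo())
```

Schedule `run_backup` with whatever your platform offers and keep at least one copy somewhere the office network cannot reach (a second cloud bucket, an external drive taken off site), which is the "multiple locations" point the paragraph makes.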
Unfortunately, banks are far less sympathetic to businesses than they are to consumers when data is breached and customer financial information is compromised. Besides skimming customer data, the other threat is that hackers can access your banking accounts and empty them.
Most cyberattacks occur through "phishing" emails or as a result of using business hardware for personal purposes. Putting spam filters in place helps, but everyone in the office needs to be directed never to open an email that appears the least bit suspicious or not connected to business operations. You should also consider web-surfing controls on all devices. A third measure worth considering is dedicating a single device to online funds transfers and nothing else.
If a virus, malware, or a hacker attacks one device and you are networked, then all of them are infected. Even an individual who accesses your data remotely from his/her own device is compromised. To combat this, use technology like application "whitelisting" (allowlisting), which blocks any program or download that has not been explicitly approved. And be certain to get outside help to patch any breaches as soon as they are discovered.
It's the law. Keep updated on the PCI DSS (Payment Card Industry Data Security Standard) guidelines. If you gather any personal information or engage in any payment card transactions, you have to comply with existing law. If you need legal advice or the services of an outside security tech consultant, pay the price and get it. Ignoring encryption is not an option.
This should go without saying, but be mindful that when you replace hardware, the old hardware has to be wiped. The same goes for any of your team members who have used their BYOD hardware to access company data.
If you’re a solopreneur and you never share access with anyone, you have only yourself to worry about. However, as you scale and add employees, you have to think about this very carefully. You must document exactly the access you are giving to each employee, and each employee must have his/her own unique and uncommon passcodes.
Never have a universal passcode — you will not be able to determine where the data breach came from or who might be an internal bad guy. Some small businesses are now using a dual-authentication (two-factor) system when really sensitive information is accessed.
And never forget — when an employee leaves, passcodes and credentials must be de-commissioned immediately. The same goes for clients to whom you may have given access to any of your non-sensitive data.
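The access documentation and the offboarding rule from the three paragraphs above, turned into a check you can run, as an added example that is not from the article. The register, the staff and client lists, and the finding codes are all constructed by me; the point is that once access is written down per person, a few lines of code can tell you which accounts are shared (the "universal passcode" problem), which still belong to someone who has left, which are held by someone the register does not know, and which guard sensitive data without a second factor.

```python
"""Access review over a documented access register (added example, not the article's code)."""

# Constructed sample data. "people" is everyone who may legitimately hold access,
# staff and clients alike, with their current status.
STAFF = {"alice": "active", "bob": "active", "carol": "departed"}
CLIENTS = {"acme": "active", "globex": "contract ended"}

# One row per credential: who holds it, what it reaches, and whether a second
# factor is required. A row with several holders is a shared passcode.
ACCESS_REGISTER = [
    {"account": "register-shared", "system": "POS", "holders": ["alice", "bob", "carol"],
     "sensitive": True, "mfa": False},
    {"account": "alice", "system": "accounting", "holders": ["alice"],
     "sensitive": True, "mfa": True},
    {"account": "bob", "system": "fileshare", "holders": ["bob"],
     "sensitive": False, "mfa": False},
    {"account": "globex-portal", "system": "fileshare", "holders": ["globex"],
     "sensitive": False, "mfa": False},
    {"account": "contractor-x", "system": "fileshare", "holders": ["erin"],
     "sensitive": False, "mfa": False},
]


def review_access(register, people):
    """Return (account, issue, detail) tuples for every problem found in the register."""
    findings = []
    for entry in register:
        acct, holders = entry["account"], entry["holders"]
        if len(holders) > 1:
            # A shared credential cannot be traced back to one person after a breach.
            findings.append((acct, "SHARED_ACCOUNT", ", ".join(holders)))
        for holder in holders:
            status = people.get(holder)
            if status is None:
                # Access was granted to someone the documentation does not list.
                findings.append((acct, "UNDOCUMENTED_HOLDER", holder))
            elif status != "active":
                # Employee left or client contract ended: decommission immediately.
                findings.append((acct, "DEPARTED_HOLDER", f"{holder} ({status})"))
        if entry["sensitive"] and not entry["mfa"]:
            findings.append((acct, "NO_MFA_ON_SENSITIVE", entry["system"]))
    return findings


def summarize(findings):
    """Count findings per issue code, handy for tracking progress between reviews."""
    counts = {}
    for _, issue, _ in findings:
        counts[issue] = counts.get(issue, 0) + 1
    return counts


def review_sample():
    """Run the review over the constructed register and staff/client lists."""
    return review_access(ACCESS_REGISTER, {**STAFF, **CLIENTS})


if __name__ == "__main__":
    for account, issue, detail in review_sample():
        print(f"{issue:22} {account:18} {detail}")
    print(summarize(review_sample()))
```

Run it on the day someone leaves and again on a fixed schedule; a shared account that a departed person held cannot simply be disabled without locking out the others, which is exactly why the paragraph above insists on one credential per person.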
Even the big guys are struggling with this. With so many employees working remotely from their own devices, and having access to company data, how do you ensure security? The other issue is a legal one. If an individual is using his/her own device, it is not hardware issued by the company, and therefore the company may not have much control or recourse over its use, especially if access to data was freely given by the company. Some large companies are experimenting with data segmentation options, but these are in the early stages and as yet far too expensive for a small business.
Much of this boils down to trust in an employee. Never give any employee access to your data, either in-house or remotely, unless you have complete trust. If they need to access data in-house, provide that through passcodes and credentials that you hold securely.
If you have a small office, there is usually a strong personal relationship among team members. And often, friends and/or family members may stop by. All team members must be trained, under pain of penalty, to close out any screens that hold secure data when an outsider enters, no matter how well they may know that person. It’s just a cardinal rule that must be enforced consistently. And, at the end of the day, all computers are shut down — no exceptions. You don’t know the cleaning crew, for example.
You may be small, or you may be all on your own. But security is critical whether you have 50 customers or 100,000 customers, whether you have two computers or 1,000, whether you use one cloud storage service or another. If you develop good policy relative to security and you and all your employees follow that policy without exception, you have a much better chance of protecting your data. And get the security tools that are best suited for your situation.