Top 10 Tips to Prevent Data Theft for Your Small Business
All businesses face the risk of data breach, but recent studies indicate that small businesses are particularly susceptible. According to a 2016 report from the Ponemon Institute, 50 percent of smaller organizations surveyed experienced a data breach in the previous 12 months. New research by Symantec found that small businesses were victim to 43 percent of cyber-attacks in 2015, up from 18 percent in 2011.
What is the reason small businesses are a growing target? Experts note that it is because more often than not, they don’t have the cyber security in place to keep hackers away.
The precautionary items below, in conjunction with a smaller budget and some vigilance, can protect your business and keep you safe.
1. Employee Training.
A Ponemon report notes, employees are the number 1 cause of data breaches in small and mid-size businesses, accounting for 48 percent of all incidents. Usually due to a innocent mistakes; employees often fall short of basic data security awareness and how hackers operate. Education is the number one, most important thing you can do to lower the potential of data theft.
Offer mandatory cyber security awareness training on the risks that employees face every day. It’s not just for your benefit but could be considered a job perk as it will teach them tools that can use in their personal lives. Phishing, Ransomware and Social engineering are growing threats for small businesses, this is where hackers pretend to be a trusted source in need of confidential data. Through phishing, employees are invited to click on a link that sends them to a fake website and asks them to enter there password or it installs a virus on their computer without their knowledge. Ransomware, we all know, will hold a computer hostage until the required ransom is paid.
Help prevent employees from falling into these traps by advising them to:
- Check the legitimacy of the source before giving out sensitive information
- Never open attachments from people they don’t know
- Avoid suspicious links in emails, websites and online ads
- Sign up for Net X Computers Cyber Security Training or Phishing Training.
2. Secure sensitive information.
The valued commodity that criminals seek to find for profit is sensitive data. This includes personally identifiable information (PII) and patient health information (PHI) for employees, customers and patients as well as patented trade secrets, financial data and other confidential information. In the hacker’s hands, this info can damage your business, customers and reputation.
Audit your company’s digital file and folders, limit access to files based on an employee’s need to know. Store paper files containing sensitive information in a locked drawer, cabinet, safe or other secure container when not in use. Don’t use removable storage devices, unless absolutely necessary. Disable USB and Disc drives on computers so employees can’t use them.
3. Dispose of data properly.
Be aware when trashing sensitive data. Shred documents containing sensitive data prior to recycling. Data from electronic devices should be physically destroyed, data should NOT be just deleted or formatted—whether on computers, tablets, smartphones or storage hardware—before disposing of them.
4. Use strong password protection.
Passwords are always under attack and hackers can use a number of different options to crack them. To prevent them from winning, password-protect all of your devices whether they are computers, laptops or smartphones, you should also password protect your network and all accounts. Require all passwords be changed from default passwords and be set strong, complex and with a variety of characters that must be changed at least quarterly.
5. Protect against malware.
Malware is “malicious” software, like viruses and spyware that gets installed on a computer with the purpose to steal sensitive information or damage it. Malware can be installed when an employee clicks on an infected link in an email or on a website or uses a malware infested USB device.
To prevent malware, install and use antivirus software on ALL devices and be sure your employees are trained to lookout for suspicious links.
6. Physically control access to your computers.
Create user accounts for each person to prevent unauthorized access and an audit trail for who used what when. Laptops and tablets can be stolen easily; make certain they’re locked in a safe place when unused. Lastly, limit network access on computers located in public spaces, such as the reception area.
7. Encrypt data.
Almost all devices offer this feature, encryption encodes information, whether it is stored on a device, in the cloud or being transmitted over the Internet, and only the person or computer with the proper key can decode it. Encryption is highly recommended and should be required for all devices containing sensitive information especially laptops, mobile devices, USB drives, backup drives and email.
Most systems and many software applications have an encryption option which simply needs to turned on (instructions vary). You can also purchase encryption programs tailored to your needs whether for an entire drive or just one file or folder. Secure Sockets Layer (SSL) certificates are the standard way to encrypt sensitive information, especially on the web, in fact Google won’t even rank you in a search if you don’t have one.
8. Make certain your operating systems and software are up to date.
Viruses and malware continuously change and software creators must continuously update or “patch” their programs in order to stay secure. This is the reason it is so vital to install updates to web browsers, security updates, operating system updates and antivirus software as soon as they are released. They are the first line of defense against cyber security threats.
9. Secure access to your network.
To prevent hackers from getting access to sensitive information on your network, make sure you have a firewall in place and turned on or purchase reputable firewall router or software. Use a Virtual Private Network (VPN) to provide individuals with a secure way of accessing your network while outside of it. If you have Wi-Fi (who doesn’t), make sure it is secure and encrypted, and that your wireless name is hidden so that it can’t be picked up by outsiders. Also require a password for access and change that password quarterly.
10. Verify the security controls of third parties.
Many companies rely on third-party vendors for some part of their day to day operation, whether for payroll, IT support, credit card processing, line of business software, or to manage their security functions. But there can be security risks in doing so. If a breach happens on your vendor’s system, your data could be compromised and you could very well be held responsible for that loss.
Before hiring a third-party vendor, ask them how they will keep your and your customers data safe? Investigate their security standards and question their best practices to be sure they meet your minimum requirements. Look for vendors that at least:
- Have a strong password policy
- Have strong security policies and procedures
- Regularly preform backups on a hard drive as well as the cloud
- Perform quarterly or biannual internal security audits
- Run background checks on employees
- Require employees to complete phishing and data security training
- Regularly keep up-to-date with the latest security patches and security software
- Have an incident response plan for responding to and managing the effects of a security attack
Once you have investigated and selected a third-party provider, put a service level agreement (SLA) in place that explains your security standards and gives you the right to inspect the vendor to confirm compliance with your standards. Also have them sign a business associates agreement (BAA) to ensure that you are protected, all companies should be doing this now days. Even Google and Microsoft has this option available for you.
As Always, if you need any help or have any questions, Net X Computers is here to help. Feel free to call us any time for a Free 1 Hour Consultation 🙂