If you take a look at hacking incidents covered in the news over the last year or two, you’ll notice that every organization targeted seemed to be large with a balance sheet in the billions of dollars. It’s only logical, therefore, for one to assume that hackers are solely concerned with breaking into the systems of big businesses. Yet, news coverage is a significant distortion of reality.
Every day, media organizations have to make decisions on what events are newsworthy. Big entity news will always win over incidents affecting smaller organizations. Nevertheless, while going after a bigger target means a potentially bigger payoff for an attacker, small organizations are just as vulnerable. They are attacked numerous times a year; it just doesn’t make the headlines.
Therefore, for a small business, data security is essential to keeping confidential information out of the wrong hands. Here’s how you can do that.
Know Your Data
You can’t actively protect your business’ confidential data if you don’t know it exists in the first place. So before doing anything else, develop an inventory of all the confidential data in your possession. That would mean, for example, customer names, phone numbers, billing information, employee payroll, employee medical information, passwords, and detailed strategic plans. For each type of information, indicate where it is currently stored.
This data inventory must be as detailed as possible since it will form the foundation of your entire data security program. Remember to capture not just data stored in electronic form but also any confidential information in physical copies.
Data security is not just keeping your data safe from external parties but also insiders. In fact, insiders such as employees and trusted contractors can cause the most havoc to the safety and integrity of your business’ information. Ergo, you should grant users access to business systems and data based on the principle of least privilege.
This implies a user should only have access to systems and data they need to effectively discharge their role and no more. Whether it’s a server, computer, application, database, shared drive, filing cabinet or room, ensure as few people as possible have access.
Promptly Patch Your Systems and Install an Antivirus
When a developer releases an application to end-users, that doesn’t mean the software is perfect. The best applications are the result of years of continuous improvement that includes sealing any security gaps identified.
Developers regularly release security patches for their software. To ensure your systems are protected, always apply these security patches as soon as they become available. These updates are often a response to recently discovered vulnerabilities. The longer you wait to apply the patch, the more time you’ll be giving someone out there keen on breaking through your system defenses.
Patches should be complemented by the installation of reputable antivirus software that detects and eliminates threats before they cause significant damage.
Enforce Strong Passwords
The average working adult has a hectic daily routine that forces them to make the most of every minute. It’s, therefore, not surprising that people will take shortcuts when they are able. Passwords are the perfect example.
Instead of coming up with a character string that’s difficult to remember, users will opt for commonly used passwords such as ‘12345678’, ‘abcdefgh’, or ‘password1’. This is not a practice you can afford if you want to keep your business’ data secure. Easily guessed passwords open the front door of your organization to attackers.
Instead, enforce strong security policies that require passwords to have at least eight characters and to mix lowercase and uppercase letters, symbols, and numbers. Where possible, implement two-factor authentication.
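The policy above can be enforced at the point where a password is set. The following check is an added example, not code from the original article: it applies the length and character-mix rules and also goes one step further by rejecting passwords that are only a decorated form of the commonly used ones named earlier (the substitution map and the sample passwords in the comments are constructed for illustration).

```python
import re

# Commonly used passwords named in the article.
COMMON = {"12345678", "abcdefgh", "password1"}

# Constructed map that undoes simple character substitutions.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s", "3": "e"})


def core(password):
    """Lowercase, trim digits/symbols from both ends, undo substitutions."""
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return trimmed.translate(LEET)


# Word stems of the common passwords, e.g. "password1" -> "password".
BASES = {core(p) for p in COMMON} - {""}


def check_password(password):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    required = [
        ("no lowercase letter", any(c.islower() for c in password)),
        ("no uppercase letter", any(c.isupper() for c in password)),
        ("no number", any(c.isdigit() for c in password)),
        ("no symbol", any(not c.isalnum() for c in password)),
    ]
    problems += [reason for reason, present in required if not present]
    # The character-mix rules alone accept "Password1!"; comparing the
    # stripped-down core against the common stems catches it.
    if password.lower() in COMMON or core(password) in BASES:
        problems.append("based on a commonly used password")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords.
    for candidate in ["12345678", "Password1!", "P@ssw0rd1!", "Tr4in-Maple-Kettle"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

A password can satisfy every composition rule and still be one of the first guesses an attacker tries, which is why the final check matters as much as the first five.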
Spam and Phishing Filter
Email is the primary channel of modern business communication. Unfortunately, this also means that email is the most common avenue through which confidential data finds its way into hackers’ hands. Educating employees on how email can be used by unauthorized third parties to gain access to your network is important. They should be aware of how a seemingly innocent inquiry could be the starting point of a malware infection.
However, disseminating such knowledge can only be effective if it is complemented by a robust spam and phishing filter. Technical controls can reduce the amount of spam and phishing emails that actually land in your employees’ inboxes.
Data protection is not just about data loss prevention but also data integrity and availability. Despite your best efforts at securing business data, a catastrophic incident could destroy or corrupt it. You must be prepared for this worst-case scenario. Backup solutions ensure that in the event that something happens to your business’ data in the production environment, the data will be available once backups are restored.
To prevent the backup media from being exposed to the same destructive threat as the production environment, backups should never be stored onsite. Instead, they should be moved to the cloud or an off-site facility that’s physically far removed from the onsite location.
Robust data security isn’t beyond the reach of small businesses. Apply these tips and you’ll be well on the way to creating a data security program that keeps your most confidential information safe.