Updated January 3, 2022 . AmFam Team
It may surprise you to learn that nearly half of all cyberattacks target small businesses. One reason they make appealing targets to data thieves is that small businesses often don’t have the defense systems in place or haven’t put money put aside to effectively manage cybercrimes.
“Often, the hackers get away with it because small businesses don’t have the resources to combat it,” notes Terry Evans, president of Lighthouse Business Consulting Services (Opens in a new tab), and an expert in cyber security for small businesses.
One common way cyber attackers target small business is through spear-phishing campaigns using deceptive emails to get at sensitive information. These are emails sent to employees from known senders — they spoof an email address familiar to the recipient — and request exploitable data to be emailed back. There has been a steady increase in attacks targeting businesses with less than 250 employees, targeting small business employees specifically, according to the internet security company Norton (Opens in a new tab).
Whether you sell products at a brick-and-mortar store or through a website, the good news is knowledge is power. By now it should be clear that technological safety in today’s workplace is more important than ever. So, take these steps to keep your customer data safe. You'll not only retain more customers, but they’re also going to feel safer doing business with you as well.
Running anti-virus, anti-malware and/or anti-spyware software is your first line of defense. But you must make sure it is regularly updated. “One of the problems I see with small businesses is that they buy into a product they either don’t need, don’t want, don’t understand, or they don’t use, and it just kind of sits there,” says Evans. “Or they’ll buy a product and won’t update it and then it’s worthless.” Because hackers are constantly revising their tactics, your odds of beating them are best if you update frequently. If given the option, always select the "update automatically" setting to be sure you're running the latest and greatest software version.
Invest in a secure, dedicated server used only by your business and your employees. While it may be cheaper up front to share your server, by using a secure network you significantly lower the risk of leaving your customers’ information open to hacking. And always back up all your data. By having backups of everything, you won’t be devastated by ransomware, a type of malware that blocks access to your data until you pay a ransom.
Using encryption technology is another way to really protect your customer’s information. Invest in the latest encryption software and keep it updated. It’s also wise to encrypt your email if you’re sending/receiving sensitive data.
Almost all businesses gather and store customer information, employees, and business contacts. With data breaches on the rise, hackers are keen on exploiting any vulnerability — an easy target is frequently “easy money.” Look at these ideas to tighten up your data security, which can help deter or prevent a data breach.
Ditch the four-letter, easy-to-remember passwords. Make them strong and long. “Passwords should be at least eight characters long, but I would advocate for 13 or 15 characters,” says Evans. “They should not be a word; they should be random with symbols, numbers, capitalization, and all of that.”
If your business is handling credit card transactions, be sure the way you’re storing, processing, and transmitting cardholder information is compliant with Payment Card Industry Data Security Standards (PCI DSS). By implementing the basics of PCI compliance at your group, customers can feel safe knowing that their personal information is being handled securely.
Many times, small businesses take measures to protect their digital data, but fail to work safely with physical data and the electronic devices that store this information. Look at these ideas to learn how to keep customer data secure, whether it’s a hard copy or electronic.
Some data breaches occur right out of your dumpster in the alley. Recycling old files and paper copies is a great practice but be sure to crosscut or shred these files before discarding. If you’re going to be reusing a computer that previously held customer sensitive information, wipe the drive clean by using software designed specifically for that purpose. If a computer’s being decommissioned, be sure to pull the hard drive and physically destroy it to protect any customer data on the device.
Look at the kinds of data you’re keeping and consider whether you really need to store this information. Customer names may be important, but do you really need their birthdates? Consider purging any data that does not directly relate to your business needs. You also may want to think twice about storing customers’ credit card information. “Those are clients’ credit cards; you don’t need to hold on to them, and once you do, you create an enormous problem for yourself,” Evans adds.
Safeguard your files, papers, and records behind a locked door. Adding additional measures like a numeric keypad or even biometric verification can really boost increase data security. It also can help to build confidence when prospective investors are touring your business.
Flash and USB drives should be tightly controlled. Require users to check these media in and out and be sure to encrypt data saved on these drives. Company cell phones are another potential data security risk and can expose your network to vulnerability — most frequently when these devices are charging or syncing with a networked computer. Again, installing encryption software on smart phones can help to keep your network and customer data safe.
Having a plan in place when you first notice a data breach is just as important as any other preventative measure. If you’re well-prepared to respond to a breach you can lessen its impact on your business.
Managing an emergency means knowing what to do when, regardless of the disaster type. Seek out a well-referenced cyber-security company now and inquire about a maintenance contract. They’re often able to help bolster your current data security plan and lessen the impact of an active data breach.
You may want to consider consulting an outside expert to assess the damage and get a handle on what — and how — the event unfolded. Establishing internal processes for cybersecurity prevention and emergency response is only half of the preparation process. Practice makes perfect, and because so much of cyber-security may be difficult for your employees to grasp, it’s a great idea to have them go through a few dry runs so they’re familiar with the cyber incident process should they ever need to act on it.
Be clear on each step to take and consider the source of the breach. You may have several scenarios that mandate a different action to be taken, depending on the breach. “You can spend a fair amount of money on software and other security measures, security cameras, and all of that, but if you leave your backdoor open, you’ve wasted your money,” says Evans. You may want to consider consulting an outside expert to assess the damage and get a handle on what — and how — the data breach event unfolded and how best to respond. Work with your security consultant to understand where the potential risks are.
Appoint an on-site data manager that can act as a point person who’ll be responsible for making decisions when it comes to customer data breaches and readiness for emergencies. High-ranking executives, senior database managers, even someone elected by your board of directors to perform this role all make great candidates.
Often, the weakest link between customer information and a data breach is the small business’ employees. “I’ve walked into brick-and-mortar stores, into what should be a secure area — their accounting area — and computers are up and available and logged in,” says Evans. “I also see people scribble passwords down on a Post-It note or desk blotter making the password visible to folks.” Train employees about data and consumer information protection to at every entry point, from computers on-site to and cell phones. Two-factor authentication measures for off-site access to protected files can help to prevent a breach as well.as secure company data at every entry point, from computers on-site to and cell phones. Two-factor authentication measures for off-site access to protected files can help to prevent a breach as well.
Chances are, there will always be thieves targeting customer data. But you have the power to protect your customer information and help ensure your future sales by taking this job head-on. While you’re building up your business’ cyber-security profile, remember to check with an American Family Insurance agent (Opens in a new tab) and review any changes that you’ve made to your inventory — even software updates and electronic purchases — that help protect you from hacking or customer data breaches. Your business will be more secure, and that’s as good as money in the bank.
This article is for informational purposes only and based on information that is widely available. This information does not, and is not intended to, constitute legal advice. You should contact an attorney for legal advice specific to your situation.