If you think only big corporations need to defend against online security breaches, it’s time to think again. According to the Verizon 2021 Data Breach Investigations Report, cyberattacks represent a significant and growing threat to small businesses. In fact, a report from the Ponemon Institute documented a 20% rise in security violations at small and medium-sized companies between 2016 and 2019.
With this in mind, let’s ask the obvious question: what is your small business doing right now to protect the security and privacy of your data – especially the valuable information your customers rely on you to keep safe?
This question is especially relevant as more start-ups and in-home e-commerce ventures collect a larger and more diverse audience of customers by going global. Cross-border trade brings big opportunities for small businesses, but it also opens the doors to new threats, and makes the pool of data you need to protect even bigger.
So, if you’re not focused on preventing cyber intrusions, consider that one significant data breach could dramatically damage your reputation with existing and potential customers. It could put your partners, suppliers and vendors at financial risk. And ultimately, it could drastically reduce your revenue for years to come.
To combat evolving security threats today and into the future, you need a comprehensive plan. Here are some key considerations:
Understand the True Risks
With fewer internal IT resources, small companies find it harder to implement data security plans than their larger counterparts. Attackers are well aware of this gap, and it is precisely why small businesses are so often targeted. As an owner or manager, your attention may be centered elsewhere, and you may have only a limited picture of how your company collects and stores customer data. Changing that dynamic starts with a careful examination of your IT infrastructure.
Meet with your IT staff or vendors, and talk to your sales team, your legal counsel, and your financial planner to determine your risks and liabilities. Map out where and how data is collected and stored. With the support of your legal counsel, identify which data privacy and information security requirements apply to your company and put compliance plans in place for storing and processing data. Finally, practice data minimization: retain only the information a transaction actually requires, and delete it once it is no longer needed. Data you no longer hold cannot be stolen.
Focus on People and Technology Together
For many small companies, an outside IT security provider is worth the investment. Such providers bring both security technology, such as antivirus and endpoint protection software, and the expertise to run it. They can also make sure your security controls keep pace with new threats.
But security tools and protocols will be ineffective without awareness and commitment on the part of your entire team of employees. Not only do your people need to be trained on how to manage and protect data, including customer information, they must become true partners in the battle against security intrusions. They must, ultimately, understand in a very real way just how critical security measures are, how common cyberattacks are, and how damaging they can be.
Just how important is it to train your employees, and to consistently communicate security procedures with them? According to the Verizon report, 85% of all security breaches involve a human element. In many cases, employees are the direct route for intrusions, as hackers target them to gain access to passwords and systems. According to Proofpoint, phishing attacks that target employees and outside contractors are the avenue most likely to result in a data breach.
Prioritize Passwords, Data Access and Downloads
It has been said many times but merits repeating: make sure your employees use strong, unique passwords for every account, ideally stored in a password manager, and screen new passwords against lists of known-breached passwords. Do not force routine password changes on a schedule: current guidance (NIST SP 800-63B) advises against arbitrary periodic rotation because it pushes people toward weak, predictable variations; require a change only when a compromise is suspected. Also, require multi-factor authentication for access to the most important applications and databases.
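To make the two controls above concrete, here is an added example (not code from the original article or from DHL) showing a password policy aligned with NIST SP 800-63B and a second factor implemented as RFC 6238 TOTP, the mechanism behind authenticator apps. The breached-password set is a constructed stand-in for a real breach corpus such as Have I Been Pwned, and the function names are my own.

```python
"""Added example: NIST SP 800-63B style password policy plus RFC 6238 TOTP
as a second factor. Not part of the original article."""
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample of a breached-password list; a real deployment would
# query a large corpus (e.g. the Have I Been Pwned k-anonymity range API).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}

MIN_LENGTH = 8    # SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64   # allow passphrases; SP 800-63B asks for at least 64


def check_password(password: str, username: str = "") -> list[str]:
    """Return a list of policy violations; an empty list means accepted.

    Deliberately no composition rules (uppercase/digit/symbol) and no expiry:
    SP 800-63B recommends against both in favour of length plus a blocklist.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breached-password list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def totp(secret_b32: str, timestamp: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(timestamp) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, submitted: str, timestamp: float,
                step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock
    drift, comparing in constant time so partial matches do not leak timing."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, timestamp + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def new_totp_secret() -> str:
    """Fresh 160-bit shared secret, base32-encoded for enrolment in an
    authenticator app (show it once, store it encrypted server-side)."""
    return base64.b32encode(secrets.token_bytes(20)).decode().rstrip("=")


if __name__ == "__main__":
    print(check_password("password", "alice"))
    print(check_password("correct horse battery staple", "alice"))
    secret = new_totp_secret()
    now = time.time()
    code = totp(secret, now)
    print("TOTP code:", code, "verifies:", verify_totp(secret, code, now))
```

The `window` argument is the practical caveat: a verifier that accepts only the exact current step will reject codes from phones whose clocks drift a few seconds, while a wide window gives an attacker who phishes a code more time to replay it; one step either side is the usual compromise, and a code that has been accepted once should be remembered and refused for the rest of that window.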
It’s also important to impose strict limits on data access and downloads, following the principle of least privilege. Employees should be able to reach only the data they need for their work, and should not be able to download and install software without permission.
If you sell merchandise online, review your order, refund and account-change records for anomalies on a regular schedule, just as you would reconcile a checking account at the end of each month. In addition, your online storefront should be designed for security. Your e-commerce platform should serve every page over HTTPS with a valid TLS certificate (often still called an SSL certificate), hand card payments to a PCI DSS compliant payment gateway so card data never touches your own servers, and protect both customer logins and the store’s administrative console with strong authentication.
Ultimately, data security should not be just a check on your operational to do list, but a core element of your company’s business strategy.
What is your company doing to protect your data? Let us know on Twitter @DHLUS.