As large retailers and brands find their names splashed across headlines for data breaches and cyber security fails, many small-to-medium size businesses (SMBs) owners may be left with the false sense that their companies are too small to be victim of a breach. Not true.
All businesses must be prepared to face a data breach; however, the consequences of a data breach can be even more disastrous for a small business.
Any business that collects customer data, such as dates of birth, social security numbers, or processes credit card payments is subject to cyber attacks and data breach losses.
Each year an estimated 92% of holiday shoppers will go online to either research or purchase gifts this season. As we head toward the holiday shopping season, here are some mistakes you'll want to avoid to protect your business and your customers.
Collect only the information you need.
Collect only the information that is absolutely necessary to service your customers. For example, if age-verification isn’t required and you don’t plan to send out specials or discounts on customer birthdays, then don’t require it in order for a purchase to be made.
Only retain information for as long as absolutely necessary to conduct business or to satisfy minimum liability protection.
Using encryption technology is another way to really safeguard customer information. Invest in the latest encryption software and keep it updated. It’s also wise to encrypt your email if you’re sending/receiving sensitive data.
Control access to data sensibly.
Limit administrative access to sensitive data. Limiting the number of employees with system-wide access reduces your exposure to data loss. Performing a root cause analysis also becomes easier in the event of data loss or breach.
Verify PCI compliance.
If your business runs any form of e-commerce or handles credit card transactions online, be sure that the way you’re storing, processing and transmitting cardholder information is compliant with Payment Card Industry Data Security Standards (PCI DSS). By implementing the basics of PCI compliance, customers can feel safe knowing that their personal information is being handled securely.
Require secure passwords and two-factor authentication.
Insist on unique passwords that are complex but not complicated. Avoid using the same password for every platform or application – this includes minor variations on a password like ‘Password2015’ for ‘Password20!5’.
Store passwords securely and avoid automatic log-ins. It may be more convenient, but should your computer is ever hacked or compromised, this makes all of your information more vulnerable.
Consider using two-factor authentication – like a mobile SMS notification with multi-digit pin number – to help protect against unauthorized access.
Change your passwords every six months or more. This will keep your system(s) more secure and prevent them from being forgotten.
Guard against brute force attacks – attacks by typing endless combinations of characters – by limiting the number of login attempts allowed.
Store sensitive personal information securely throughout the business lifecycle.
Examine every stage of your data process from your website, to your physical location, to your email, and determine if there are any gaps in security, authentication, or configuration.
Segment your network and monitor who’s trying to get in and out.
When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity.
Use a secure network and limit remote access.
Invest in a secure, dedicated server used only by your business and your employees. While it may be cheaper upfront to share your server, by using a secure network you significantly lower the risk of leaving your customers’ information open to hacking.
With the increasing popularity of remote working and the mobile workforce, your risk of a data breach also increases.
If you give employees, clients, or service-providers remote access to your network, make sure those access points are secured.
Back up your all of your data.
By having backups of everything, you won’t be devastated by “ransomware,” a type of malware that blocks access to your data until you pay a ransom.
Having backups of everything will also protect against one of the most common breaches that can occur – lost or stolen laptops, tablets, and storage devices. If you provide this equipment to your employees, have a secure data backup and emergency plan in place.
Offer cybersecurity awareness training for employees
If employees don’t know how to recognize a security threat, how can they be expected to avoid it, report it or remove it? They can’t.
According to a recent survey, more than 30% of employees didn't even know what phishing or malware was. Employees, not technology, are the most common entry points for phishers.
Your employees need online cybersecurity training to protect themselves and the company against cyber attacks. By making employees aware of security threats, how they might present, and what procedures to follow when a threat is identified, you’re strengthening the most vulnerable links in the chain.
When hiring new staff, you should apply sound security practices when training new employees or implementing new procedures. It’s tempting to use real customer data or information but a more secure method would be to develop a training course or process that obscures and substitutes those real scenarios with representative data.
Make sure your service providers implement reasonable security measures.
If you use a 3rd party provider for any stage of your business, make sure you have an updated copy of their policies and procedures for data security and more importantly, their liabilities in the event of a data breach or data loss.
Verify their security compliance wherever possible – don’t just take their word on it.
Consult with your independent Trusted Choice agent to cover any potential gaps between your liability and the liability of your service providers.
Keep your security current and address vulnerabilities as they arise.
Update and patch third-party software or applications on a regular basis.
When you fail to update or install security patches, you are leaving your website, application, or system open to vulnerabilities that a hacker will not hesitate to exploit.
If you can’t retain a 3rd party security firm, schedule time each month to review the release notes and change-logs for your critical business applications or website platforms.
Remember, a hacker’s best tool is the lazy, uninformed business owner.
Upgrade and secure paper, physical media, and devices.
If you operate a point of sale system or accept credit cards in-store, make sure you’ve upgraded to the new EMV technology or ‘Chip Cards’.
Prior to October 2015, banks would absorb the cost if a business owner ran a fraudulent card. Now if someone pays with a fraudulent chip card, and you’re not set up with an EMV card reader, the banks will no longer be liable.
If you physically store customer information, ensure the area is secure from a physical break-in and safeguarded against fire and water damage.
When sending files, drives, disks, etc., use a mailing or transportation method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible.
Dispose of sensitive data securely.
There are many eco-friendly document and equipment disposal companies that will shred, burn, or pulverize documents and wipe devices that are no longer needed.
These tips are a great start to begin reducing your risks, but the truth is that no system is completely secure –
It’s not a question of if, but when a cyber attack or data breach will occur.
Cyber security and data protection is an on-going measure.
None of the prior suggestions on this list matter if you just sit on your hands and hope for the best. Every business with a web presence, especially e-commerce based brands, needs to continually put itself through the ringers when it comes to ensuring its security is failsafe.
Consider bringing in ethical hackers or cybersecurity experts/firms that can root out any issues they find when examining your setup. They’re invaluable resources when it comes to finding and snuffing out coding bugs or unresolved backdoors in your systems. Run daily virus and malware scans on your work machines and encourage a culture of security and carefulness within your organization. A dam is only as good as the engineers maintaining it. Make sure you don’t miss any cracks in its foundation.
To offer a final cyber security mistake, thinking your business doesn’t need or can’t afford cyber liability coverage and data loss protection is the primary mistake.
It’s affordable and with a variety of coverage limits to meet your needs, we can provide:
- First-Party Privacy Breach Expense
- Third-Party Cyber Liability
- Regulatory Proceeding Claim Expense
- Optional First-Party Business Interruption
In addition, we offer value-added proactive services to help minimize the occurrence of a data breach and post-breach services to provide expert assistance if one occurs.
- Data Breach counseling
- Crisis management
- Notification assistance
- Remediation planning
- Evidentiary support
- Online resources for proactive data breach risk assessment and planning
All businesses are at risk, but small- to mid-sized businesses are the most vulnerable to cyber security breaches and data loss. The Ross Maghan Agency, a Trusted Choice Independent Agent, can help you find the best coverage for your cyber liability coverage and data loss protection.
Call (732) 566-0003 today or visit us online at www.maghanco.com.