Having information about clients and customers is important, but ensuring that private information remains secure might be just as vital to the health of a small business. That’s according to data professionals and others who are marking this year’s Data Privacy Day on January 28.
Many small businesses are not well prepared for the tricks that hackers use to extract data from their information systems or to deal with the fallout from such an occurrence, according to Bindu Sundaresan, a senior security professional for AT&T.
“They feel like ‘Who’s going to come after me?’ Small businesses don’t want to spend their whole IT budget on cyber security,” Sundaresan said.
In reality, small businesses can offer a more attractive target for hackers than larger companies because they don’t invest as many resources in cyber security, she said. That can be especially true for small businesses that are third-party providers for larger companies.
For example, the hackers who obtained credit and debit card information from 40 million Target customers during the 2013 Christmas shopping season reportedly gained access to the national retailer’s systems by targeting a smaller business first. Target’s system was compromised using the network credentials of a Pennsylvania contractor who supplies and maintains refrigerating, heating and air conditioning systems for the company.
It is important for small businesses and their employees to be mindful of what kind of sensitive information they have that a hacker might want, Sundaresan said.
“I find that most small businesses don’t understand the impact of a cyber security breach outside of their business. They’re basically a pawn in a larger game,” she said.
“Think about the importance of this data and what could happen if the hacker got his or her hands on it and how is that going to affect your overall business model,” Sundaresan added.
Providing better data security doesn’t have to break the budget. A small business can have “the basics in terms of security” for as little as $15 a month.
“Respecting privacy, safeguarding data and enabling trust” is the theme of this year’s Data Privacy Day, which is held every year to build awareness about the importance of privacy and protecting information.
It is the signature project of the National Cyber Security Alliance. First celebrated in the United States in 2008, it marks the anniversary of the 1981 signing of Convention 108. The document became the first legally binding international treaty dealing with privacy and data protection.
Data Protection Tips for Data Privacy Day 2017
Here are some suggestions for securing your systems and keeping the information of customers and clients private:
1. If you collect it, protect it. Follow reasonable security measures to ensure that customers’ and employees’ personal information is protected from inappropriate and unauthorized access.
2. Have a strong privacy policy. Customers need to know that you are protecting their information. Make sure you have a policy they can refer to explaining how you are keeping personal information safe. Make sure you are straightforward with customers about the consumer data you collect and what you do with it. Being honest with them will help you build consumer trust and show you value their data and are working to protect it.
3. Know what you are protecting. Be aware of all the personal information you have, where you are storing it, how you are using it and who has access to it. Understand the kind of assets you have and why a hacker might pursue them. “You cannot protect what you don’t know about,” Sundaresan said.
4. Don’t underestimate the threat. In one survey conducted by the Alliance, 85 percent of small business owners believe larger enterprises are more targeted than they are. In reality, there have been cases where small businesses have lost hundreds of thousands of dollars to cybercriminals.
5. Don’t collect what you don’t need. The more valuable information you have, the bigger a target you might be. Avoid using social security numbers or other personal information for customer identification. Opt instead for login identification and passwords. More layers of identification help keep attackers from being able to impersonate users. Consider deleting personal information that you don’t really need.
6. Keep a clean machine. Having the latest security software, web browser and operating system is the best defense against viruses, malware and other online threats. Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
7. Use multiple layers of security. Spam filters will weed out malware and phishing scams — many of which are aimed directly at businesses — keeping your email safer and easier to use. Employ a firewall to keep criminals out and sensitive data in.
8. Scan all new devices. Be sure to scan all USB and other devices before they are attached to your network.
9. Educate employees. Employees are often the handlers of customer data. They therefore need to be kept up-to-date on how to protect that information to make sure it does not accidentally land in the wrong hands. They should be educated about the newest fraud schemes and urged to employ best practices such as not responding to unsolicited email messages, not opening their attachments and not clicking suspicious links in them.
10. Protect against mobile device risks. Smartphones, tablets and laptops can add to employee flexibility and productivity, but they can also be repositories of sensitive information, which, if lost, can harm your customers and your business. Impress upon employees and other partners the importance of keeping these devices secure from loss or theft. At the same time, stress that not reporting such an incident, if it happens, is worse.
For more information, the Alliance and the U.S. Small Business Administration Small Business Technology Coalition have compiled numerous tips.