Last year, there were 2,164 separate breach incidents in the US which exposed over 822 million records. We are always looking to stay up on all technology and processes that help protect ourselves from a breach, yet it can be disconcerting to keep watching the biggest and most trusted businesses and organizations fall to data breaches, like Home Depot, Adobe, New York Times, Facebook, Sony, Pinterest, the Washington State Court System… And of course, the infamous Target breach, just to name a few of the high-profile breaches. Small businesses are at an even higher risk, due in part to (often) limited resources for IT and security measures. Yet huge corporations with sophisticated security measures are constantly losing to hackers. Clearly, data breaches are becoming inevitable.
So, what do we do about it? Forbes has a few potent suggestions for small businesses that we would like to share. First, they say to not be daunted by the lack of expensive technology that big companies have access to. Then, follow these three steps: Minimize, Monitor, and Manage.
1) Minimize your risk of exposure
(This is perhaps the most obvious of the three.) Be proactive about your security, regardless of your business type, budget, or size (even you, sole proprietors). Hire an IT tech. This is not a waste of money.
- Train your employees. They may not know the importance of not leaving unsecured devices or files unattended, and your employees should be instructed on identifying phishing emails. They also should not check personal accounts using company computers.
- Limit access to systems and databases to only those who need it. Assign discrete passwords and never allow the same password to be used on multiple systems.
- Employ two-factor authentication and train your employees to use it.
- Use a separate computer for financial systems, banking and payroll.
- Establish security protocols for any and all devices you or your employees bring in to work, like smartphones, tablets, laptops, etc.
- Be sure to have the appropriate physical security.
- Make it a requirement to completely destroy old documents or computers.
- Set up outside security reviews, and find out if you’re as safe as you think you are.
2) Monitor your security
So, the system you set up last year is still up and running? That does not make it reliable this year!
- Hire a trustworthy firm to do penetration testing of your network. If an unauthorized user can gain access, fix it immediately.
- Set up (or have your IT guy set up) automatic email/text alerts for any unusual activity on your networks.
- Keep an eye on your employees – designate a compliance officer to be sure they are following your security policies.
- As a part of your procedures, install all security updates (for software and OS) in a timely fashion on all devices.
- Scrutinize and vet your vendors as you do your own employees.
3) Manage the Damage
Planning on being breached does not mean you’re planning on being irresponsible with your security. Rather, having a plan means you’re responsible enough to realize that anyone can, and probably will, be breached at some point. You will minimize the risk with the above procedures, but if you want to keep your business out of hot water you also need a swift, honest, and transparent response. You don’t want to lose your customers, but any data breach will deteriorate trust and it’s up to you to earn it back. Much depends on the thought-out message of urgency and empathy you extend to your clients, customers, or employees.
- Contact your insurance carrier and find out if you are covered by cyber liability coverage. If you already are, that’s great. If not, get some more information and get covered.
- Does the aforementioned coverage cover ALL the costs of a data breach, like notifying the victims about their exposed data? (see below) Find out how and to what extent the plan will help your business recover.
- Find out what deadlines and reporting requirements are mandated after a breach to maintain your coverage.
- Figure out your post-breach media: designate either an employee to represent your company on email/social media and manage phone calls, or determine a company to outsource to.
- Determine the extent of credit monitoring or other services you will offer to those affected by the breach. You need a person or company to either help the victims through reporting and resolution or take over reporting for them.
There is lots of information available to help educate small businesses; be sure to take a closer look at Forbes’ article, and if you find more helpful info from reputable sources, let us know! We can always give references to companies who can help you develop your own system and plan of action.