If your company suffered a data breach in 2015, well, at least you were in good company. Hackers plundered a veritable Hall of Fame last year, gleaning customer data from retail giants including CVS, Costco, Home Depot, and TJMaxx; looting photos and videos of children from toymaker VTech; dropping the dime on CIA Director John Brennan’s private email account; and of course, airing the dirty laundry of more than 37 million Americans in the salacious Ashley Madison incident. “What’s this got to do with me,” you’re saying. “As a small business, I’m under the radar.” Bad news: The attacks Big Business has to fend off also play in Peoria, as the Small Business Committee of the US House of Representatives reports that 71% of cyber attacks occur at businesses with fewer than 100 employees. The good news: Being secure starts with being informed. Read on.
What to Look For
It’s often said that a good offense begins with a good defense, but the key to a good defense is knowing what’s coming. The three major classes of security threats businesses will face in 2016 are extortion hacks, attacks that change or manipulate data, and bot attacks.
Extortion hacks occur when a hacker gains access to and control over your data, and either denies access, or threatens to release it in an unflattering or dangerous manner, unless a certain price is paid. This could be credit card or other customer financial data, but it could also be information such as trade secrets, proprietary data, and the like. Ransomware, a type of malware that locks a computer or a network, rendering the data unusable until a ransom is paid, also falls under this category.
Attacks that change or manipulate data occur when a hacker accesses your records and surreptitiously alters the information either for financial gain or simply as a nuisance. This type of hack is perhaps even more insidious than direct theft, because it’s much harder to detect.
A malicious bot is self-propagating malware designed to infect a computer or network and connect back to a central server. Bots can log keystrokes, gather passwords and financial information, and capture and analyze data.
Thankfully, there are many ways you can prepare to put down a potential attack. Plus, you don’t necessarily need a high-dollar IT staff to accomplish a great deal: In some cases, applying some good old fashioned common sense may be your best weapon.
The Defensive Dozen: 12 Top Tips to Secure Your Company’s Data
First, identify the data that’s most important to your business and focus on protecting it. Determine what presents the biggest risk – financially, legally, or operationally – and take the steps to protect it wherever it resides.
Install effective virus and malware protection across your company. Kaspersky and Trend Micro, for example, offer affordable business versions of their antivirus solutions, which also control against far more common attacks, including ransomware, data- stealing Trojans, and bots.
Get serious about your passwords. Password security is the critical common- sense step that is most often for granted. SplashData, a provider of password management technology, reported in the closing days of 2015 that, overall, password habits continue to be lax – the top five passwords remain “123456,” “password,” “12345678,” “qwerty,” and “12345.” Instead of these, choose passwords of 12 characters or more with mixed character types (include symbols like “#,” “^” or “!” in your password); avoid using the same password over and over across your network and online; and consider using a password manager to organize and protect passwords, generate random passwords, and automatically change passwords periodically.
Create data protection policies. Set out protocols for how data is collected and stored – both any customer data that you maintain and employee data. Then, make sure everyone in your organization – including any outsourced providers – is aware of the policies you’ve specified and complies with them. Whether five or 5,000, your employees are your first line of defense.
Have an incident response plan and practice it. In the event you uncover a data breach, it’s much more effective to respond from a place of preparedness. Forbes’ Frank Sorrentino notes, “Just like a fire drill, having a plan of action for responding to a cyber incident is crucial. Even more important, it should be practiced so that all your employees know exactly what to do in the event of a breach. In an environment where hackers are often one step ahead, a collective accountability can be our first line of defense.”
Secure document workflows. Are you emailing Word or Excel documents back and forth? Your data is only ever as secure as the documents it’s contained within, whether it’s text or numerical data. PDF files can be a particularly secure way of storing and sharing documents as they can be encrypted and password-protected to prevent unauthorized access, copying and printing. Secure your print network and practices. Speaking of printing, don’t forget that the company printer is often also connected to the Internet and thus is vulnerable to compromise. Your printer is particularly in need of attention if it’s an all-in-one machine, which you may be using to scan and/or fax documents.
Beware of potential data leaks through the Internet of Things. If you’re a gadget guru, you may enjoy tricking out your office with Internet-enabled devices, but they can tell on you as well: For example, many security cameras transmit video over unencrypted FTP. Be aware of the pathways for data that such devices create and ensure that you take appropriate precautions (i.e., do not post an enabled video device directly over your credit card machine). Select service providers carefully. Of course, you vet the people who assist you with running your shop, but take time to consider the apps that help your business along, too. “Small businesses should avoid using consumer-grade tools or tools with inadequate security,” says Drew Robb of Small Business Computing. “Many small businesses use products like Dropbox for storage or Gmail for email – dig a little deeper to understand what you’re getting in terms of security, especially if you have a small company. A data breach could put you out of business.”
Repeat. Data security isn’t a one-shot deal: It’s an ongoing process. Continually maintain vigilance over your data, how it’s stored and how it’s transmitted, and you’ll be one step ahead of the game.