It seems like every day in the news; another data breach is reported where millions of records are lost. In the past year alone, the following major data breaches occurred:
Target – Lost 40 million credit and debit cards, along with 70 million customer records, including name, address, email address and phone number.
Home Depot – 56 million debit and credit cards stolen and 53 million email addresses.
eBay – 145 million active users’ data at risk.
JP Morgan Chase – 76 million households and 7 million small businesses.
Community Health Systems – 4.5 million patients.
Goodwill/ C&K Systems– 868,000 cards at 300 stores.
Although large companies make the headlines and grab our attention, small businesses are also targets for cyber-attacks. In 2013, Symantec reported that 31% of all targeted attacks were directed at businesses with less than 250 employees. See Symantec 2013 Internet Security Threat Report. This finding was echoed by a study conducted by the Ponemon Institute, which found that 55% of small businesses in the U.S. have had a data breach.
Despite this, a majority of small businesses do little to protect themselves from a cyber-attack or protect the sensitive information of their customers and employees. This inattentiveness is extraordinarily risky. The average cost for a data breach in 2014 is $201 per record and the probability of a business having a data breach over the next 2 years with more than 10,000 records is nearly 19%. See Ponemon Institute, 2014 Cost of Data Breach Study, at 1-3.
These numbers should terrify every small business owner. But there are 7 cost-effective basic steps that a small business can take to decrease the likelihood of a data breach:
1) Identify: The business should first identify all types of personal and confidential information (“Personal Information”) collected, possessed and used by the business. Personal Information can include: names & addresses, financial account numbers, social security numbers, e-mail addresses, license numbers, health care information, video rental records, and anything else that can allow the business to identify a specific individual or company.
2) Locate: Next, the business should determine where the Personal Information is located and stored and where it comes from. Locations can include workplace files, computers, mobile devices, websites, networks, and many other places. Employees and owners should be questioned about all of the places where they store Personal Information, since they might have data on their home computers and personal mobile devices.
3) Evaluate Risks: The business should then identify and evaluate all potential risks to the security, confidentiality and integrity of the Personal Information in the business. Risks come in all shapes and sizes and can include natural disasters, cyber-attacks, theft, use of mobile devices & laptops, negligent employees, accepting credit cards, and many, many others.
4) Implement safeguards: After evaluating the potential risks, the business needs to implement reasonable safeguards to mitigate these risks. Safeguards come in three different forms: Physical, Administrative, & Technical.
Physical Safeguards: These are the physical protections, rules, and procedures a business takes to secure Personal Information from physical threats such as natural disasters and unauthorized intrusions. Depending on the business, these safeguards can include: Offsite secure storage, Locked doors and file cabinets, fences, security guards, cameras, passwords, ID cards and other authentication measures for computer/facility access, regular automated backups, and many other possible preventative measures that can be taken.
Administrative Safeguards: These are the management measures, policies, and procedures that an organization puts in place to protect Personal Information. These measures should include:
• Written Information security policy
• Incident response plan
• Internet usage policy
• Social media policy
• Mobile phone policy
• Bring your own device policy
• Specific limitations on employees’ access to information
• Rigorous protections and oversights in third-party vendor contracts
• Employee background checks
• Employment contracts with confidentiality clauses and restrictive covenants, and
• Others depending on the nature of the business.
Technical Safeguards: These are technological measures implemented by an organization to manage and protect Personal Information. These measures should include:
• Keeping hardware, operating system software and apps up to date;
• Using and updating antivirus and antispyware on all computers and devices;
• Using firewalls and virtual private networks to secure sensitive information; and
• Requiring strong passwords with quarterly changes.
Depending on the size and complexity of the organization, and the size of the information security budget, there are many more advanced protections that can be implemented. But the foregoing is the bare minimum that should be done by every business to help protect the organization.
5) Train Employees: This point cannot be emphasized enough. Businesses should regularly train employees on the proper way to collect, use and store personal information. Employees also need to be trained about the nature of today’s cyber-attacks and the best way to protect themselves and the organization. Cyber-attacks usually begin when an individual opens a “phishing” email message with an attachment that contains malware that infiltrates your network. To stop this, a business should employ a spam filter that will try to catch phishing e-mails and other junk. But even the best spam filters are not always successful. Employees need to be vigilant and trained not to open anything that seems even remotely unusual. One isolated training session is not enough, and a business should regularly hold training sessions to emphasize the importance of privacy and information security.
6) Destroy: Any personal information that is no longer being used by the business should be destroyed. Paper documents and paper files should be shredded, pulverized, macerated, or burned. If you hire a company to do this, make sure that the vendor has a good reputation, there are sufficient contractual protections to safeguard the data, and that you understand the vendor’s destruction and disposal practices. Do not just throw your unshredded sensitive paper documents in the dumpster near your business.
Computers and other electronic storage devices and the information stored on them are a little more difficult to destroy. Merely deleting the information is not enough, and steps need to be taken to overwrite or physically destroy the electronic device and computer. Different electronic devices need to be wiped clean in different ways. If you want to do it yourself, there is plenty of information on the internet about this process. See, e.g. https://www.us-cert.gov/security-publications/Disposing-Devices-Safely; http://it.med.miami.edu/x677.xml; https://www.privacyrights.org/personal-data-retention-and-destruction-plan#destruction. If you want to hire a vendor, make sure that they have a good reputation, there are sufficient contractual protections to safeguard the privacy of the data, and that you understand how the device is going to be wiped or destroyed.
7) Monitor and Repeat: After completing the prior steps, you should continuously monitor your systems, networks, and business to make sure that the safeguards are working. If the there are problems, or your business needs change, you may need to revise or implement the security practices that were put in place. This is an ongoing process and cyber-threats are continuously evolving. You need to be vigilant in order to have the best chance of preventing a data breach.
Following these steps will not guarantee that your small business won’t have a data breach. But they are cost-effective and should decrease the likelihood of a data breach. Your business will also be in a better position to determine whether more expensive protections are needed.
Thanks for reading! I would love to hear if you have other suggestions or there is something else your business is doing to protect itself from a data breach.