“Data Breach” has become part of our vocabulary, where bugs are branded like companies with their own cool logos like the heartbleed bug. You’re right if you think this is a fairly recent development. Reports of the biggest data breaches recorded started in 2005. Much of this growth can be explained by a massive explosion of the data we generate and use.Consider these projections from a 2012 report by CSC:
- By 2020, over one-third of all data will live in or pass through the cloud.
- In 2020, data production is estimated to be 44 times greater than it was in 2009; experts estimate a 4,300 percent increase in annual data generation by 2020.
- While individuals are responsible for most data creation (70 percent), 80 percent of all data is stored by enterprises.
If your business isn’t a giant like Target or Home Depot (both data breach victims) you may think that you are will be overlooked in cyber attacks in favour of juicier targets. You may even think you have nothing worth stealing. The opposite is true. Small businesses make appealing targets because hackers know these companies are a bit more lax about security. In fact, small businesses fall into what’s been called hackers’ cybersecurity “sweet spot” : They have more digital assets to target than an individual consumer has, but less security than a larger enterprise.
So you don’t have a big budget or an IT department to tackle data breach vulnerabilities? Or you do have a budget and IT department but want to be sure to get the best protection for your money? We have put together the 10 commandments of the cheapest and easiest ways to protect your business from a data breach.
- Thou shalt not underestimate Human Error
Human error causes 52 percent of security breaches, according to a new study from CompTIA, The “IBM Security Services 2014 Cyber Security Intelligence Index”. Asked about the top examples of human error, 42 percent of those surveyed blamed “end user failure to follow policies and procedures,” another 42 percent mentioned “general carelessness,” 31 percent named “failure to get up to speed on new threats,” 29 percent described “lack of expertise with websites/applications,” and 26 percent cited “IT staff failure to follow policies and procedures.” Only 54 percent of those surveyed said that their company offers some form of security training. In fact, about half of respondents indicated that their company does not have a security policy, or that the organization is still working on a security policy.
- Thou Shalt not let your employees fall by the wayside
Training staff to be aware of the simple things they do that can make your business vulnerable is more important than any sophisticated. Day-to-day practices of an employee that they may not think twice about include opening suspicious emails or attachments, downloading onto company pcs, using weak passwords.
- Thou Shalt honour the assets of your company
You first have to know you are under attack. This is not as farfetched as it sounds. A Ponemon Institute survey reported that one-third of respondents admit they are not certain if a cyber-attack occurred in the past year. As a small or new company, you may think that you have nothing to protect. Not so, every business has a unique value in the marketplace – and for cyber criminals. Small businesses are attractive to cyber criminals because most do not pay attention to security, don’t allocate any budget to security and have few to no resources. Take the time to understand where the value is within your business and consider the proper protections.
- Thou Shalt not worship hardware
Today, you don’t need expensive servers and IT staff to protect your data. You can contract out your data security by placing everything in the cloud. Even if you do not run your accounts in the cloud, chances are you are already using cloud services such as Google Docs or Dropbox. Powerful, cloud-enabled “managed security as a service” solutions are available for a very low cost. Do make sure that your cloud vendors encrypt and fragment the data to keep it out of the hands of hackers. Check that they meet digital security requirements, such as PCI and HIPAA.
- Thou Shalt encrypt
Encrypt sensitive information. Encryption is the turning of data/information in the cloud into nonsense, with codes to turn the data back into something understandable. Non-authorised viewers see only strings of gobbledygook while authorised viewers see the clear text data. Even if encrypted information is breached, it will be unusable, and encryption technology is relatively cheap.
- Thou Shalt implement data practices
While cloud-based security solutions and encryption are very important, those tools get you nowhere if you are not implementing them correctly. Effective data and privacy practices must start from the top-down with clear internal policies for how sensitive data is handled and stored. Can employees send information via mobile devices? How are employee laptops protected so that information can’t be compromised if they are stolen? Often a data breach caused by an employee mistake, and good policies help prevent that – and cost you nothing.
- Thou Shalt keep business vendors in mind
An often overlooked concern is the cyber vulnerability of your business’s vendors. Credit card data of 40 million Target customers, 15,000 Boston Medical Center patients’ personal information, and payment card information of 868,000 Goodwill customers – all of this information was exposed as a result of data breaches not at the companies themselves, but at vendors with access to the company’s’ systems. When evaluating any new vendor, make sure to ask them some questions about their security profile. Is their software up to date and patched? Have they have ever been involved in a security breach? What’s their password procedures? A few awkward questions now may save you disaster down the road.
- Thou Shalt minimise the amount of data held
The more sensitive data held by your business, the greater the risk of breach. Businesses shouldn’t collect protected information from customers and employees unless truly necessary. This sensitive information should only be maintained as long as necessary and then destroyed.
- Thou Shalt purchase a firewall
Buy a firewall that sits between your business network and the Internet. It takes a little bit of configuration which can be clarified by the manual or online tutorials.
- Thou Shalt use two-factor authentication
Two-factor authentication provides a second layer of protection on top of the traditional username/password. Google, Microsoft, Facebook and Amazon have offered two-factor for a while. Users have to provide not just something they know, like a password, but also something they have. The extra thing may be a pin code, a fob, a phone or a fingerprint/voice print.