Protecting Your Business From a Data Breach
There's hardly an industry that doesn't use technology and the internet. Your customers provide you with personal information, like their names, telephone numbers, and even their credit card numbers. Storing customer data and banking details puts you in possession of sensitive and confidential information, and your customers need to feel safe doing business with you.
A data breach occurs when such sensitive information is taken and exposed to unauthorized people. Data breaches can have a devastating impact on a business's finances and reputation. A 2020 report from IBM and the Ponemon Institute showed the cost of a single data breach averaged a staggering $8.64 million in the U.S.¹
Data breaches occur for various reasons — including accidents — but modern attacks typically fall into two categories: data theft or ransomware. Both types of attacks are costly to recover from, and the size of your business does not make you less susceptible to being a victim.
There are some common vectors among both types of attacks, and most attacks can be attributed to one of the following:
- Out-of-date software, which leaves known vulnerabilities unpatched for attackers to exploit
- Weak or reused passwords
- Clicking on links that unintentionally download malware, also known as drive-by downloads
- Spam or phishing emails
How to Protect Your Business Against a Data Breach
Preventing a data breach should be a multi-faceted, ongoing endeavor that includes your entire company. When you develop a cybersecurity infrastructure for your business, there needs to be organization-wide adoption and enforcement of policies and procedures.
Improve Overall Security
Cybersecurity for a small business does not have to be complicated, but you need dedicated IT support — whether it's an employee, department, or external vendor — and the architecture should fit your business's needs. Here are a few best practices that every business should follow to protect themselves, their customers, and their data:
- Install software updates as soon as they're available. Protect sensitive information, computers, and networks from cyberattacks by installing the most current security software, operating system, and web browsers. This is one of your best defenses against malware, viruses, and other online threats.
- Set up a firewall for your internet connection and keep it updated. A firewall is a security system designed to prevent unauthorized access to your private network from the outside. If you have remote employees, ensure they can only access your private network through a secure VPN.
- Limit access to data and information — a security principle called Least Privilege. Sensitive data should only be available to employees who require access to perform their job duties. If your business has 40 employees but only four need access to all data systems, restricting access to those four reduces the number of accounts that could expose all of your data by 90%.
- Control physical access to computers. Create individual accounts and passwords for each employee and ensure screens are locked when not attended. Encrypt laptops and physically secure them when left unattended. Require strong passwords and implement two-factor authentication.
- Establish a secure WiFi network. Keep your WiFi network secure, encrypted, and hidden from public broadcast. Password-protect access to your router. If you have a retail space, set up a separate guest WiFi for your customers.
- Use best practices on payment processing systems. Do not process payments with the same computer you use to surf the internet. Ensure third-party vendors employ the most trusted, validated anti-fraud services.
- Regularly back up important business data. With ransomware attacks, hackers block your access to data. Set automatic backups, if possible, and keep regular backups available off the network, so they aren't exposed to ransomware.
According to Forbes Business Council, 95% of data breaches result from human error.² A cybersecurity plan cannot be successful if your employees aren't participating in best practices. Establish basic security policies and procedures for all employees and train them regularly. Here are a few areas to review with staff:
- Email behavior: Firewalls cannot protect you from all threats because many infiltrate your network through email. Clicking malicious links can install malware that infects a computer, possibly spreading to the rest of your network. Regularly review email threats with your employees, conduct test emails to check awareness, and implement external warnings on emails coming from outside the organization.
- Data protection: Establish rules for protecting customer data, restricting how sensitive information can — and cannot — be sent. Remind employees not to leave data on their screen when it's not needed and to lock their screen when leaving their workstation. Never leave printed records in plain view and secure them when unattended.
- Passwords: Require strong passwords and implement a regular password reset. Consider implementing multifactor authentication beyond the password for access to systems.
- Peripherals: USB drives are popular devices for transferring data from one computer to another. However, this also makes them appealing to cybercriminals. A drive containing malware plugged into a computer will infect that computer. Restrict use of USB drives or disable USB ports.
- Mobile devices: Mobile phones and tablets carry their own set of dangers. The simplest way to keep your network secure is to prohibit employees from plugging their mobile device into their computers or connecting to the company WiFi. Install mobile device security software on their personal devices if they have access to company information, like email.
Steps to Take if a Data Breach Occurs
Establish a data breach response plan for your business. If a data breach occurs despite your best efforts, you will need to act quickly. Though the response will vary from case to case, here are the basic steps you'll want to follow:
- Assess. Analyze which systems were impacted, who had access to the infected systems, and which networks were active when the breach occurred. Try to determine the severity of the breach by learning which information was targeted.
- Contain. Once you know which systems were impacted, mobilize a team for the response and secure systems and physical areas that may be related to the breach. Involve your IT team and any vendors whose software may be connected with the breach. Try to keep the breach from spreading to additional systems, but be aware that changing or powering off an affected system may destroy evidence needed later for prosecution or to aid recovery.
- Notify. Based on your incident response policies, laws, and regulations, notify applicable employees, law enforcement, vendors, and customers. Most states require customer and regulator notification with specific timelines. Consult with legal counsel to determine how to best communicate with the appropriate parties that a breach has occurred.
A data breach is costly in so many ways. It damages a business's reputation and costs time, money, and customers. Preventing a data breach is an ongoing endeavor. Hackers are continually looking for new ways to steal data, so your best chance at prevention is to keep your systems up to date, frequently reevaluate your security measures, and keep your employees trained. If you work proactively, you have the best chance of avoiding a breach and are in a better position if one occurs.