It sometimes feels like a day doesn’t go by without another big data breach hitting the headlines. In the past few years major companies like Target, Home Depot, Sony and Yahoo, along with their customers, have experienced the challenges that occur when customer account information is compromised as a result of a data breach. Hopefully these stories haven’t instilled an attitude of fear, but instead created a sense of awareness on how vulnerable technology systems can be, how important it is to keep your data secure, and how you can take an active role in this endeavor.
Your first reaction may be to assume that your business is too small to be a target, or that the “IT gurus” at your company have it under control. The truth is, no matter how large or small your company is or how much information you collect or store, there is always risk. In addition, every employee plays a critical role in data security, not just the information technology department.
DEFINING THE RISK
From credit card numbers jotted on a piece of paper to emails with your customer list attached, there are plenty of opportunities for data to be at risk. When considering what data to secure, most companies think first about credit cards. Breaches in this area have costly fines associated with them and are the most newsworthy. If you do accept cards, you want to be sure to follow PCI Compliance Guidelines; more information is available at pcisecuritystandards.org.
Even if you don’t accept credit cards, check acceptance is still vulnerable to a form of hacking called social engineering. These hackers are individuals who work outside of systems to obtain secure information. Beyond financial data, other types of data are at risk including customer names and addresses, purchasing and shipping history. All of these data elements are some of your company’s highest valued assets and need protection, no matter the business size.
BUILDING A CULTURE OF SECURITY AWARENESS
With all this data hidden in systems and processes, you may be wondering how you can make an impact. Your first step is to determine the types of policies and education needed for your environment. Larger companies typically need to implement policies whereas small businesses may simply need education on the areas of concern. The Ponemon Institute, an independent research group on privacy, data protection and information security policy, confirms that training and awareness programs reduce data breach costs. Since data security can be a broad subject, focus on the following four key areas of awareness and development:
1. POLICY: Establish an acceptable use policy to protect company-owned equipment from being breached and misused. Additionally, if you allow employees to utilize their own devices including computers, phones and tablets, a Bring-Your-Own-Device (BYOD) policy is a must to ensure employees don’t unknowingly put data at risk.
2. PASSWORDS: Follow good password practices. Password hacking is a common problem, but also the easiest to fix. Strong passwords contain at least 12 characters and include a variety of text, numbers, and special characters. They should never contain personal information such as birth dates or a child’s name. Passwords should be updated at least every 90 days and be completely private to you. This means passwords should not be shared among systems, with others or written down.
3. SECURITY: Another easy solution is to lock all devices when you are away from them including cell phones, laptops and desktop computers. Having a strong password does not help if the device is not locked.
4. EDUCATION: Finally, educate employees on how to avoid phishing scams. Phishing scams are attempts by scammers to trick individuals into giving out personal information such as bank account numbers, passwords and credit card numbers. Be wary of emails from unfamiliar individuals that contain a strong sense of urgency or poor spelling and bad grammar. Employees should know not to open suspicious links in email, tweets, posts, online ads, messages or attachments, especially if they don’t recognize the sender as they can carry harmful viruses.
The National Cyber Security Alliance website, staysafeonline.org/business-safe-online, contains a variety of helpful resources on these and other topics.
IMPLEMENTING SECURITY CONTROLS
There are also technical safeguards that any company should take advantage of to guard sensitive data and, with advances in technology over the past decade, these aren’t overly complicated.
The first line of defense is always to stop things before they happen. These solutions include using a recognized anti-virus software package that includes frequent updates. Another guard that no business should be without is a firewall. Firewalls come in many varieties including both hardware and software solutions. Free and low-cost solutions exist for anti-virus and firewalls; however, this is not a place to look for a bargain – it’s the guard at the door.
Also recommended is a schedule for updating hardware and software. Each company has different needs, so no perfect timetable exists for this. At a minimum, update both hardware and software before they are no longer supported by the manufacturer. Also, apply security updates to all software regularly so your organization is safeguarded from known issues and compliance is maintained.
A well-thought-out backup system is your final protection and possible remedy to some of the challenges if your systems or data become compromised by theft or virus. In addition to a backup strategy, an incident response plan is a must. This plan details the individuals in the company responsible for each of the systems, processes and approvals necessary to respond to any incident. For small-business owners, this would simply be determining who to call in case of emergency whether that is an insurance agent, legal counsel, or a local information technology firm.
WHAT NOW?
These points are the background for larger conversations with experts. Solutions should be tailored for each business. Since hackers do not discriminate, it is important for businesses of all sizes to discuss possible liabilities and risk tolerance with an insurance agent. Determine what policies and training to consider first.
Collaborate with information technology professionals inside your company or, for small-business owners, a local information technology firm to determine improvements. Topics should include security controls, disaster recovery, business continuity and incident response plans.
Most importantly, understand that these conversations are important to have. Just like you can’t put the toothpaste back in the tube, once your data is released, the consequences can be devastating for your business. With proper training for prevention, employing a proactive mentality and making knowledgeable investments, risk can be significantly reduced.
Jodi O’Toole is Director of IT and Web Development at the National Wood Flooring Association in St. Louis. She can be reached at jodi.otoole@nwfa.org.