Now that we’ve shared some of the most common cybersecurity misconceptions and frightened you with our list of data breach recovery tips, it’s time to present you with a few ways to protect your business with our 7 data breach prevention tips.
As we’ve said before, with hacking and cyberattacks on the rise worldwide, cybersecurity for small businesses has become more important than ever. Because protecting your clients’ data, as well as your own, is your responsibility (legally and ethically), a breach can literally cost you your business.
Once again, we rely on the Federal Trade Commission (FTC) to guide you on the types of information needed to secure your data, and how to do it best. You can download their free PDF, Protecting Personal Information: A Guide for Business, here.
While the PDF is a detailed, step-by-step guide to help you prevent a data breach, we will be taking more of a big picture perspective as we examine the fundamentals of cybersecurity for small businesses.
Fundamentals of Cybersecurity for Your Business
Whether you do business online or simply store your customers’ data in your network or the cloud, the information you keep is highly sensitive. It’s also valuable to you and your customers.
The average business today, of every size, gathers and uses an amazing assortment of important information. From personal data on employment applications to network files with customers’ credit card numbers; from other company information to names and contact information of customers, that data is critical to your success. If that data is exposed to attack, the fallout could, quite literally, kill your business.
This is why protecting the sensitive data you need to conduct business simply must be a priority for you and everyone in your company. From the owner to the lowest level employee, anyone who has access to your network must be trained on how to protect the data you collect.
According to the FTC, these should be your priorities for collecting and using data:
- It’s called personal information for a reason. Don’t ask for more than you need – Think about it: No one can steal what you don’t have. When does your company ask people for sensitive information? Perhaps when they’re registering online or setting up a new account. When was the last time you looked at that process to make sure your business really needs everything you ask your clients for? For example, you may need to ask for a customer’s email address but you never need to ask them to provide you with their login information. The FTC has prosecuted companies for such behavior and you certainly don’t want that.
- You won’t need their information forever, so don’t keep it forever – Obviously, there are times when it will be necessary to collect personal data as part of a transaction. For example, you may ask for your client’s credit card number, expiration date, and three-digit verification code. But once the deal is done, it may be unwise to keep it. And, doing so could put you at risk. You can easily reduce your risk by securely disposing of the financial information once you no longer have a legitimate need for it. Things like monthly subscription services require the use and secure storage of personal data but, for single transactions or those that may be repeated but irregularly, the information should be purged – securely.
- Not every team member needs unrestricted access to sensitive data – No matter how large or small your team might be, you’ll have staff who don’t need to use personal information to do their jobs. You should restrict access based on necessity and, to protect yourself and your clients, ensure that only authorized staff with a legitimate business need are given access to people’s personal information. This includes administrative access to your system and/or network. Very few people should be granted such access.
- No more birthdays or 123456 passwords allowed – If you have personal information stored on your network, strong authentication procedures – including what is known as sensible password “hygiene” – can help ensure that only authorized individuals can access your most valuable data. Insisting on complex and unique passwords for everyone in your network will go a very long way toward keeping high-value data secure.
According to the FTC, lax password practices and poor password storage can leave your system vulnerable to hackers who use password-guessing tools, or who try passwords stolen from other services in the hope that your team members reused the same password to access the company’s system. This password policy must be a priority for your breach prevention program. (You know, the one you’re going to implement tomorrow!)
- Build a wall against brute force attacks and authentication bypass tactics – Brute force attacks work by using automated programs that try endless combinations of characters until the attacker lucks into someone’s password. You can stop this by suspending or disabling user credentials after a certain number of unsuccessful login attempts. You must also test your system for security flaws that might allow hackers to easily predict patterns and manipulate URLs to bypass the web app’s authentication screen, thereby gaining unauthorized access to your company’s databases. You can improve the security of your authentication mechanism in two ways: by testing for common system vulnerabilities and by implementing two-factor authentication for access.
- Keep sensitive information secure throughout its (limited) lifecycle – These days, storing sensitive data is a business necessity. Then again, even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information your business collects, how you collect it, and how you process it. Always remember that, by law, protecting sensitive client information is your responsibility, not to mention an ethical imperative.
- Partition your system and track those who use it – There will likely be parts of your network that everyone will need to access. There will also be areas that some staff have no need to use, or even to see. In other words, not every computer in your system needs to be able to communicate with every other one. You can help protect particularly sensitive data by housing it in a separate, secured place on your network.
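Tip 2 above says to purge financial details once the deal is done but keep them for subscriptions. Here is what that policy looks like as a scheduled retention sweep. This is an added example written for this post, not code from the FTC guide or from VBP; the customer records, the 30-day dispute window and the field names are constructed sample values.

```python
"""Added example (not from the original post or the FTC guide): a retention
sweep that discards stored payment details once a one-off transaction has
settled, while keeping them for active recurring subscriptions.
All record values below are constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed policy: card data for a settled one-off sale is kept only for a
# short dispute window (hypothetical 30 days), never indefinitely.
DISPUTE_WINDOW = timedelta(days=30)


@dataclass
class CustomerRecord:
    customer_id: str
    email: str                     # needed to contact the customer: keep
    card_number: Optional[str]     # sensitive: purge when no longer needed
    card_expiry: Optional[str]
    card_cvv: Optional[str]        # never retained after the charge is authorised
    last_transaction: date
    recurring: bool                # active subscription = legitimate ongoing need


def needs_card_data(rec: CustomerRecord, today: date) -> bool:
    """Card data stays only for an active subscription or while a one-off
    sale is still inside the dispute window."""
    if rec.recurring:
        return True
    return today - rec.last_transaction <= DISPUTE_WINDOW


def purge_card_data(rec: CustomerRecord) -> CustomerRecord:
    """Blank the payment fields in place and return the record."""
    rec.card_number = None
    rec.card_expiry = None
    rec.card_cvv = None
    return rec


def retention_sweep(records: List[CustomerRecord], today: date) -> List[str]:
    """Apply the policy to every record. The CVV is always dropped; card
    number and expiry go only when no business need remains. Returns the
    ids of records whose card data was purged."""
    purged = []
    for rec in records:
        rec.card_cvv = None  # the verification code must not be stored at all
        if not needs_card_data(rec, today):
            purge_card_data(rec)
            purged.append(rec.customer_id)
    return purged


def sample_records() -> List[CustomerRecord]:
    """Constructed sample data: one subscriber, one recent sale, one old sale."""
    return [
        CustomerRecord("c1", "sub@example.com", "4111111111111111", "12/27", "123",
                       date(2024, 1, 15), recurring=True),
        CustomerRecord("c2", "new@example.com", "4222222222222222", "06/26", "456",
                       date(2024, 6, 20), recurring=False),
        CustomerRecord("c3", "old@example.com", "4333333333333333", "03/25", "789",
                       date(2024, 3, 1), recurring=False),
    ]


if __name__ == "__main__":
    recs = sample_records()
    print("purged:", retention_sweep(recs, date(2024, 6, 30)))
```

Blanking a field in memory is only the decision step; "securely" disposing of the data means the database row or backup copy is actually deleted or overwritten afterwards, and that the sweep runs on a schedule rather than when someone remembers.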
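Tips 4 and 5 above (no 123456 passwords, sound password storage, and lockout after repeated failures) fit together in one small login gate. The following is an added example written for this post, not code from the FTC or VBP: it rejects weak passwords at enrolment, stores only a salted PBKDF2 hash, and locks the account after five failed attempts. The user names, passwords, the five-attempt threshold and the short common-password list are constructed sample values.

```python
"""Added example, not code from the original post or the FTC: a minimal
login gate that (1) rejects weak passwords at enrolment, (2) stores only a
salted PBKDF2 hash, and (3) locks an account after repeated failures.
User names, passwords and thresholds are constructed sample values."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical policy values for illustration.
MAX_FAILED_ATTEMPTS = 5
MIN_LENGTH = 12
PBKDF2_ITERATIONS = 600_000
# A handful of entries standing in for a full breached-password list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "123456789"}


def password_problems(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    if password.isdigit() and len(password) in (6, 8):
        problems.append("looks like a date (DDMMYY / DDMMYYYY)")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class AuthStore:
    def __init__(self) -> None:
        self._accounts: Dict[str, Account] = {}

    def enrol(self, username: str, password: str) -> None:
        problems = password_problems(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt, digest = hash_password(password)
        self._accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'. Unknown users get the same
        'denied' answer so the response does not reveal which names exist."""
        acct = self._accounts.get(username)
        if acct is None:
            hash_password(password, b"\x00" * 16)  # same cost as a real check
            return "denied"
        if acct.locked:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failed_attempts = 0
            return "ok"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True  # tip 5: suspend after repeated failures
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = AuthStore()
    store.enrol("alice", "correct horse battery staple")
    for attempt in ["wrong"] * 5:
        print(store.login("alice", attempt))
```

Lockout is the one defence this block shows; the post’s second recommendation, two-factor authentication, sits on top of it and is what keeps a correctly guessed or reused password from being enough on its own. A locked account also needs an unlock path (time-based or via an administrator) so the lockout cannot be turned into a way of denying staff access.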
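Tip 7 above is easier to picture as an explicit allow-list between segments. The block below is an added example written for this post, not VBP’s or the FTC’s code: it models a small office network in which the customer database sits in its own segment and only the two segments with a business need can reach it, with everything else denied by default. The segment ranges, ports and rules are constructed sample values, and a real deployment would enforce the same table in a firewall or VLAN ACL rather than in Python.

```python
"""Added example, not part of the original post: a default-deny reachability
policy between network segments, the kind of table a firewall or VLAN ACL
enforces when sensitive data is housed in its own segment. Segment ranges
and rules are constructed sample values."""
import ipaddress
from typing import List, Optional, Tuple

# Hypothetical segments for a small office network.
SEGMENTS = {
    "workstations": ipaddress.ip_network("10.0.10.0/24"),
    "admin-jump":   ipaddress.ip_network("10.0.20.0/28"),
    "customer-db":  ipaddress.ip_network("10.0.30.0/28"),
    "web-frontend": ipaddress.ip_network("10.0.40.0/28"),
}

# Allow rules: (source segment, destination segment, destination port).
# Anything not listed is denied, so the database segment only accepts
# traffic from the two segments that have a business need to reach it.
ALLOW_RULES = {
    ("web-frontend", "customer-db", 5432),   # app tier reads customer records
    ("admin-jump",   "customer-db", 22),     # administrators via the jump host only
    ("admin-jump",   "web-frontend", 22),
    ("workstations", "web-frontend", 443),   # staff use the application, not the DB
    ("workstations", "admin-jump", 22),      # admins first hop to the jump host
}

Flow = Tuple[str, str, int]  # (source ip, destination ip, destination port)


def segment_of(ip: str) -> Optional[str]:
    """Name the segment an address belongs to, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Default deny: a flow passes only if an explicit rule covers it."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False          # addresses outside any known segment never pass
    if src == dst:
        return True           # traffic inside one segment is that segment's own business
    return (src, dst, dst_port) in ALLOW_RULES


def denied_flows(flows: List[Flow]) -> List[Flow]:
    """Return the flows the policy rejects, which is what the 'track those who
    use it' half of tip 7 wants written to a log and reviewed."""
    return [f for f in flows if not is_allowed(*f)]


def sample_flows() -> List[Flow]:
    """Constructed sample traffic: two legitimate flows and two that a
    segmented network should block."""
    return [
        ("10.0.40.5", "10.0.30.2", 5432),   # web tier to database: allowed
        ("10.0.10.7", "10.0.40.3", 443),    # staff workstation to web app: allowed
        ("10.0.10.7", "10.0.30.2", 5432),   # workstation straight to database: denied
        ("192.168.1.9", "10.0.30.2", 22),   # unknown address to database: denied
    ]


if __name__ == "__main__":
    for flow in denied_flows(sample_flows()):
        print("DENY", flow)
```

The point of writing the rules as a set rather than as a list of exceptions is that adding a new device or service changes nothing until someone deliberately grants it a path, which is exactly the "need to use it" test the tip describes.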
Nonplussed yet? Feeling a bit baffled, bewildered, or bemused? (Gotta love a good online thesaurus!)
Yes, it’s a lot to take in from a blog post but, as we said earlier, these are merely the fundamentals of cybersecurity for your business in the 21st Century. There is a heck of a lot more you can, and should, do than these 7 data breach prevention tips. So, grab that FREE PDF from the FTC and begin securing your systems and implementing new cybersecurity programs right away!
In the meantime, the VBP team is here to help you with more data breach recovery tips, and prevention. If you have questions for us about cybersecurity for small businesses and how you can protect yours, get in touch with VBP today.