When a major corporation like Target or Neiman Marcus experiences a security breach, suddenly everyone begins paying a little more attention to their network security. For a small business, that might mean changing passwords and updating antivirus software. Overall, though, many small businesses don’t give network security the attention it deserves, due to inexperience, a false sense of security or sheer lack of time.
The costs of such lax security are astronomical. According to a recent study by the Ponemon Institute as reported in Consumer Reports, in 2013 more than half of all of the small businesses surveyed had experienced a security breach at some point. The National Small Business Association reports that the average security breach costs businesses about $9,000, not including the impact of lost sales due to the effect on the business’ reputation. In addition, research shows that 60 percent of businesses that are victims of security breaches go out of business within a year of the lapse. In short, while a company like Target might experience significant losses due to a breach, it’s likely to make a full recovery. That’s not always guaranteed for a small or midsized business, especially if there’s litigation involved.
Perhaps the most frustrating part of these statistics is that the majority of security breaches are avoidable. Some businesses do fall victim to targeted attacks by sophisticated hackers, but in many cases, cyber-attacks on small businesses are crimes of opportunity: The business fails to enact the proper security measures, all but inviting an attack that exposes data.
Some of the most common IT mistakes that cause breaches include:
1. Developing a False Sense of Security
Many small business owners go about their business thinking they are immune to attacks because no one could possibly be interested in them. The fact is, though, that whether you have 10 clients or 10,000, your customer data is valuable to hackers. Basic information — name, address, phone number — can sell for as little as $1 on the black market, but when that information comes with more details, such as credit card and Social Security numbers, the price goes up, averaging around $300 per record. If you store that information about your customers, it’s valuable to hackers, as are your bank account and credit card logins and other information. Being small does not make you safe from hackers.
2. Not Having a Security Policy
If you only have a few employees, and you trust every one of them, you might think you don’t need a security policy. But just one lost smartphone or stolen laptop can lead to a major security breach, so you need a comprehensive security policy covering what employees can and cannot do on company-sponsored devices and networks.
3. Not Educating Staff
Security risks change all the time, and your staff may not be aware of new viruses, best practices or red flags. Many major security breaches, such as the 2012 incident in which personal information about thousands of South Carolina taxpayers was exposed, occur because of a simple, innocent mistake. You must invest in employee education and support to help prevent the avoidable errors that put your business at risk.
4. Not Following Login Best Practices
Restricting access to your networks with usernames and passwords is a step in the right direction, but many small businesses fail to properly manage login credentials, thereby putting their networks at risk. When employees are allowed to use the same password in perpetuity, or everyone can gain access to vital systems with the same password combination, all it takes is for that code to fall into the wrong hands and you have a breach. Develop and enforce a password policy that requires credentials to meet certain minimum standards and be changed regularly. Also, consider employing a two-factor authentication system to restrict access further. Inexpensive token or one-time access code systems add an extra layer of security to your network.
5. Allowing Anyone to Access Your Network
Who can access your company’s network? Are you allowing vendors or clients to log on when they visit? Are employees logging on using personal devices? Unless you are certain that every device accessing your network is secure, you are putting your data at risk. Restrict access by unapproved devices, or work with an IT consulting group to develop a separate virtual private network that visitors can access without potentially exposing your network.
6. Relying on Consumer Grade Products
Many small and midsized businesses operate on tight budgets. You might even share your work life with your personal home computer. While that might work in some cases, if you are collecting and storing sensitive data, consumer-level security solutions are not going to be adequate. If you do not have the technical expertise necessary to completely secure your network, hire a professional to help you build a security protocol that will provide the highest level of protection, and conduct regular audits to ensure that everything is up to date and working as it should.
7. Not Securing the Cloud
Cloud computing has made it easier for small businesses to grow, and for employees to be productive no matter where they are. The problem is that some cloud services that small businesses rely on are not secure enough to protect business data. For example, employees may be storing and sending sensitive data using free services like Google or Yahoo, which do not offer the level of encryption and security necessary to ensure compliance with federal mandates in the health care and financial services industries. Small businesses using cloud services need to employ measures to protect the data both at rest and in transit.
8. Not Performing Updates
Updates are inconvenient, but when it comes to protecting your data, they are vital. Hackers are constantly searching for vulnerabilities in operating systems, software and plug-ins that they can exploit, and developers work hard to patch the holes as they appear. Ignoring updates, then, because you “don’t have time” or you fear that you will lose functionality, only puts you at risk. Your security policy should require regular checks for updates and require that vital updates be installed as soon as they are made available. If you don’t have the technical expertise, get help managing your servers and network to identify and solve problems before they occur.
9. Not Knowing Where Your Data Is Kept
Do you know where your data is stored? If you don’t, how can you effectively secure it? Small businesses must conduct regular audits to determine exactly where the most sensitive data is kept, and who has access to it. If you’re using a cloud service to store your data, determine the exact physical location of the servers where your information is stored. In some cases, storing data outside of the U.S. puts you out of compliance, and puts your data at a higher risk.
10. Not Disposing of Data Correctly
At some point, you’ll have to unload outdated gear, whether old computers, smartphones or paper files. Not properly disposing of everything could create a data breach. Have a plan in place for securing data at disposal, remembering that deleting files doesn’t make them disappear from hard drives. If you’re tossing old equipment, wipe the hard drives or physically destroy them, or work with a reputable company to help you.
Get Professional Help
Avoiding a security breach isn’t only about installing high-tech, sensitive intrusion detection and prevention or antivirus software. In many cases, a costly breach can be stopped with a few simple, common sense adjustments to how you work and manage your network. If you still aren’t sure about the safety and security of your IT systems, contact us today for a free evaluation.