10 Information Security Tips for Small Businesses
When it comes to information and data security, many small business owners do not know where to start.
But in today’s world, customers have naturally come to expect that their sensitive data will be kept secure. It can be an intimidating step for a small business that likely does not have an IT department, but we have compiled a list of tips to help you tackle your security concerns.
1. Identify Your Sensitive Data
The very first tip in securing your sensitive data is figuring out just what it is. Every organization has it, whether it’s financial records, employees’ personal information or customer credit card details. Knowing where this information is stored (computers, servers, data centers) is the first step; the tips that follow will help ensure that it is protected.
2. Train Your Employees on More Than Just the Registers
Employees are typically an organization’s biggest security risk, and small to medium businesses have the mentality that hackers only go after the big fish in the pond. The opposite is usually true, as many smaller organizations still house valuable data like customer credit card information. Unlike larger organizations, SMBs do not have strong, if any, security measures in place. These attacks typically begin with a phishing email carrying an attachment that contains some form of malware. Untrained employees are more likely to open these attachments and click links, not realizing in the slightest that they may have irreparably damaged their company. Teaching your employees the very real dangers of cyber threats, and not to open anything that even remotely looks out of place, could save your company’s reputation and revenue. We recommend going further and implementing web-surfing controls, spam filters and advanced malware protection systems that track targeted attacks in multiple ways.
3. On That Note – Install the Security Basics
Firewalls, firewalls, firewalls! These need to be set up for both wireless and wired access points, along with anti-malware on ALL endpoints and servers. While Norton or AVG anti-virus products are typically fine for your own PC, on a business network they really are a limited form of defense. Follow best practices, like patching all operating systems and applications as soon as updates are released. And if all of this is going right over your head – seriously consider hiring a security provider to take this stress off your plate. (We happen to know a great one *cough*Secure Sense*cough*) It can be a big step for an SMB – but in today’s digital world, if you are not serious about security then you are putting your customers at risk. Also … if you didn’t know, it is mandatory to adhere to the data privacy requirements spelled out in the PCI guidelines for ANY business that accepts credit cards.
4. Don’t Forget the Physical
While most threats will occur in the virtual world, businesses of all sizes should never forget the “old-school” way of attacking, the ones that happen right in front of you. Any device that holds, or gives access to, data needs to be monitored. The most common form is POS tampering. Training your employees to watch for distraction techniques and any changes to the devices can help prevent this style of attack.
Security expert Brian Krebs shows us how to spot the difference between a legitimate Ingenico self-checkout POS device and a tampered one.
5. Balancing BYOD and Company Owned
Regardless of whether your company has transitioned to smartphones and tablets yet, it can be guaranteed that there are multiple devices running on your network. The potential issue with this is the different operating system platforms (think iOS vs Windows), each with its own security requirements and updating methods. Most companies now have a “Bring Your Own Device” option that allows employees to use their own smartphones or tablets. While this can seem like a great option, it raises legal concerns since confidential business data is no longer being held or distributed on a device that is business owned.
6. Passwords, Passwords, Passwords!
No matter how often security experts warn the world about passwords, the most commonly used one is STILL “Password1”! Small business owners should frequently review all passwords being used in their systems and update them. If any are deemed insecure, change them. Any time an employee leaves the company or a third-party company has had access to them, change them. We have blogged about this several times, so make sure to use a strong password and DO NOT reuse it on another website!
Please don’t do this either!
7. Limit and Monitor Individuals’ Access to Data
This step can take time, and not every SMB has the resources or patience to do it, but the safety of your data could depend on it. Determine which network resources and applications employees and external business partners really need access to in order to do their jobs. Keep a record of these accesses, and consider two-factor authentication. When employees leave, ensure their access is immediately revoked.
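A periodic access review is the practical form of this tip: compare the accounts that exist on each system against who still works for you and what their role actually needs. The script below is an added example, not code from Secure Sense or the original post; the roles, systems, people and accounts in it are constructed sample data, and a real review would pull the account list from each system and the staff list from HR.

```python
"""Access review for a small business: flag accounts of departed people,
access beyond a person's role, and accounts without two-factor authentication.
Added example with constructed data; adapt the tables to your own systems."""
from dataclasses import dataclass, field

# Which systems each role legitimately needs (constructed; least-privilege baseline).
ROLE_ENTITLEMENTS = {
    "cashier": {"pos"},
    "bookkeeper": {"pos", "accounting"},
    "owner": {"pos", "accounting", "payroll", "file-server"},
    "contractor": {"file-server"},
}

# Current staff and partners according to HR (constructed).
CURRENT_PEOPLE = {
    "alice": "owner",
    "bob": "cashier",
    "carol": "bookkeeper",
    "dave": "contractor",
}


@dataclass
class Account:
    user: str
    system: str
    mfa_enabled: bool
    active: bool = True


# Account inventory as exported from each system (constructed sample).
ACCOUNTS = [
    Account("alice", "payroll", mfa_enabled=True),
    Account("alice", "accounting", mfa_enabled=True),
    Account("bob", "pos", mfa_enabled=False),
    Account("bob", "accounting", mfa_enabled=False),          # beyond a cashier's role
    Account("carol", "accounting", mfa_enabled=True),
    Account("erin", "file-server", mfa_enabled=True),         # erin is no longer on the HR list
    Account("dave", "file-server", mfa_enabled=False),
    Account("dave", "payroll", mfa_enabled=False, active=False),  # already disabled, ignored
]


@dataclass
class ReviewFindings:
    departed: list = field(default_factory=list)  # (user, system) for people not in HR list
    excess: list = field(default_factory=list)    # (user, role, system) beyond the role
    no_mfa: list = field(default_factory=list)    # (user, system) without second factor


def review_access(accounts, people, role_entitlements):
    """Cross-check every active account against the HR list and role baseline."""
    findings = ReviewFindings()
    for acct in accounts:
        if not acct.active:
            continue  # disabled accounts are not a live exposure
        role = people.get(acct.user)
        if role is None:
            # Nobody in HR owns this account: revoke it first, then investigate.
            findings.departed.append((acct.user, acct.system))
            continue
        if acct.system not in role_entitlements.get(role, set()):
            findings.excess.append((acct.user, role, acct.system))
        if not acct.mfa_enabled:
            findings.no_mfa.append((acct.user, acct.system))
    return findings


def format_report(findings):
    """Plain-text summary suitable for a monthly review record."""
    lines = ["Revoke (owner has left):"]
    lines += [f"  {u} on {s}" for u, s in findings.departed] or ["  none"]
    lines.append("Reduce (access beyond role):")
    lines += [f"  {u} ({r}) on {s}" for u, r, s in findings.excess] or ["  none"]
    lines.append("Enable two-factor authentication:")
    lines += [f"  {u} on {s}" for u, s in findings.no_mfa] or ["  none"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(review_access(ACCOUNTS, CURRENT_PEOPLE, ROLE_ENTITLEMENTS)))
```

Run it on a schedule (monthly, and again whenever someone leaves) and keep the printed report as the record of the review; the "departed" list is the one to act on the same day.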
8. Proper Disposal is Key
One point that we cannot stress enough is proper disposal of old computers and ANY other device that stores data. In a study that we have previously blogged about, the results showed that a staggering 78% of devices still held residual data. Make sure someone oversees the removal and sanitization of these devices and verifies that it has been done properly. Sensitive information is worth a lot to the right people, and this simple step can stop it from reaching them. Be sure to shred all paper documents as well!
9. You Can’t Control the Inevitable
Mother Nature doesn’t play by anyone’s rules, and no matter how much you think you are prepared, you cannot control floods, fires, earthquakes and other environmental phenomena. You also cannot control the actions of others, whether that’s an outsider or an insider threat. All of these factors can impact the security of your stored data. In this day and age, every single business now depends on some form of computer processing – so automate your backup process. Plan and test for these kinds of disruptions, which could last for days, weeks and, in some extreme cases (think stolen data and legal issues), even months.
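An automated backup is only useful if you also prove it can be restored, so the test should be part of the automation. The script below is an added example, not a Secure Sense tool or anything from the original post: it archives a folder, records a checksum beside the archive, then performs a trial restore into a scratch directory and compares every restored file against the original. The sample data it backs up is constructed inside the script; point `make_backup` at your real data folder and a backup destination of your own (file names and the `nightly` label are assumptions for the example).

```python
"""Automated backup with a built-in restore test.
Added example with constructed sample data; replace the paths with your own."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(src_dir):
    """Map each file's path relative to src_dir to its SHA-256 hash."""
    src = Path(src_dir)
    return {str(p.relative_to(src)): sha256_file(p) for p in src.rglob("*") if p.is_file()}


def make_backup(src_dir, dest_dir, label):
    """Archive src_dir into dest_dir/<label>.tar.gz and record its checksum beside it.
    Returns the archive path and a manifest of the source files for later verification."""
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=".")
    (dest / f"{label}.sha256").write_text(sha256_file(archive))
    return archive, snapshot(src_dir)


def verify_backup(archive, manifest):
    """Trial restore: check the archive checksum, extract to a scratch directory,
    and confirm every restored file matches the manifest taken at backup time."""
    archive = Path(archive)
    sidecar = archive.with_name(archive.name.replace(".tar.gz", ".sha256"))
    if sha256_file(archive) != sidecar.read_text().strip():
        return False  # archive changed or corrupted since it was written
    with tempfile.TemporaryDirectory() as restore_dir:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                # Refuse entries that would write outside the restore directory.
                if member.name.startswith("/") or ".." in Path(member.name).parts:
                    return False
            tar.extractall(restore_dir)
        return snapshot(restore_dir) == manifest


def demo():
    """Back up a constructed data set, verify it, then show that a damaged copy fails."""
    with tempfile.TemporaryDirectory() as work:
        data = Path(work) / "data"
        (data / "invoices").mkdir(parents=True)
        (data / "customers.csv").write_text("id,name\n1,Sample Customer\n")  # constructed
        (data / "invoices" / "2024-01.txt").write_text("constructed invoice\n")
        archive, manifest = make_backup(data, Path(work) / "backups", "nightly")
        ok_before = verify_backup(archive, manifest)
        with open(archive, "ab") as f:   # simulate a corrupted backup copy
            f.write(b"\x00")
        ok_after = verify_backup(archive, manifest)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

Schedule `make_backup` followed by `verify_backup`, keep the manifest with the archive, and treat a `False` result as an incident to fix before the next run; a copy that only exists on the same machine as the original also needs to be moved off-site, which this script leaves to you.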
10. Big Things Can Come in Small Packages
Just because your business is small does not necessarily mean you’re not holding big data. If your company, in any way, shape or form, holds customer data – especially credit card information – you need to ensure you are putting the right steps in place to protect it. Ensure your company has a strict policy in place, and enforce it. This should define how employees are utilizing their internet access, as well as how data is being shared and controlled. Have your employees read and sign a document, and make it clear that their online activities will be monitored.
Do you have any additional security best practices to share? Let us know your best security tips in the comment section below!
Connect with Secure Sense to protect data, your network, and systems 24/7, 365 days a year. If you have questions or want to learn more, please contact Secure Sense by calling 866-999-7506.