7. Use a good firewall and a secure wireless connection. Sileo called the number of businesses that operate a wireless network in their offices without a secure form of wireless connection overwhelming. "They're still using WEP instead of WPA2 encryption," said Sileo.
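As an added illustration of tip 7 (this is example code, not something from the article or its sources), the following script flags any wireless network in a scan that still uses WEP or no encryption at all. It assumes the terse output format of `nmcli -t -f SSID,SECURITY dev wifi` on Linux and runs against a constructed sample scan embedded in the file.

```python
"""Audit a Wi-Fi scan for networks that fail the WPA2 bar (tip 7).

Assumed input: terse output of `nmcli -t -f SSID,SECURITY dev wifi`,
one "SSID:SECURITY" line per network, "--" meaning an open network.
"""

# Constructed sample scan, not captured from a real office network.
SAMPLE_SCAN = """\
FrontOffice:WPA2
LegacyPOS:WEP
Guest:--
Warehouse:WPA1 WPA2
Office\\:Mgmt:WPA2 802.1X
"""


def parse_nmcli_wifi(output):
    """Return (ssid, security) pairs; terse mode escapes ':' inside values as '\\:'."""
    rows = []
    for line in output.splitlines():
        if not line.strip():
            continue
        # The SECURITY field never contains ':', so split on the last one.
        ssid, _, security = line.rpartition(":")
        rows.append((ssid.replace("\\:", ":"), security.strip()))
    return rows


def classify(security):
    """Map an nmcli SECURITY value to 'open', 'wep', 'wpa1' or 'ok' (WPA2/WPA3 present)."""
    tokens = security.upper().split()
    if not tokens or tokens == ["--"]:
        return "open"
    if "WEP" in tokens:
        return "wep"
    if not any(t.startswith(("WPA2", "WPA3")) for t in tokens):
        return "wpa1"  # original WPA only, no WPA2/WPA3 offered
    return "ok"


def weak_networks(output):
    """List (ssid, security, verdict) for every network that should be reconfigured."""
    return [(ssid, sec, classify(sec))
            for ssid, sec in parse_nmcli_wifi(output)
            if classify(sec) != "ok"]


if __name__ == "__main__":
    for ssid, sec, verdict in weak_networks(SAMPLE_SCAN):
        print(f"{ssid!r}: security={sec!r} -> {verdict}")
```

Run it after replacing SAMPLE_SCAN with real `nmcli` output; any line it prints names an access point to move to WPA2 or WPA3.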
8. Keep anti-virus and anti-spyware software up to date. Most small businesses have anti-virus and anti-spyware software in place, but they forget or neglect to make sure they have the latest versions or the latest updates, which can open them up to all sorts of data security breaches.
9. Protect sensitive data with strong passwords and change passwords on a regular basis. In addition, have computers (including laptops) return to the login screen after five minutes of inactivity.
10. Make sure you and your employees only download applications that come from reliable sources. Because applications (e.g., games, mobile apps) may contain viruses, spyware or Trojan horses, it's important to know and trust the source of an application before downloading it.
11. Lock filing cabinets and rooms where you keep sensitive data, and only give keys to trusted employees. "Oftentimes locked boxes keep people honest," said Sileo. "They're a great way to take away the crime of opportunity."
12. Use paper shredders, and place them in strategic places around your office. One of the leading sources of credit card information and social security number theft is trash cans or dumpsters.
13. Protect laptops, and be careful where you use them. Password-protect laptops and mobile devices and keep them locked in cabinets or drawers when not in use. If you store any sensitive data on such devices (both Heimerl and Sileo advise against this), make sure it's encrypted. Also, when using your laptop on the road, tether it to your smartphone, i.e., use your smartphone as a modem, so information goes directly through your (more secure) phone rather than over a public Wi-Fi hotspot.
14. If you outsource any critical functions, vet third-party security practices. Don't be fooled into thinking that just because you outsource critical applications or store information offsite, at a supposedly secure datacenter, cloud provider or ISP, you are not responsible for that data. "If you are outsourcing any of your operations or data management to a service provider you should be asking that provider how they address [data security]," cautioned Heimerl.
NOTE: You are still 100 percent liable for any customer-related information that is breached, even if it does not reside on a server at your business or under your control.
Therefore, before you outsource any business functions, such as payroll, Web hosting or customer service, investigate each company's security and data privacy practices, and make sure they are adequate.
15. Consider outsourcing security or hiring a consultant to make sure your business is safe and secure. "You might consider, for instance, outsourcing firewall management, intrusion testing, vulnerability management, compliance management, especially when related to financial services (PCI) or to healthcare (HIPAA and HITECH)," said Heimerl. "Chances are that a qualified managed security service can provide better security than you and do so at a lower cost, while allowing your IT staff to concentrate on the business."
What to Do in the Event of a Security Breach
Here are the four steps you need to take when a security breach occurs:
- Do not panic
- Contain the breach
- Get help
- Make sure you protect your business so it doesn't happen again
Once you have identified that there has been a breach, it's critical that you isolate and contain it. If it's IT-related, that may mean shutting down a server (or multiple servers) or disconnecting from the Internet for a while, until the threat has been eliminated. If you have been hacked, make sure you have eradicated all malware (e.g., viruses, worms, spyware) from your systems and take steps to recover any lost information, such as restoring data from backups.
Next (or simultaneously), contact your lawyer and/or a security expert. Note: Forty-six states, as well as the District of Columbia, have security breach notification laws (you can also visit Privacy Rights Clearinghouse for a list), but these laws differ from state to state. If a crime has been committed, contact your local police department or, if you feel they are unequipped to deal with cyber crime or information theft, contact your local FBI office. For incidents involving mail theft, contact the U.S. Postal Inspection Service.
Also, in some cases, you may need to notify your customers if their personal information has been compromised. But before you do this, consult with your attorney and law enforcement contact as to when and how. Similarly, you should designate a person within your organization -- or hire a public relations or crisis management consultant or firm -- to be the point of contact for information about the breach, your response and how affected individuals can get help (if necessary).
The bottom line: It's much more expensive to fix a breach than to prevent one. And most of the time, you can prevent data security breaches by practicing safe tech, as outlined in the steps above.
The following sites are excellent resources for security and privacy information, including when, where and how to get help:
- Your Internet Service Provider (ISP)
- Privacy Rights Clearinghouse
- The Federal Trade Commission's "Protecting Personal Information" Guide
- Bureau of Consumer Protection's Business Center
- Business.gov's Privacy and Security site
- OnGuard Online
- SANS Computer Security Training
- Information Systems Security Association (ISSA)
Jennifer Lonoff Schiff is a regular contributor to SmallBusinessComputing.com and writes a blog for and about small businesses.