In August 2010, the Privacy Rights Clearinghouse published its latest Chronology of Data Breaches, which showed that since 2005 more than a half-billion sensitive records have been breached. Of those breached records -- which contained such sensitive data as customer credit card or social security numbers -- approximately one-fifth came from retailers, merchants and other types of non-financial, non-insurance-related businesses, the majority of which were small to midsized.
An equally scary statistic: approximately 80 percent of small businesses that experience a data breach go bankrupt or suffer severe financial losses within two years of a security breach, according to John Sileo, a professional identity theft consultant and speaker, who knows firsthand about the havoc a security breach can wreak on a small business.
What can a small business owner do to protect her business from a security breach? Small Business Computing spoke with two security and privacy experts and consulted the leading security and privacy sites to find out. The good news: protecting your business from a data security threat is easier than you think. It's also much cheaper than the physical, financial and emotional cost of repairing one.
The 7 Causes of Security Breaches
According to the Privacy Rights Clearinghouse (and other sources), security breaches typically result from one of the following seven causes:
- Unintended Disclosure: Someone in or affiliated with your organization inadvertently posts private or sensitive company or customer information on a website (e.g., Facebook or a blog) or in an email, fax or letter.
- Hacking or Malware: Unauthorized individuals gain access to your computers or servers (often due to inadequate firewalls or weak passwords) and steal or corrupt data by using malicious software programs known as malware.
- Payment Card Fraud: Information is stolen from a point-of-service credit card or payment terminal.
- Bad Employees: Someone who works for you intentionally steals or leaks sensitive information.
- Lost, Discarded or Stolen Paper Documents
- Lost, Discarded, or Stolen Mobile Devices (e.g., laptops, smart phones, flash drives, CDs, etc.)
- Stolen Computers or Servers
15 Ways to Protect Against Data Security Threats
Protecting your business from a security breach isn't just about practicing safe tech. It's about hiring the right people, having a good security policy in place and employing common sense. You can protect sensitive or confidential data by following these 15 steps.
1. Identify what sensitive information you have, what you use it for and where it resides. Translation: inventory your company's potentially sensitive information (e.g., customer credit card information) and document on which computers, servers and laptops it's stored.
2. Isolate/segregate sensitive data. Keep sensitive information on the fewest number of computers or servers, and be sure to segregate it from the rest of your data and network if possible. "The fewer copies of data you have, the easier it is to protect," said Jon Heimerl, the director of strategic security for Solutionary, a security services company that helps companies of all sizes design and manage better security programs and detect and prevent security events.
3. Encrypt sensitive data. According to Heimerl, encryption becomes even more important when your data is mobile. "There are many options to encrypt data via applications, databases or via security suites that can run, for instance, on a laptop. If you can encrypt the data, chances are good that, even in the event of a breach, the information will be safe from ultimate compromise. The HITECH Act, for instance, says you must report breaches of unsecured data. Encrypted data is considered secure."
4. Use Secure Sockets Layer (SSL) or a similarly secure connection for receiving or transmitting credit card information and other sensitive financial data. Using a secure, encrypted connection such as SSL protects sensitive data while it is in transit across the Internet.
5. Do background checks and get at least two references for all new employees. Ask for at least two references from previous employers and take the time to call both former employers to verify previous employment information. You may also want to check if a prospective employee has a criminal record or a problem with his credit history. To learn more about employee background checks and references, review the Privacy Rights Clearinghouses Small Business Owner Background Check Guide.