When an unauthorized party gains access to any of your customer’s personal information, this is known as a data breach. Says Don Klaskin, Managing Director of Corporate Resolutions Inc., a security and investigation firm: “Small businesses often don’t believe they’ll be the target of attacks. So they do not invest in their systems as much as larger organizations.” In March 2013, the Ponemon Institute, a research center dedicated to privacy, data protection and information security policy, reported that more than half of the small businesses they’d surveyed had experienced a data breach.
The consequences of a data breach can be significant. The first hit comes to the relationship you have with your customers and business partners; if they do not feel that their private information is safe with you, they may no longer be willing to work with you at all. And the bad publicity that surrounds a data breach can negatively impact your future growth.
There are several ways a data breach can impact you financially. In addition to lost sales, there’s a risk that your intellectual property could be sold or used by your competition. Regulatory fines and lawsuits can result in tremendous expenses.
You’ll also want to have a conversation with your insurance agent. Standard commercial property and liability insurance does not protect you from data breaches, which can mean you’re left trying to cover all of the costs of a catastrophic data breach out of pocket. This can bankrupt a small operation.
Data breach insurance is available from all major carriers. There are several levels of coverage available, making it easier for you to comply with regulatory requirements, restore customer confidence, and defend yourself in case of lawsuits.
Internal and external threats
As a responsible business owner, you want to protect your customers, and you want to protect yourself. The first step to ensuring that you’re doing everything you can to keep customer data safe is to look at how data is being handled within your organization.
The common assumption is that most data breaches are the result of a hacker’s concentrated efforts, but that’s actually not the case. According to the Ponemon Institute, the primary causes of data breaches were employee or contractor mistakes; lost or stolen laptops, smartphones, and storage media; and general procedural mistakes. Criminals don’t have to steal our data—we’re giving it away.
The problem of Bring Your Own Device (BYOD)
“Your company’s data is at risk. But the threat isn’t from cybercriminals. Instead it is your own employees who are often unwittingly putting your data at risk by failing to ensure their mobile devices are safe and secure,” begins “Employees Tell The Truth About Consumer Data”, a report from Aruba Networks. As businesses become more mobile, more and more of us are using our own personal laptops, tablet computers, and smartphones for work. Aruba estimates that half of us will be using personal devices for work by 2017.
While BYOD has some advantages for the small business owner, the cost savings carry a risk premium. You can’t prevent your employees from losing their laptops, tablets, or smartphones. You can’t stop your employees from logging onto unsecured networks, which leaves your data vulnerable. You can’t control who has access to your employees’ devices: the manager you trust with everything could very easily have a relative who creates a risk to your business.
While it’s important to understand that, ultimately, you can’t control what your employees will do with company data, it’s still important to have strong, documented policies and procedures in place regarding what types of data employees are allowed to access and how that data must be secured. In a list of best data security practices relevant to BYOD, experts recommend insisting on regular data backups and strong device passwords.
PCI Compliance: What you need to know
Protecting credit card information is obviously a top priority for the business owner. If you accept credit cards, you need to operate your business in a way that is PCI Compliant. PCI Compliance means adhering to the best practices for merchants spelled out by the PCI Security Council, a trade group that includes all of the major credit card companies.
The main thing you need to know about PCI compliance is that your business should not be storing customer credit card information. Online shopping carts, for example, allow your customer’s credit card information to ‘pass through’ to the payment processor without your staff ever being able to access that information. If for any reason you take credit card information over the phone, data must be destroyed immediately after you’ve entered it in your payment processing system. Be hyper-vigilant about this. Credit card companies aren’t forgiving of mistakes, and your customers won’t be, either.
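One practical way to verify the point above (that no card numbers have ended up in your own records) is a cardholder-data discovery check. The script below is an added example, not from the article or the PCI Security Standards Council: it scans constructed sample records for Luhn-valid, card-length digit runs and reports any hit masked to the last four digits, so the report itself does not become stored card data.

```python
"""Cardholder-data discovery check: added example, not from the article.
Finds Luhn-valid, card-length digit runs in stored text and reports them
masked to the last four digits, so a merchant can verify nothing is stored.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes (common PAN layouts).
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the last four digits, the usual PCI-style masked form."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked card numbers found in text; Luhn filters phone numbers etc."""
    found = []
    for m in _PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


# Constructed sample records: one card number that should never have been
# stored (the public Visa test PAN), plus numbers that must not trigger.
SAMPLE_RECORDS = [
    "order=100045 customer=jane phone=555-0100-2222",
    "note: took card by phone 4111 1111 1111 1111 exp 12/25",
    "invoice 2024-000123 total 49.99",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        for pan in find_pans(rec):
            print(f"stored card number found: {pan} in record: {rec!r}")
```

Run it over exports of your order notes, support tickets, and log files; any hit means card data is being stored and must be removed.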
Be on guard: Best practices to keep your customer data safe
While there’s no way to completely eliminate the chances of a data breach, you can take steps to minimize the risk. The best approach addresses both internal and external threats. Here’s what you need to do:
1. Invest in your data systems and backups. Review your internal data security systems and invest in extended measures for protecting customer and company information. Be sure you’re backing up your information for extended periods of time. Klaskin explains, “Many small businesses do not invest in firewall protection or extended back-ups due to cost. And this can cost them more in the long run.”
2. Put restrictions on data. Restrict access to essential information only, and let employees know how you expect them to handle that data. Look at restricting export access from your customer data storage applications and adding extended permissions on certain company files that contain intellectual property.
3. Provide regular reminders about data security. You want your team to be mindful of the location of their laptops, tablets, and smartphones. You may even want to look into tools for monitoring these devices, such as Prey Project for various devices or Spector CNE for reviewing desktop computer activity.
4. Double-check your web store’s compliance. If you run an online store, talk to your web team to ensure that the shopping cart used on your website is PCI compliant. Visit the PCI Security Standards website for more hints on how to keep credit card data secure.
5. Double-check outside vendor policies. Any time you share data with a third-party site, your data becomes vulnerable. Do your due diligence on how the third parties you work with protect your data, and what actions they will take if your data is breached. Accountability is important.