As major retail chains struggle with well-publicized data breaches, small business owners may not be aware of a potential security problem that’s much closer to home: employee compromises of sensitive data.
According to recent reporting from the Identity Theft Resource Center, which tracks data breaches across industries such as business, education, government/military, medical/healthcare, and banking, employees were intentionally or accidentally responsible for 28.5 percent of data breaches. That’s more than one in every four occurrences. Given these numbers, what can a small business owner do to keep their customers’ data safe from their employees?
Small businesses can reduce their risk of data breaches by carefully screening all new employees before hiring them. “I would recommend business owners use all available resources to them to research any potential employee,” says Patrick Regan, an engineer with Single Digits, a company that provides managed networks, data/phone lines and managed IT services. “With the internet you can find out just about everything you need,” he adds. “Check Facebook, LinkedIn, and other social networking pages, and call previous employers. Lastly, if it’s a role where they would have access to proprietary passwords or corporate infrastructure, spend the money on a criminal background check first.”
Costs for a criminal background check average around $100, although minimal information gleaned from public records can be purchased for as little as $30 online, according to Hire Right Express, a global provider of criminal background checks located in Irvine, CA. How much do you need to spend? It depends on your business needs, according to Rob Beatty, project manager at UMass Memorial Medical, Worcester, Massachusetts. “If your business is installing alarm systems, then a rather extensive background check would be something I would use,” he says. “If you’re a landscaping company, then it’s far less likely that your employees will have access to something that puts you or your company at risk.”
Strategically restrict access to data
The easiest way to prevent your employees from intentionally or accidentally breaching data security is to never grant them access to it in the first place. “Find out what’s absolutely essential for employees to know and share that,” advises Beatty.
In a report entitled Protecting Against Insider Attacks, the SANS Institute, which provides computer security training, recommends determining who currently has access to your company’s sensitive data. From that information a company can then determine which employees actually need that access to complete their job functions and responsibilities. Everyone else should lose access to that data, even if they’ve had access previously.
Conduct regular data backups
Data security is an ongoing responsibility, similar to the security of your company’s physical location. Every day, you lock the door and set the alarm to keep intruders out. Data security requires similar vigilance.
“If you have large amounts of data changing daily, and it’s important to keep that data accurate and up to date, then you need daily backups,” Beatty explains. If the data doesn’t change as frequently, then weekly or monthly backups are sufficient. Data backups should be either cloud-based or to a remote location if possible. If backups can only be performed on site, then keep backups stored off-site in a secure location. “Never leave your physical backups sitting in the same location as your data,” he warns. Not only does storing backups with your data make it easy for an ill-intentioned employee to snatch both, but “a disaster such as flooding or fire will take out your data along with your backup ensuring that recovery is impossible.”
Use ongoing monitoring
One of the most important components of internal data security is being vigilant about how your employees are accessing and using data on a daily basis. “If you're concerned employees are misusing data in any way, there are two ways to handle it,” Regan says. He recommends businesses consider investing in a firewall, which is a network security system that creates a barrier between your company’s computer network and the rest of the internet, thereby protecting a company against external attack. The other route he recommends is checking employees’ browsing history.
Robert Moskowitz, a data security expert for Verizon, writing for the RSA Conference, an information security trade event, points out that business owners want to watch for changes in how their employees are accessing data. For instance, if an employee’s data access had been moderate and then suddenly he or she starts transferring five or ten times as much data, or accessing hundreds of database records, a business owner will want to investigate further and review user activity. Moskowitz also points out that most intentional data breaches are caused by disgruntled employees, such as those who have been passed over for promotion or recently laid off.
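The check Moskowitz describes can be run over a daily access log. The sketch below is an added example, not from the article or its sources: it compares each user's transfer volume to that user's own earlier days and flags the jumps. The log layout, the sample rows, the 200-record limit and the three-day history requirement are all assumptions.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample log (not real data): date,user,bytes_transferred,records_read
SAMPLE_LOG = """\
2024-03-04,alice,120000000,14
2024-03-05,alice,110000000,11
2024-03-06,alice,130000000,16
2024-03-07,alice,900000000,18
2024-03-04,bob,40000000,9
2024-03-05,bob,45000000,12
2024-03-06,bob,42000000,10
2024-03-07,bob,43000000,350
"""

VOLUME_MULTIPLIER = 5   # lower bound of "five or ten times as much data"
RECORD_LIMIT = 200      # assumption: cut-off for "hundreds of database records"
MIN_BASELINE_DAYS = 3   # assumption: history needed before judging volume


def find_anomalies(log_text):
    """Return (date, user, reason) for days that break a user's own baseline."""
    history = defaultdict(list)  # user -> bytes moved on earlier, normal days
    alerts = []
    # ISO dates sort chronologically, so sorting the rows orders each user's days
    for date, user, nbytes, records in sorted(csv.reader(io.StringIO(log_text))):
        nbytes, records = int(nbytes), int(records)
        past = history[user]
        flagged = False
        if len(past) >= MIN_BASELINE_DAYS:
            baseline = median(past)
            if baseline > 0 and nbytes >= VOLUME_MULTIPLIER * baseline:
                ratio = nbytes / baseline
                alerts.append((date, user, f"transfer {ratio:.1f}x baseline"))
                flagged = True
        if records >= RECORD_LIMIT:
            alerts.append((date, user, f"{records} records read"))
        if not flagged:
            # Spike days stay out of the baseline so a sustained spike keeps alerting
            past.append(nbytes)
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(SAMPLE_LOG):
        print(*alert, sep="  ")
```

Each alert is a prompt to review that user's activity for the day, as the article suggests, not proof of misuse.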
Terminate access quickly
Whether an employee quits, is fired, or is laid off on a temporary or permanent basis, terminating access to all of your company’s data is an essential task that must be completed immediately in order to protect your business. The first step is to disable the former employee’s user accounts and passwords. It’s also a good idea to change the passwords on any other company accounts the former employee may have had access to.
Data security is an ongoing commitment
Protecting your sensitive data from internal threats is an ongoing responsibility. It begins before you hire a new employee, continues through their employment with you, and extends to smart post-employment protection strategies. Being vigilant does take time, energy and resources, but these costs are far less than the tremendous expense associated with a data breach.