Companies that fail to invest in protecting their networks are taking a huge risk. Not only is there the possibility of data being stolen, but a cybersecurity breach could also damage your reputation and credibility, and open you up to potential legal fines and penalties.
In 2019, Equifax, a large consumer credit reporting agency, was sued by the Federal Trade Commission for $575 million after failing to secure personal information stored on their network. This breach exposed the names, birthdates, social security numbers, addresses, and more of nearly 147 million customers. Likewise, Uber was forced to pay a $148 million fine after the personal information of 57 million of its drivers and riders was leaked in 2018. They faced even more scrutiny after trying to cover up the breach for almost a year.
Large corporations are not the only ones who need to take precautionary measures when it comes to data security. Small businesses should be protecting customer data just as much as the big guys. With the spike in working from home due to COVID-19, securing remote access should be just as big a focus as securing on-site routers and networks. Knowing where to begin and being aware of resources can give you peace of mind for your business’s security.
Protect Devices & Networks
When it comes to protecting your devices and networks, make sure you’ve got the basics covered:
• Change the default network name and password on your router
• Enable WPA2 or WPA3 encryption on your servers
• Update to the latest version of software as soon as it becomes available
• Perform regular backups to the cloud or external storage devices
• Require passwords for access to networks
• Use a Virtual Private Network (VPN) for employees connecting remotely
It is especially important to stay current with all software patches and updates. A patch can address security vulnerabilities in different programs before they create an issue. Enabling automatic updates can be a worthwhile solution, so that you do not have to monitor for new versions yourself or rely on employees to do so.
You should also tightly control who can connect remotely to your network. If you have multiple administrator accounts that are able to edit network settings, limit access to only those who need it. If certain employees do not need remote access, do not give it to them at all. This reduces the number of accounts within your system that could cause a breach.
Many companies have started to utilize Mobile Device Management (MDM) software to manage mobile devices including smartphones, laptops, and tablets. This allows employees to securely access business information on their personal devices. With a rise in “Bring Your Own Device” (BYOD) among companies, your network security can be compromised by an app on an employee’s personal phone. MDM can give you control over these devices and limit access by segregating company data from personal data. If a device is lost or stolen, company-owned devices can be locked or wiped to prevent data leakage.
Don’t Wait Until a Breach Occurs
Whether your business is large or small, data security should be something you focus on from the beginning. Set up protocols and procedures internally so that you can react quickly and effectively if your company falls victim to a security breach.
• Be cautious when working with third-party companies. Many breaches are caused by connections with third parties that have access to your data or vendors that connect remotely to your network. If this happens, you’re still the one held responsible. In 2019 the average cost of a data breach in the U.S. was $1.9 million – when third parties were involved it added on average another $370,000 to the cost. Ask partner vendors to share their security provisions when creating contracts that include data sharing.
• Develop a cybersecurity policy. No matter how secure your network is, if employees do not follow protocols it can still be bypassed by a hacker. A report from cybersecurity firm Kaspersky Lab shows that 90% of data breaches are the result of human error. Every organization that allows remote access should have a clear cybersecurity policy in place that is communicated with users. This should include practices for access from home, while traveling, working at remote sites, or using public Wi-Fi. It may also include what devices will be authorized to connect to company networks or data.
• Train your employees. Have checks and procedures in place to be sure your employees are following policies and understand why you have them in place. This includes education about using complex passwords, ensuring emails are legitimate, and avoiding leaving workstations, laptops, or smartphones unattended. Consider requiring multi-factor authentication for any areas of your network that contain sensitive information.
• Have a breach plan in place. Create a plan for all employees to follow in case there is a breach. State which departments to notify if an individual employee finds their device hacked or stolen. This includes business continuity or disaster recovery, as well as a communication strategy for notifying employees and/or customers. The Federal Trade Commission (FTC) has resources that can help you develop your plan.
For more cybersecurity tips for your small business, visit our Security Center.