In this digital age, data breaches, and all of the liability and headache they represent, have become a fact of life for large corporations. The bad guys, however, don’t just target large companies, and small businesses have a legal and ethical obligation to protect their customers, too. The risks of data breaches continue to increase and businesses need to pay close attention to their network security measures to protect their customers.
Here are some best practices you can use to help keep your business information secure.
Among information security professionals, there’s a common saying: “If you’ve been ignoring information security, you’ve already been hacked.” U.S. Bank deflects approximately 500 attacks per month. If a customer has trusted you with his or her data, you have a legal and ethical obligation to protect it.
Oftentimes businesses think they’re secure when they are not. There’s good reason for that: Over the last decade, cybercrime has become increasingly sophisticated.
On the small end, plenty of hackers are working alone and may not be motivated by money at all. (In one recent case, a group of teenagers hacked a British service provider just to impress their friends.) At the other end of the spectrum, however, there has been rapid growth in organized cybercrime. Estimates vary, but McAfee claims that as much as $550 billion may be lost to cybercrime every year. Juniper Research expects that amount to rise to $2 trillion by 2019. Groups operating on the large end command resources greater than the GDPs of many countries, with software teams writing viruses and other malware.
Risks may be even higher depending on your industry. The U.S. Department of Homeland Security defines 16 critical infrastructure sectors — industries such as water and agriculture, electricity and financial services — that might be attractive targets not only to criminals but also to foreign governments or other groups seeking to cause damage and panic.
Organizations that rely on data for others’ safety are also prime targets for ransom attacks, in which a hacker takes vital data or systems offline and keeps them that way until a ransom is paid. Several hospitals hit by such attacks in the last several years have been forced offline until they paid the hackers, most dramatically in May 2017 when malware hit the entire British National Health Service.
As a business, your exposure to threats from hackers is less than that of a major corporation, but it may also be harder for you to have the right security expertise. Legal requirements for data and information security vary across countries and states, so it’s important to know your obligations.
If you’re using computers, you need to invest in IT security by putting someone in charge of data security. If you’re not large enough to have a dedicated information security person on your IT staff, you should at least have an IT person with the relevant knowledge and certifications. IT security for businesses can include outsourced data security. However, it’s important to understand that you can’t outsource risk. Make sure any outside firms are accountable to you.
Although there are no one-size-fits-all solutions or rules, there are still guidelines. Depending on your industry, about 3 to 5 percent of your IT budget should be dedicated to information security in some form. This is certainly one function you cannot afford to shortchange; it takes only one data breach or hacking incident to harm your reputation, your customers and your bottom line.
Investing in good anti-virus software is necessary but not sufficient, and there is no off-the-shelf solution to these problems. Being in an information security role is like trying to predict the weather on a planet where the climate changes every quarter. However, no matter what your specific requirements are, there are general information security frameworks that give you a comprehensive set of controls that will still allow you to sustainably serve your customers.
One framework, from the National Institute of Standards and Technology (NIST), is particularly useful. While implementing all components of the framework is important, focusing on a small handful of the precautions it outlines can help you eliminate most of the risk.
1. Stay rigorously up to date on software patches.
2. Be careful about who has administrative access to your devices.
3. Use two-step authentication when accessing your network or email remotely.
4. Test your employees with fake phishing emails so they know not to click the wrong link when a real one arrives.
In addition to the threats the NIST framework tries to prevent, one other area is worth mentioning: payment security.
In recent years, hackers have gotten increasingly sophisticated at targeting employees by impersonating executives or others in the company, convincing them to approve fraudulent wire transfers. While these funds can be reclaimed if the fraud is quickly identified, the bad guys have netted over $3 billion from tens of thousands of businesses since 2013.
Businesses of all sizes, from major multinationals to a local dry cleaner, take payments, which means they’re also responsible for protecting customer payment information. If you’re accepting payments, be aware that there was a liability shift in 2013 that puts fraud risk on the business if there is a compromise and you are not using the latest security measures, such as chip readers for credit cards.
Over the last 10 years, threats to data security have grown in sophistication from lone hackers to international crime rings, and that trend is only accelerating. As quickly as we try to adapt to new data and information security threats, especially as more and more everyday devices in the internet of things become connected, we will see a shift from internet security to internet safety. By taking data security seriously, you aren’t just protecting your customers’ information — you’re protecting your customers themselves.
Continue reading at usbank.com/small-business.