Whether you use a third party for your retail website or exchange intellectual property such as designs and blueprints with customers and partners, you need to protect the information that is the lifeblood of your business.
Don’t think for a moment that it is just about stealing credit card numbers. There is a universe of data that, maliciously used, can damage your customers, your credibility and your competitive edge.
Black-hats and inside jobs get the headlines—huge breaches that simply amount to stolen accounts, customer data and disruptions in service. It’s the breaches you don’t read about that could have long-lasting effects on the health of your business.
The targets of the bad guys’ affection are many: intellectual property, company secrets, employee records, business plans, customer data, financial and legal documents.
It’s not only cyber-attacks that you need to worry about. Of the 43 percent of businesses—yes 43 percent—that experienced some type of data breach in 2014, fewer than one-third were due to cyber-attacks.
Here are 5 things you should think about when locking down your valuable data assets. No matter how simple it is, you should have a security plan:
It’s Not Just Digital (Physical Security Trumps Everything)
The most important aspect of protecting information is clear communication to your employees of your expectations around handling information. A simple security policy can keep everyone in the know about Confidential (e.g. employment applications) and Proprietary (e.g. secret recipe) documents.
Don’t leave such documents lying around the office, and let employees know you will spot check occasionally. If documents are no longer needed, shred them or put them in the secure shredder bin; otherwise, lock them away.
Secure Your Premises
Locks, digital entry systems, alarms and perimeter obstacles such as fences are considered deterrents. These simply make an unauthorized entry take longer, thus deterring a would-be thief from taking on the job in the first place. Digital entry systems add the further protection of knowing who was on the premises and when.
If you manage your own computer systems, keep them in a secure area where only authorized personnel have direct access to the hardware. This, along with proper digital access controls for applications that your employees and customers use, will improve your security posture significantly.
Anyone Can Read Your Email
Yes, sending documents and information in emails is easy—too easy. Almost anyone with a basic knowledge of networks and communication protocols can read email relayed through the internet.
It is not secure.
Once again, clear communication to your employees, customers and partners can prevent a major train wreck. If you have sensitive information to share or collaborate on, use technologies such as Box.com, which has services to send and receive documents in a secure and authenticated manner.
If you use an internal email system, make sure you set up policies that can detect certain types of data such as SSNs, company documents and potentially dangerous attachments—block them at the source. This practice is known as DLP (Data Loss Prevention) and is the most commonly used form of preventing the problem from occurring in the first place. But nothing is more valuable than simple communication to your workforce of the known dangers of email and your expectations around email usage.
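One way the SSN and attachment checks described above could look, as an added example that is not from the original article. The function names, the blocked-extension list and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed policy values for this sketch; tune them to your own environment.
BLOCKED_EXTENSIONS = {".exe", ".js", ".scr", ".vbs", ".bat"}
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ]?(\d{2})[- ]?(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Drop number ranges never issued as SSNs, which cuts false positives."""
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


def find_ssns(text: str) -> list[str]:
    """Return redacted hits so the DLP log does not itself store SSNs."""
    return [f"***-**-{m.group(3)}" for m in SSN_RE.finditer(text)
            if is_plausible_ssn(*m.groups())]


def scan_outbound(raw_message: str) -> dict:
    """Check every MIME part of an outbound message against the policy."""
    msg = message_from_string(raw_message)
    reasons = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename and any(filename.lower().endswith(ext) for ext in BLOCKED_EXTENSIONS):
            reasons.append(f"blocked attachment type: {filename}")
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            reasons += [f"possible SSN: {hit}" for hit in find_ssns(text)]
    return {"action": "block" if reasons else "allow", "reasons": reasons}


# Constructed sample message (not real data).
SAMPLE = """From: hr@example.com
To: partner@example.net
Subject: New hire paperwork

Hi, the applicant's SSN is 123-45-6789. Order ref 000-12-3456 is unrelated.
"""

if __name__ == "__main__":
    print(scan_outbound(SAMPLE))
```

The range checks matter in practice: a bare nine-digit pattern flags order numbers and phone fragments, and a noisy filter is one that staff learn to ignore.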
If You Don’t Use It, Don’t Store It
Convenience, sloppiness and laziness at the expense of security—we are all guilty. Often we collect data that is not needed or store information for minor convenience.
An outdated process or application collects social security numbers when they are no longer needed or used; “we always file the applications and background check results in that unlocked filing cabinet”; “our repeat customers like the convenience of not having to provide or enter their credit card every time they do business with us.”
It’s a balance and you have to make the call, but consider that every time you store information, paper or digital, your liability increases. Even if you store documents or data with a third party, you are still liable. Is the third party secure? Can you verify they are not operating out of a garage?
Simple dedication to keeping things cleaned up and diligence in assessing real need can go a long, long way.
It’s not just data and documents that can leak sensitive information about your business and customers. Many times human interaction is the culprit in some very damaging security breaches. Social engineering is the industry term for a fraudster using relationship knowledge to gain access to information that would otherwise be unavailable.
“Hi, my name is John Doe with ABC Corp and I meant to talk to you at the Banking Symposium last week—hey that was very interesting—anyway my company is looking at using Brinks and was wondering if you were satisfied with the pick-up schedule—what time do they pick up at your business?” You get the drift.
Once again, communicate clearly to your employees what kind of information, if any, may be provided to outsiders without proper verification or permission. Those outsiders could be reporters, competitors, salesmen or just criminals trying to steal from you. Tipping off the ne’er-do-wells could damage your reputation and lose you money.
Hard to believe this is fifth on the list, but digital security is an area in which we sometimes have the least control—it is very complicated. When providing digital applications to your employees, partners and customers, there are many things to consider; however, we will only discuss two of the most important: authentication and encryption.
We are all familiar with logging in to a web site with our user name and password. This is known as authenticating and we have all read about cyber-attacks attempting to guess your ID and password.
The most important, and easiest, mitigation for this vulnerability is to communicate and enforce strong password practices (not “abc123” for you Michael Jackson fans) with the applications you own. In many cases systems should require password resets every once in a while—this keeps fraudsters guessing and guessing and guessing.
Sometimes, however, our most valuable digital assets need something even stronger, requiring two or even three types of ID. Something you know (e.g. password), something you have (e.g. iWatch) and something you are (e.g. thumbprint) is the model for the most secure systems. The thought is that fraudsters would have difficulty getting hold of two or more forms of identity, e.g. user ID/password and your thumb.
Encryption is important as it makes data unreadable (including user IDs and passwords) while it travels over our internal networks or the internet. This keeps hackers from obtaining access to our sensitive data while it is in flight. Most of us are familiar with the https:// we see in our browser address bar and with configuring our wireless routers with WEP and WPA. Make sure you are leveraging these technologies when granting access to any application, whether internal or provided by a third party.
Authentication and encryption are very important aspects of cyber-protection, but are too complicated for most to manage. Consult your network specialist.
Security in today’s cyber-world is a complicated and ambiguous matter, but it doesn’t take a rocket scientist to protect your business. There are many simple measures that can be taken that won’t break the bank and will assure the safety of your business’s valuable information. So, no matter how trivial it may seem, get to work on your security planning, create a policy and keep in constant communication.