business.com receives compensation from some of the companies listed on this page. Advertising Disclosure
World's Best Boss

Do you have the world's best boss?Enter them to win two tickets to Sandals!

Updated Jan 11, 2024

17 Security Practices to Protect Your Business’s Sensitive Information

Mark Fairlie
Mark Fairlie, Senior Analyst & Expert on Business Ownership

Table of Contents

Open row

You don’t have to look far to see the repercussions of a business’s failure to protect sensitive information. Equifax, Adobe and Target, among many others, have been victims of significant data breaches that hurt their reputations and bottom lines. [Learn how to manage your online reputation.]

Indeed, failures in cybersecurity countermeasures have significant costs for businesses. In the U.S., cyberattacks cost small businesses more than $8,000 annually, on average, according to Hiscox. That’s enough to dent a large hole in any small business’s cash flow.

We’ll share 17 ways to protect your sensitive information from a cyberattack. Rather than focusing on the technical aspects, we’ll look at how to educate your staff and create a culture of cybersecurity across your business. Then, we’ll explore three primary attack vectors used by cybercriminals and explain the merits of cybersecurity insurance.

How to protect your business’s sensitive information

Cybersecurity starts at the top of the business. Your staff will be compelled to make cybersecurity a priority only if it’s important for the organization as a whole.

To create an effective cybersecurity plan for your business, first you need to carry out a cyber risk assessment that lists what is valuable and may be vulnerable to theft. Then, you must understand how your current IT infrastructure and your co-workers could help enable such an attack.

Once you understand the specific cyber risks, implement plans and procedures to protect against these vulnerabilities. If you don’t have an IT department at your business, it’s wise to hire an outside expert to help you create and implement a plan. It might cost money now, but it could save your business in the long run. A consultant may recommend that you establish an annual cybersecurity budget for equipment, software and training. 

Here are 17 important cybersecurity best practices to follow.

1. Teach your staff about cybersecurity.

Any cybersecurity expert will tell you that, no matter how stringent your firewalls are or how much your IT equipment costs, the biggest vulnerability to your business is not the technology itself. Instead, 88 percent of all data breaches result from mistakes by employees, according to Tessian.

That’s because your staff is either unsure what to do when confronted with a particular circumstance or they don’t perceive it as a threat. For example, a request to click a link in an email to reset an account experiencing “unusual activity” is likely an attempt at cyber extortion, as is an allegedly internal call from IT asking for a user’s password.

In your training, emphasize that the most significant risk comes from criminals trying to trick your employees into doing something, rather than from people hacking into the company’s Wi-Fi. The key is to teach them the signs to look for and, when something seems wrong, what they need to do about it.

TipBottom line

Monitor how your staff does post-training, and encourage managers to give feedback. When someone does spot and prevent an attack, celebrate it among your team and reward them.

2. Set internal controls to guard against employee fraud. 

Regardless of how much you trust your employees, it’s wise to use internal controls to limit your risk of employee fraud. Otherwise, employees could misuse company funds or steal customer information.

Limit each employee’s access to the information they need for their job. Make sure your systems log the information each employee accesses. Segregate duties to prevent a single employee from having too much responsibility. For example, instead of having one employee make purchases and go over expense reports, split those tasks among two employees. 

3. Keep your software updated.

Cybercriminals are a curious mix of devious and ingenious. The rewards of a successful hack can be so great that they will work for weeks or months to find “zero-day vulnerabilities,” which are obscure ways to sidestep the internal security workings of a popular program to infiltrate companies’ computer networks.

No app or software is 100 percent secure at the time of launch. Loopholes and exploits are found all the time, and in response, vendors release patches and updates to protect their clients. As part of your new cybersecurity policy, ensure that every time a vendor releases a patch, you update your version of the software the same day.

If your vendor no longer supports a product, this represents an escalating probability of disaster. In this case, switch to an alternative that is supported.

4. Use difficult-to-guess passwords.

Computer security experts have advised consumers and businesses for decades to choose secure passwords for logging in to computer networks, online accounts and business apps. This is still superb advice. 

To take more control of this, consider instituting centralized password management across your business. In addition, use multifactor, fingerprint or biometric authentication as a second line of defense.

5. Guard your wireless networks.

Business Wi-Fi is not as safe as you might think. Although it’s getting faster, especially since the release of the 802.11ax standard, it’s only as secure as the protocols you put in place.

Here are some tips for protecting your wireless networks:

  • Create difficult-to-guess passwords for devices such as printers, point-of-sale systems and cameras, as they can be a backdoor to your wider system.
  • Hide your network from others by disabling the SSID broadcasting.
  • Keep an inventory of permitted devices that can log in to your Wi-Fi so that all unauthorized devices are automatically barred entry.

6. Use encryption on all types of data.

Encryption transforms data into something called ciphertext, which is indecipherable to anyone without an encryption key. There are three types of data: in transit (data that’s going from one place to another), in use (data that’s being used by a device in a process), and at rest (data that’s not being used at all).

All three types of data are at risk, so it’s better to use encryption across your entire network, including cloud connections, so that if a breach were to occur, a hacker would not be able to make sense of the data.

7. Back up your data every day.

In a ransomware attack, a hacker will hold your computer network, data or both hostage until you pay them. If your data exists only on your internal network, you are vulnerable to a ransomware attack. Even if you do pay up, there is no guarantee that they will release your data; they may still destroy it or distribute it for all to download online.

If you back up your data every day and a ransomware attack occurs, this is still serious. However, your IT team or contractor can work to release control of the PCs without worrying that doing so will destroy the only copy of the data. When the problem has been solved, your IT team or contractor can safely load the software and data back onto your network.

Did You Know?Did you know

Cyberattacks can be very costly for businesses. In addition to losing valuable information, companies must pay up to remedy the problem and often lose revenue as a result of reputation damage. According to IBM Security, the global average cost of a data breach was $4.45 million in 2023.

8. Switch to the cloud.

Many companies want to keep their data on physical hardware on company premises, but more businesses are switching to storing data exclusively in the cloud or using a hybrid approach. Cloud services automatically back up your data online every time you or a colleague takes an action.

Cloud encryption is often far superior and harder to crack than any internal solution you have to protect your on-premises networks, thus affording your data an even greater degree of security. 

9. Store physical documents securely.

Cyberattacks may be a more common threat, but lost or stolen documents can be just as bad. Whenever documents contain sensitive information, It’s important to keep them safe from prying eyes. Store documents in a locked file cabinet or room that only your most trusted employees can access. Dispose of documents by running them through a shredder. 

10. Keep a device inventory.

Consider allowing only authorized devices to log on to your network, cloud and software. That way, staff can still store and transfer information via laptops, smartphones, tablets and flash drives, and if you operate a bring-your-own-device policy, colleagues still have the access they need.

But if a device is lost or stolen or a member of your team who regularly uses a device to log in to your system moves to a new employer, you can remove that device from your inventory permanently.

11. Save only what’s necessary.

The more information you collect about your customers and employees, the more you need to protect them. Companies often save more information than is necessary, and their customers are the ones who suffer if a data breach occurs.

To limit what hackers could steal, save only the information you absolutely need to run your business. This is called data minimization. If you need information only temporarily, get rid of it properly after you’ve used it.

12. Pay for expenses with a business credit card.

For business expenses, the best and most secure payment method is a business credit card. Most will have zero-liability fraud protection, and if you need to dispute a transaction, you won’t lose any money during that process. You can set spending limits on employee cards and receive immediate notifications of transactions via text alerts. 

Any payment method has its risks, but credit cards have the most safeguards and security features. Security isn’t the only benefit of business credit cards; they also provide detailed expense reports and the opportunity to maximize your travel rewards.

13. Monitor your employees’ accounts.

Any employee account is a potential hacker’s portal to your most valuable information. To protect your business from employee account hacks, you should analyze their logs and behavior while setting rule-based alerts. In doing so, you can identify unusual login attempts that often indicate a hacker inside the account.

14. Create firm employment agreements.

In all your job contracts, include text that forbids your employees from sharing certain types of information. Every time an employee shares information, they transmit data through a channel that, even if highly secure, could theoretically be breached. If this information isn’t shared in the first place, it can’t be accessed.

15. Plan your response to data breaches.

You always need to be prepared for a worst-case scenario. How you respond to security incidents can be the difference between a minor data loss and a costly breach. Your plan should include the following steps:

  1. Close any holes immediately. Disconnect and shut down any compromised computers, and stop using any compromised programs.
  2. Notify the appropriate parties. Depending on what information was stolen, you may need to notify customers and law enforcement.
  3. Investigate what happened. Conduct an internal review or hire an agency to find out what went wrong.

16. Stay up to date with your cybersecurity.

A cybersecurity program can protect your business from malware and other threats. Look for a paid program that can secure your network and every device on it. The money you spend is well worth it, as a breach could cost you much more. Once you have your cybersecurity program in place, install all updates immediately.

For example, in recent years, machine learning tools have been successfully used to stop spear phishing attacks. The money you spend to protect your staff from exposure to phishing and other extortion attempts will be a good investment.

Did You Know?Did you know

The 2017 Equifax breach, which affected 143 million people, occurred because the company failed to update Apache Struts, according to sources who spoke to Bloomberg.

17. Run regular cybersecurity audits.

The nature of cybersecurity threats changes constantly as new attack vectors are identified and exploited. Run a cybersecurity risk assessment at least once a year to check that your previous assumptions are still true. Ask yourself whether the ways you currently deal with them are effective. 

For newly identified threats, use the same approach to identify what’s valuable and vulnerable to those threats and the best way to defend it with your technological and human firewalls.

Types of security risks businesses face

Businesses face many types of threats, including ransomware, phishing, data leaks, hacking and insider threats. Here’s more about some of the threats businesses face: 

Email phishing scams

Phishing is an attempt to trick users into revealing sensitive data. It usually involves an email designed to look like an official communication from a legitimate, reputable company, but the email asks the recipient to log in to an account or share information to supposedly prevent something drastic from happening. This information then goes not to the reputable company but to the bad actor. You’re best off not responding, no matter how legitimate the email looks.

To determine whether an email is a phishing attempt or a legitimate communication, check the email address that sent it. It’s easy to not think of doing so when you receive concerning emails, but the one second this takes can strongly protect your business. And if you’re not sure whether the email is legitimate, call the company that allegedly sent the email. 

Device and computer hardware theft

Research from the University of Pittsburgh found that about 1 in 10 laptops will be stolen, and 98 percent of those will never be recovered. A stolen laptop, if not password-protected, gives anyone who uses it full access to your information. 

This security threat is easy to avoid: Always keep your password-protected laptop with you or within sight.

Unauthorized network users

When you password-protect your Wi-Fi network, you block hackers from stealing your information. That’s because computer-savvy unauthorized network users can access any information, including credit card numbers and passwords, that you transmit via your Wi-Fi network. 

TipBottom line

Use a combination of strong passwords, multifactor authentication and endpoint security to help prevent security breaches.

Understanding cybersecurity insurance

Many small and midsize businesses now include insurance in their cybersecurity budget. There are many options, and most business owners choose either cyber liability insurance or data breach insurance. Note that these are different from general cyber insurance policies.

Here’s a quick guide to what each type of policy covers:

Coverage

Cyber liability insurance

Data breach insurance

General cyber insurance

Electronic data breach

Varies

Yes

Yes

Data theft or loss not from computers, like printed documents

No

Yes

Varies

Business interruption due to a cyber event

Varies

No

Yes

Cyber extortion, like ransomware

Varies

No

Yes

Cost of notifying affected parties

Yes

Yes

Varies

Reputation damage mitigation PR

Yes

Yes

Varies

Legal advice costs

Yes

Yes

Varies

Data recovery costs

Varies

Varies

Varies

Legal defense costs

Yes

No

Varies

Settlements or judgments 

Yes

No

Varies

Regulatory fines for noncompliance

Yes

No

Varies

Liabilities from network security breaches

Yes

No

Varies

To choose the policy that’s most suitable for your business, you need to run your own internal cyber insurance risk assessment. You’ll be able to reuse much of the information from the risk assessment you carried out prior to implementing your company procedures.

In your initial risk assessment, you already identified your key assets and major threats. Also keep these considerations in mind:

  • Electronic data theft: If your business is prone to electronic data theft or loss, a cyber liability insurance policy could provide the level of coverage you need.
  • Nonelectronic sources: If you print documents or store data on other nonelectronic sources, data breach insurance is likely the best option.
  • Regulations: If you handle a lot of third-party data or are in a heavily regulated industry, cyber liability insurance might be the most suitable choice.
  • Cost versus protection: If you’re looking for broad protection, a general cybersecurity policy should be fine. Make sure it protects you against as many scenarios as possible, and note that many of the cheapest options provide very little protection.
  • Reliance on online solutions: If the vast majority of your business is conducted online and you rely on software to run your company, look for insurance with high levels of business interruption and cyber extortion coverage.

Giving your business maximum protection

Preventable security issues have brought down many small businesses. Although you can’t eliminate the possibility of data breaches or fraud, with the right security practices, you can reduce their likelihood and minimize the damage if one does occur.

Max Freedman contributed to this article. 

Mark Fairlie
Mark Fairlie, Senior Analyst & Expert on Business Ownership
Mark Fairlie has written extensively on business finance, business development, M&A, accounting, tax, cybersecurity, sales and marketing, SEO, investments, and more for clients across the world for the past five years. Prior to that, Mark owned one of the largest independent managed B2B email and telephone outsourcing companies in the UK prior to selling up in 2015.
BDC Logo

Get Weekly 5-Minute Business Advice

B. newsletter is your digest of bite-sized news, thought & brand leadership, and entertainment. All in one email.

Back to top