From credit card numbers to addresses and phone numbers, businesses typically collect and store a variety of customer data. If this information becomes compromised, however, businesses can pay a big price. “If your customers don’t have trust in your company and don’t think their data is being handled properly, then they’re going to go somewhere else,” said Robert Lowry, vice president of security at BeenVerified.com, a public data company. You could also suffer financial losses due to business disruption, legal fees and lost data.
Although data breaches that affect large, well-known companies often make the headlines, almost a third of data breaches involve small businesses, according to a 2020 report by Verizon. If you’re ready to start prioritizing security, follow this advice from experts on how to keep your customer data safe.
Perform a data flow analysis
It’s important to know the lifecycle of your customer data so that you can understand how it makes its way into your systems and where and how it is stored. “I call this a data flow analysis,” said Lowry. “Knowing all the places where your data exists and how it’s being protected is an exercise worth going through and thinking about.”
Practice the 'principle of least privilege'
Giving employees the minimum levels of access or privilege needed to do their job (called the “principle of least privilege”) has several advantages. It can prevent workers with malicious intent from accessing systems or information outside of their job function, and if an employee’s credentials are compromised, the hacker can only gain that employee’s privileges.
“I’m the CEO for my own company and I don’t have certain access rights simply because I’m a target for hackers, who think I have the keys to the kingdom,” said Caroline McCaffery, CEO and founder of ClearOPS, a privacy tech company. “If I don’t need the access, there’s no reason to put me on it because of the risk.”
Minimize data collection
The more data you collect and store, the more data you’re responsible for protecting. “If you don’t need the data now, don’t collect it and store it just in case you might need it someday,” said Lowry. “If that data were to ever be hacked and leaked, it could be a liability.”
Educate your employees
You can help protect your business by educating your employees on how to recognize cyber threats. For instance, employees should learn how to spot phishing scams—fraudulent emails that look like they are from a reputable source. Phishing emails typically try to trick the user into clicking a link so that the sender can steal sensitive information such as passwords or credit card information. “Employees should also learn how to report a phishing scam to your IT person or department,” said Lowry.
Your workers should also be taught to regularly update their tools and operating system to keep themselves safe. Hackers are great at spotting software vulnerabilities, and software updates can fix security holes that have been discovered.
There are several free or low-cost resources available online to help provide security training to employees if you have a limited budget. For instance, the Small Business Administration offers an online cybersecurity training course for small businesses.
Use two-factor authentication
Two-factor authentication offers an extra layer of security for websites or applications that contain sensitive data. The user must present two authentication factors to verify themselves and gain access—usually a password first, and then a second factor such as a security token or biometric factor (for instance, a fingerprint or facial recognition).
“If someone gets ahold of your password, two-factor authentication will protect you from being hacked,” said Lowry. Some two-factor authentication providers include Authy, Duo and Okta.
Set up a VPN
A virtual private network (VPN) gives you and your employees a secure connection to the Internet. When you connect to the VPN, all of the data you send and receive is encrypted (or scrambled), so hackers who intercept it won’t be able to read it. VPNs can be particularly important when employees work remotely from unsecured networks, such as a coffee shop or airport. “A VPN can help you control who’s accessing your network and make sure no other eyes are seeing your information,” said McCaffery. VPN providers to consider include NordVPN and ExpressVPN.
Use a vulnerability scanner
Vulnerability scanning tools can scan your network and applications for weaknesses that could potentially put your business at a security risk. “A lot of breaches actually happen due to a vulnerability that didn’t get fixed,” said McCaffery. “It’s a fairly easy thing to do as a business and you can run the software yourself—you don’t need a third party to do it.” Popular vulnerability scanners include those by Nessus and Qualys.
Back up data
Your business’s data is its most important asset, but what happens if an unforeseen event causes that data to get lost, such as a fire or a cyberattack? Backing up can help protect your data even if disaster strikes. While external hard drives are an option, backing up to the cloud allows you to access your data anytime, anywhere. Some cloud solutions to consider include Acronis and IDrive.