By: Linsey Knerl
Content provided by America’s SBDC. Originally appearing on Nav.com.
Most consumers today have been a victim of theft. While not everyone has had the harrowing experience of a home burglary or stolen car, a compromised email password or Social Security number has affected almost everyone. The FCC reports the theft of digital information has surpassed that of physical theft in the U.S. to become the most rampant type of fraud today.
As a small business owner, your risk is even greater. Any commercial task you conduct through the internet is especially prone to exposing your customers to this often-devastating criminal activity. How then, should a responsible company approach cybersecurity? Here are some of the best practices that wise entrepreneurs are implementing today.
Understand the Value of Data
While no single piece of stolen information can be damaging on its own, fraudsters are experts at aggregating data to create whole online “personas” that can then be used to make purchases, wire money, or even claim benefits. An email here and a password there can result in a major headache for customers, if in the wrongs hands.
While it usually takes a couple of pieces of info to do major damage, even credit card numbers without the accompanying security code (the 3-digit number on the back of VISA/Mastercard and the 4-digits on the front of AMEX), can be used in “no card present” transactions. Because of the potential for harm to your customers, it’s wise to treat every single bit of data as sensitive. Don’t allow customer info to be shared, stored, or used in anything but a secured environment.
Train your Employees
You are only as secure as your most careless worker. Shared passwords, log-in info, or even desktops should be discouraged. Keep each employee accountable for their own tasks and data trails. Know where and when info is being accessed. Also, all employees should understand the ramifications of properly securing data, even if they don’t deal with it during the course of their workday. Have an easy process for reporting suspected data breaches, and regularly update workers on best practices – as well as new security concerns that could affect the company.
Don’t Skimp on Security
Even the small company with just a few computers needs to invest in solutions that are secure. Consider hiring a professional to implement a security protocol and ensure networks and devices are properly secured and maintained. Set up reminders to update tools regularly, and avoid using “freeware” or unproven software products for your firewall, antivirus, and browser protection. Recognize the difference between the types of risks, such as malware, spyware, viruses, and ransomware.
Take Security on the Road
If you have road warriors working for your company, ensure they know the drill for connecting to public wi-fi and using computers at hotel business centers. Know the difference between working on a secured “intranet” and standard “internet.” Regularly check work laptops and phones for malicious programs and apps, as part of a work device maintenance program. Have conversations with your team about what’s acceptable to discuss in public (on a cell phone call, for example) and what should remain in the boardroom.
Backup, Backup & Backup Again
If you had a qualified and dedicated IT, team, they should be performing weekly (if not daily) backups of your data. Ask about what options are available for backing up information to both physical drives and the cloud. For smaller companies with just a few computers, it’s still necessary to create a means for retrieving data in a computer crash, power loss, or service outage. Look at creating a plan that keeps data both secure and accessible for when the worst happens.
Get Serious About Social
Have you heard of social media cyber-vandalism? It’s a new but scary occurrence of a hacker getting control of a business’ social media account and using it in an unauthorized manner. Not only can this type of cyber-hijacking cause damage to your brand’s reputation and messaging, but it can also put customer and fan information at risk. The SBA has created a comprehensive guide for how to prevent cyber-vandalism on platforms such as Twitter, Facebook, Instagram, and more. The basic standards for securing your accounts include:
- Create a team to develop, execute, and respond to social media communications and issues
- Understand each platform and the limitations
- Implement and communicate best-practices for each platform
- Utilize two-step authentication, when available
- Use templates and pre-approved messages, when possible
- Regularly monitor accounts for suspicious activity
- Recover compromised accounts promptly by working with social media teams, platform customer service, and your own internal security stakeholders
While a compromised social media account can be embarrassing, and sometimes damaging to your company’s sales or reputation, a quick and efficient recovery plan can make all the difference.
Consider Insurance
What if, despite your best efforts, you do experience a security threat? Fortunately, you are not alone, and there have been developments made in the ability for small businesses to get on track. One of these opportunities is through insurance coverages. While most companies have insurance plans that cover liability and some types of damages, standard plans often don’t protect against cyber-attacks. Specialized cyber insurance is the only way to recoup damages from cyber-attacks. Despite this fact, however, only 21% of small US companies (fewer than 250 employees) have invested in cyber insurance – compared to 58% of larger companies. Ask your insurance agent if this type of coverage is appropriate for your business.
What to Do If You’re Targeted
The cost associated with cybercrimes is high, and both the FCC and the SBA have dedicated significant resources to ensuring that today’s businesses are prepared for the newest cybersecurity crime (whatever they may evolve to look like.) If you find yourself the victim of a crime, inform local police, as well as your state attorney general right away. Stolen finances or identities should also be reported to the IC3 unit, and fraud should be brought to the attention of the FTC. Hopefully, your report can help others avoid a similar incident.