The digital revolution has swept up small and medium-sized businesses as well as large companies. Small businesses frequently rely on one or more types of software to keep track of customer information, handle sales, and perform other necessary daily tasks.
But while small businesses have rushed to embrace technology, they haven’t engaged as thoroughly with data privacy and security tools. According to Untangle’s 2019 SMB IT Security Report, 29 percent of small businesses spend less than $1,000 on IT security annually.
Small businesses may feel as if they don’t have the resources to contribute to data security, but the consequences of failing to address the problem before a breach occurs can be devastating. The average cyber attack can create losses of $200,000, Scott Steinberg at CNBC reports. That’s enough to bankrupt a small business.
That’s why small businesses need to prioritize data security. This starts with understanding how data-security problems emerge, what the legal repercussions are, and what tools are available for shoring up your data management.
The risk of data exposure or theft online isn’t a new concern. Billions of pieces of personal identifying information are currently available online as the result of security breaches, some of which have targeted large companies like Target and Marriott. Today, small businesses are a target for hackers primarily because they are a rich source of personal identifying information like credit card numbers and email addresses, says Scott Ikeda, Senior Correspondent at CPO Magazine.
Between 2017 and 2018, breaches of small business data security increased 424 percent, according to a study by 4iQ. These breaches added an estimated 3.6 billion new identity records to those already circulating online. The Verizon 2019 Data Breach Investigation Report found that 43 percent of all attempts to breach data security protocols over the past year were aimed at small businesses.
“We now know that small businesses are being targeted much more frequently than previously thought and that even relatively tiny businesses are now on the menu for sophisticated hackers,” says Ikeda.
One reason these businesses are increasingly popular targets for data theft is that hackers see small and medium-sized businesses as easier to breach, says Joe Galvin, Chief Research Officer for Vistage Worldwide. A small business is vulnerable precisely because its team seldom has the time or awareness needed to anticipate an attack, or the tools necessary to mitigate its effects.
A number of recent legal changes have attempted to address data security and privacy concerns. One of the most well-known is the European Union’s General Data Privacy Regulation (GDPR), which seeks to give EU citizens more control over their personal data.
While GDPR made headlines worldwide, many small businesses haven’t drawn a connection between GDPR’s requirements and their own operations, says Suzie Blaszkiewicz, Video Editor at Typeform. Blaszkiewicz points to a GetApp survey, in which 50 percent of small and medium-sized businesses said they were unfamiliar with the GDPR.
GDPR isn’t the only recent regulatory response to data privacy and security concerns. Several U.S. states have adopted privacy laws that parallel the GDPR. For instance, the California Consumer Privacy Act (CCPA) focuses on giving consumers more control over their personal information and penalizing businesses that experience data breaches when they haven’t complied with the CCPA’s requirements. Small businesses that familiarize themselves with the evolving regulatory landscape will have a roadmap to improved data security and compliance.
Then, on a more practical level, the FCC offers some simple steps all businesses can take to wall off unauthorized data access. Those include:
With such guardrails in place, small businesses can then begin to develop specific habits that will nurture an internal culture that prioritizes data security and customer privacy.
A majority of small businesses have embraced technology as a way to improve their daily work and reach business goals. For instance, a 2017 Capterra survey found that 56 percent of surveyed small businesses used customer relationship management (CRM) software to secure their customers’ information, and 68 percent had at least one piece of software dedicated to data and information security, says Tirena Dingeldein, a former Analyst at Capterra.
While dedicated security software is important, small businesses shouldn’t place their data privacy and security protections in the hands of a single piece of software or a single platform. Data is made secure through habits, processes, and internal knowledge.
Two good places to start: Password management and employee education.
Teach staff to create strong passwords. The federal Cybersecurity and Infrastructure Security Agency (CISA) recommends a number of basic steps for strengthening passwords.
For instance, says CISA, instead of using a dictionary word like “basketball” as the basis for your password, try using the first letter of each word in a memorable phrase or sentence. A sentence like “my kids love to play basketball” thus becomes “mkltpb”.
Then, insert capital letters, numbers, and special characters in a meaningful way. For instance, here you might replace the “t” for “to” with the number 2, capitalize the “b” for basketball, and add an exclamation point after the “k” for kids. The resulting password would be “mk!l2pB”, which is stronger than a password based on a standard English word — and also memorable because it is personal to the user.
CISA also recommends the use of password managers, encryption, and other technologies to protect passwords while also making it simple for your staff to access the information they need when they need it.
A password manager is like a notebook containing all your passwords, which is accessed with one master password, says Zach Whittaker, Security Editor at TechCrunch. Unlike a conventional paper notebook, however, the password manager can also generate strong passwords for various sites.
Password managers help staff avoid common password mistakes, such as trying to memorize passwords or reverting to the same password for all accounts, says Daniel R. Stevens at SecureThoughts.
When rolling out a password manager for your team, start by deciding who should have access to which functions. For instance, while it’s important for at least one person to have full administrator access, it’s not always necessary or wise to allow administrator access to everyone on the team. Asking one or two employees to test password management tools before sharing them with the entire company can help, as well.
Even when password managers are in place, small businesses should educate their teams on the most common methods used to attack passwords, says Stevens. For instance, staff should be taught how and why to avoid opening unsolicited email attachments: These attachments can contain malware that seeks and steals passwords.
Preparation is key to good data security. “Responding to an attack starts long before it occurs,” says Sam Bocetta, a former Security Analyst at the U.S. Department of Defense. “You should — if you haven’t already — put in place an action plan for responding to an attack. All staff should know what is expected of them if the worst occurs.”
Many of today’s business tools come with security options included. Making sure your staff know how to use these tools, and which threats each tool addresses, can make their use second nature. When your team understands the risks your business faces and why specific security procedures are in place, they will be more likely to adopt good habits when handling sensitive data.
Additional educational resources may be on the way, as well. In June 2019, a bipartisan team of senators introduced the Small Business Cybersecurity Assistance Act. The act seeks to offer more counselors and resources through federal Small Business Development Centers, focused specifically on helping small businesses meet today’s data security demands, say attorneys Joseph J. Lazzarotti and Maya Atrakchi at Jackson Lewis PC.
Raising your staff’s awareness of the risk of data security breaches can also help harness their creativity and insight into addressing the problem. For instance, by asking staff for their input, small businesses can more easily identify tasks or locations that are part of the business’s day-to-day work, but that also pose a security risk.