What Small Business Needs to Know About Information Security
Small businesses aren’t exempt from the risk of a security breach just because they’re small. In fact, a recent Forbes article noted that 20% of small to midsized businesses have been targeted by cyber crimes.
Small businesses face the same threat sources as larger enterprises. Threats can come from:
- Insiders like current or former employees, temp and seasonal workers, or partners.
- Cyber criminals looking to profit via data sale or ransomware demands.
- Business competitors searching for an edge.
Unlike their larger counterparts, however, small businesses face a unique challenge: they often lack the resources to effectively plan for and prevent threats.
“Small companies are at a disadvantage, because they lack the required budget and dedicated staff for security,” said Lawrence Pingree, a security analyst at Gartner, citing his own research, which found that most companies with fewer than 500 employees don’t have staff dedicated to specific security functions.
Beyond direct financial losses, the result can be reputation loss, legal action, and potential impact on partners and vendors. A 2014 cyber attack on Pennsylvania T-shirt maker 80sTees.com cost the company $200,000, not counting the transactions lost during the period when it had to stop accepting credit cards. And that figure is on the low side: according to the Ponemon Institute, the average cost for a small business to clean up after being hacked stands at $690,000.
What Information Needs Protecting?
Certain information – like credit card and bank account details – is an obvious candidate for protection. But don’t forget the following information, which can be exploited for profit or exposed through negligence:
- Personally identifiable information (PII) that can be used on its own or with other information to identify, contact, or locate a single person; this includes your employees’ personal information.
- Protected health information (PHI) about health status, provision of health care, or payment for health care.
- Information about or from your partners or vendors.
- Intellectual property, trade secrets, and other confidential data.
Small Business Information Security Recommendations
Here are seven recommendations – and additional resources – to help you secure your small business’s information:
- Inventory and protect your data. Identify what data needs to be protected, limit access to this data, and delete the data when it’s no longer necessary. Securely dispose of paper records by shredding.
- Establish a security policy. Your policy should cover password guidance, bring your own device (BYOD) usage, and threat reporting. Ensure everyone in your business – including temp and seasonal workers – reads and acknowledges the policy. The FCC provides a Small Biz Cyber Planner 2.0 to help with policy creation.
- Take care of the basics. Mandate and enforce the use of strong passwords, password-protect your Wi-Fi, protect mobile devices, use encryption, and back up your data.
- Provide education. You don’t need to create your own security awareness training curriculum. Vendors such as SANS, Lynda.com and InfoSec offer online courses regarding security best practices that your employees can access.
- Follow industry standards and best practices. Take a page from your bigger counterparts and learn from their efforts and experience. You may also want to check out the NIST publication Small Business Information Security: The Fundamentals.
- Take extra precautions with payments. Credit card information is arguably the top target for hackers, so make sure your business uses trusted and validated tools to process payments. Separate your payment system from other, less secure programs, and do not use the same computer to process payments and browse the internet.
- Use monitoring software to track your employees’ online activity.
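The “strong passwords” basic above is only enforceable if something actually checks new passwords against the policy. The following is an added example, not code from the original article or from any vendor it names: a small policy check a business could run when a user sets or changes a password. The policy values (12-character minimum, at least three character classes, a denylist of common passwords, and no use of the user’s or company’s name) are assumptions chosen for illustration, and the denylist is a constructed sample that a real deployment would replace with a full list of known-compromised passwords.

```python
"""Password-policy check for new or changed passwords (added example).

Assumed policy: minimum length 12, at least 3 of 4 character classes,
not on a common-password denylist, no 3+ identical characters in a row,
and no occurrence of context words such as the user's or company's name.
"""
import re

# Constructed sample denylist. A production check would load a large
# list of known-compromised passwords from a file instead of this handful.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
}

MIN_LENGTH = 12   # assumed policy value
MIN_CLASSES = 3   # assumed policy value: of lower / upper / digit / symbol


def character_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    present = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),   # anything else counts as a symbol
    ]
    return sum(present)


def check_password(pw: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means the password passes.

    context_words: names that must not appear in the password (user name,
    company name, etc.), compared case-insensitively.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password denylist")
    for word in context_words:
        if word and word.lower() in lowered:
            problems.append(f"contains context word '{word}'")
    # Same character three or more times in a row, e.g. "aaa" or "111".
    if re.search(r"(.)\1{2,}", pw):
        problems.append("contains a character repeated 3+ times in a row")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; none of these are real credentials.
    samples = [
        ("password", ()),
        ("Tr0ub4dor&3-Rides-Again", ()),
        ("AcmeWidgets2024!", ("Acme",)),
        ("aaa111BBB!!!", ()),
    ]
    for candidate, ctx in samples:
        result = check_password(candidate, ctx)
        status = "OK" if not result else "; ".join(result)
        print(f"{candidate!r}: {status}")
```

Run the check at the moment a password is set, on the value the user just typed, and discard it afterwards; the business should never hold a list of plaintext passwords to audit later. The denylist check is the part most worth investing in, since a long, mixed-class password that is already in a public breach list gives no real protection.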
Information security breaches are likely to be more than just a cost or a loss of revenue for a small company. The U.S. National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses for six months after a cyber attack.