How to Protect Your Small Business from Data Breach

Cybersecurity has become an issue that impacts businesses of all sizes across many industries in today’s cyber-threat landscape.

While ten years ago hackers targeted large retailers and organizations like Target or Yahoo! hoping to capture large amounts of salable data with a single network breach, today they often target small retailers and service providers.

The overall cost of a single data breach averaged more than $4 million in 2018, and those costs are likely to continue to grow.

Small retailers and franchises such as gas stations, restaurants, and hotels continue to be victims of data breaches in increasing numbers, indicating that no business is too small to be a target.

In this article, we’ll cover how and why data breaches happen to small businesses, and then we’ll explain nine best practices they can follow to avoid being hacked.

Image | Pixabay

What Is a Data Breach?

A data breach is any unauthorized release of private or valuable data.

The classic data breach that we often hear about in the news is a network attack.

Outside hackers, sometimes sitting safely on the other side of the globe, gain access to a company’s network and transfer stolen data to themselves over the internet. Hackers can also disable a company’s IT systems out of spite.

Data breaches sometimes happen when insiders steal data and release it, too.

The most common actors?

A disgruntled or recently fired employee, or a third party contractor who either accepted a bribe or didn’t have good security measures in place and has become a point of entry by an outside criminal to steal company data.

The third way a data breach happens is inadvertently. Sometimes IT staff or other employees leave data exposed to public view on the internet.

Another example is when employees forget a company laptop in a public place or when it’s stolen.

These breaches happen because of inattentiveness and poor security policies.

How Do Data Breaches Happen?

The question on every cybersecurity professional’s mind is “How can a data breach happen?”

It’s a difficult question because it has many answers, and it’s difficult to guess them all in advance.

Data breaches often happen because security policies and personnel do not see a way criminals could breach their security.

That said, there are several common ways hackers break into private business (or personal) networks:

• Email phishing: This is the most common way company networks experience a breach. The main goal of phishing emails is to successfully steal employee credentials or trick them into downloading malware to their work computers. Hackers make employees believe a fake email is a legit business communication or an email from vendors. There’s always a small chance an employee will fall prey to this attack, so hackers send out a constant barrage of phishing emails to their targets waiting for it to happen. A single click is usually enough to get access.

Image | Pixabay

• Zero-day exploits: A zero-day exploit is a software flaw that hasn’t been discovered by its maker. “Zero-day” means the day they begin fixing the bug hasn’t come yet.
  For as long as an exploit remains known only to hackers, they can continue to use it to break into computer networks undetected.
• Drive-by downloads: Websites load many scripts that run in the background – mostly to serve ads in web browsers. When a malicious script is injected into ad placement networks, it can use exploits to install malware onto the computer without an employee’s knowledge.
• Social engineering attacks: Social engineering is a fancy term for con-artistry. These attacks can involve impersonating company employees, police investigators, or customers during phone calls.
  They can also involve stealing employee badges and using them to access the workplace.

The Consequences of a Data Breach

A data breach will expose a business to many costs – financial, tangible, and intangible.

The immediate financial costs can take the form of lawsuits, fines, and contractual penalties if an investigation shows lax security caused the breach.

Customers are likely to file class-action lawsuits, and a company’s brand will suffer for years after a highly publicized breach.

Businesses that process credit card transactions for their customers are exposed to both regulatory fines and contractual penalties with the credit card vendors when customer payment data is stolen.

Banks that lose money to the subsequent financial fraud may pursue the breached company for liability.

Companies involved in the financial and healthcare industries are also subject to stringent regulatory requirements for securing the privacy of customer and patient records and financial information.

A failure to keep them secure will cause penalties that can cripple or bankrupt small businesses when combined with other costs likely to be incurred after a data breach.

A data breach can damage a business’s brand and finances enough to put small firms out of business, but the consequences can be dire when it happens to local and state governments.

The disruption caused to their IT systems can prevent government agencies from providing essential services to the community, as it did when the city of Atlanta was hit by a ransomware attack.

Ways to Avoid a Data Breach

Cybersecurity is difficult to implement for small businesses that can’t afford to add dedicated security professionals to their IT staff.

There are several rules of thumb that can make your business safer from data breaches, whether they result from insider fraud or outside hackers.

Image | Pixabay

1. Hire outside security consultants: If your company doesn’t have a security plan, the first step is to bring in consultants to help you create one. This option is less expensive than hiring permanent staff, and you’ll get a thorough security assessment and recommendations to follow.
2. Safeguard all data: Data breaches are not just network hacks. You should also assess the physical security of your data. Can criminals infiltrate your business? Can employees access sensitive records, either paper or electronic, and steal them? If you find data unsecured in any form, find ways to restrict access to it.
3. Store only data that you need: One way to minimize the damage of a data breach is to not have customer and employee data on hand when it happens. A good policy to have is to store only the data that’s necessary and discard it once it has served its purpose. An example is not storing customer transaction details after they make a purchase.
4. Train employees about common hacker tactics: Network security’s weakest point is your employees.
   Most data breaches begin with an employee falling for an email phishing attempt by clicking a link that installs malware or giving away their account credentials. When you have a security literate workforce, it’ll be harder for hackers to succeed.
5. Keep your software updated: The second most common way hackers breach private networks is by exploiting a software weakness to gain access. Software vendors release security patches frequently, and most times, you can configure your software to be updated automatically over the internet.
6. Restrict the use of portable storage devices: USB sticks are convenient tools for hackers to infect computers on a private network. Sometimes they will impersonate employees or contractors to gain access to your workplace and infect computers will malware by plugging in a USB stick.
   They may even drop them on the floor knowing that someone will plug it into a computer to check its contents.
7. Protect websites and networks with a security service: Security services help businesses defend their websites and networks against breaches. They constantly monitor their networks for suspicious activity and raise red flags immediately. Most breaches take weeks or months to execute, so quick intruder detection is key to stop network breaches in their tracks.
8. Encrypt all data transfers: Strong encryption exists today that prevents anyone from accessing data without special keys to decode it with. If you implement a robust encryption policy, hackers won’t be able to use the data they steal during a data breach.
9. Control administrative rights: Hackers need to gain full administrator privileges once they gain access to your network to steal your data. You can prevent a potential data breach by taking the security of your network administrator accounts seriously. Limit the number of admin accounts, give them only the privileges they need, and use strong passwords to protect them.

Final Thoughts

The frequency of data breaches and the high cost of becoming a victim makes it imperative that every company create a strong security plan and adhere to it.

While there’s no way to avoid a data breach, you can minimize any damage caused by it with proper preparation.

By consulting with cybersecurity firms and following a set of practical security policies, small businesses can keep their data secure. Those security policies include keeping software updated, ensuring networks are properly configured to prevent unauthorized access.

Never forget that your security is only as strong as your weakest link, and make sure you include employee training on cybersecurity as part of your strategy.

When your employees know how to steer clear of suspicious emails, and know good practices on keeping their business laptops safe when out in the open, you will reduce the likelihood of being a victim.

A solid security plan and the will to implement it is the key to secure business, large or small.