We’ve all seen the headlines about major data breaches and hackers attacking our favorite retailers, hotel companies and even cars. But it’s not just large businesses that are susceptible to attacks; 60 percent of targeted attacks in 2014 impacted SMEs and the trend is expected to keep going as many small businesses continue to underestimate their risk level. Yes – a startling 82 percent of small business owners say they’re not targets for attacks, because they don’t have anything worth stealing. Think again. Data breaches or mishandling of private data can lead to a lack of trust from consumers, partners and suppliers and easily shut down your business.
To help get your business #PrivacyAware right in time for Data Privacy Day, consider the following key questions:
- How can I best protect the data of my home-based business?
You need to take a risk-based approach to protecting data in your home business. This approach is based on fully understanding the digital assets you have: where they are stored, what you are doing to protect them, how you would know if something happened to them, and how you would respond and recover if for some reason that data were lost or no longer available for you to use because of a data breach or compromise.
Another important thing to remember: if you are in a home-based business and the computer is being used by multiple people, you need to ensure you are doing everything you can to segregate that data ‒ either by giving each person a different user account or by passcode-protecting certain files to ensure that others cannot gain access to them.
- What data do criminals most seek?
Typically, cybercriminals are looking for personally identifiable information. They are looking to gather lists of names, addresses, phone numbers, emails ‒ basically, whatever they can get that might help them compile an “identity” about someone. Obviously, richer data ‒ for example, things like Social Security numbers ‒ is even more valuable to cybercriminals. However, in the case of smaller businesses, cybercriminals might also be looking to steal credentials such as logons and password information. They do this for a couple of reasons. One is to perhaps get into your business’s email and send phishing emails to your customers. Phishing emails try to get the recipient to click on links that they shouldn’t, so that the sender can gain access to your customers’ computers and basically spoof you, making it look like that email actually came from you. Or, they may be stealing credentials that directly access important information, like bank accounts, so they can steal directly from you as well. So, really, there are a few different areas that cybercriminals are interested in.
- What might be some warning signs/red flags that my business is being targeted?
It’s hard to say. You are not going to see your business on a list of highly likely targets. You have to look at it as more of an internal and a risk management issue to address and solve. If you have lots of personal information about people, you can be a target. If you are a B2B kind of business, there is a likelihood that you could be a target. If you are a customer of a larger-sized business, or a larger-sized business is a customer of yours – that might be a data-rich environment – then you could be vulnerable as well. It’s really hard to know that you’re a red flag. Some other indicators might be if you have a website that is not secured with HTTPS; that could make you more susceptible to having your website attacked and possibly used for malware, or to someone getting in between you and your customers and stealing information. So, really, you have to assume that your business is somewhat at risk and be sure to take the necessary steps to protect it.
- I don’t have anything to hide; why should I be concerned about this?
I hear a lot of small- and medium-sized businesses ask, “Why would I be a target? I don’t have anything to hide.” It’s critical to understand – especially for a home-based business – that if you are running a computer, then you are a target. You may be a specific target, like someone is coming after your business with the sole purpose of stealing something that you have. Or, you could end up being a target accidentally by going to a website that has a download of malware on it that gets on your computer and then starts transmitting information from your computer to the bad guys. It’s only then that the cybercriminals realize that you are indeed a business and identify what they can get. So, often you are not being targeted directly, but you could be a victim of a malicious attack that is being perpetrated through, for example, a vulnerability in a piece of software that you might be running that makes your system more susceptible than somebody else’s.
- How can I get the people who work for me to implement better privacy/security practices?
Operate by creating a culture of cybersecurity and privacy in your business. This doesn’t mean that you have to have a policy binder with hundreds of pages explaining what everyone has to do to comply with your policies. But it does mean that you have to communicate to the people that work with you – including your vendors and contractors – the importance of security and privacy to your business. This includes their role in protecting it, which means things like being safer when logging onto wireless networks, making sure that data is backed up, using good passwords and turning on multi-factor authentication. You need to communicate to your team the things that you expect them to do and the way that they should be good custodians of the data that is entrusted to you by your customers. When a customer gives you their personal information, the expectation is that you are going to protect it. No one wants to violate that trust between the customer and the business. Some other good practices – talking to your employees on a regular basis, having a “brown bag lunch” to discuss security and privacy, and hosting training sessions – are also great ways to establish and reinforce this kind of culture in your organization.
- How can I best protect my customers’ information?
This goes back to the risk management approach. You need to start with a couple of things. You must know what customer assets you have, where that information resides and where it’s going, for example, if you have to email it to someone else. Basically, you need to understand what you are doing while the information sits on your system, and how to protect that information while it’s there, while it’s in transit and, then, when it is on the new system. This means implementing some of the basics, like ensuring that all software updates are taking place in both the PC and mobile environments, as well as being sure you have thought about who has access to that data. Businesses must identify the best people to have access to that personal data. Other smart security practices must be in place, like using good passwords, making sure multi-factor authentication is turned on, and that computers are backed up in case of a cybercrime or if information is lost. So, you are really taking an approach of knowing where that data is at all times and clearly identifying what you are doing to protect it.
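The first step in both the home-business answer and the customer-data answer above is the same: know what personal data you hold, where it sits, and whether other people on the machine can read it. The script below is an added example written for this page, not code from the article or from any organization it mentions. It walks a folder, flags text files that contain email addresses, phone numbers or Social Security numbers, and reports whether each file is readable by accounts other than its owner. The regular expressions, the list of scanned file types and the sample folder it builds are all constructed for the demonstration; the patterns are heuristics, not a complete data classifier.

```python
import re
import shutil
import stat
import tempfile
from pathlib import Path

# Heuristic patterns for the kinds of personal data the text names:
# email addresses, US-style phone numbers and Social Security numbers.
# Constructed for this example; they are deliberately simple.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Only plain-text formats are scanned; anything else is skipped.
TEXT_SUFFIXES = {".txt", ".csv", ".md", ".log", ".json"}


def classify_file(path):
    """Count matches of each PII pattern in one text file."""
    try:
        text = path.read_text(encoding="utf-8", errors="ignore")
    except OSError:
        return {}
    counts = {}
    for name, pattern in PII_PATTERNS.items():
        hits = len(pattern.findall(text))
        if hits:
            counts[name] = hits
    return counts


def inventory(root):
    """Walk `root` and list every text file holding PII, with a flag for
    whether users other than the owner can read it (the shared-computer
    point above: data that should be segregated but is not)."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        counts = classify_file(path)
        if not counts:
            continue
        mode = path.stat().st_mode
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "pii": counts,
            "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        })
    return findings


def build_sample_dir():
    """Constructed sample data standing in for a home-business folder."""
    root = Path(tempfile.mkdtemp(prefix="pii-inventory-"))
    customers = root / "customers.csv"
    customers.write_text(
        "name,email,phone\n"
        "Ann Example,ann@example.com,555-123-4567\n"
        "Bob Example,bob@example.org,555-987-6543\n"
    )
    customers.chmod(0o644)  # readable by every account on the machine
    private = root / "private"
    private.mkdir()
    payroll = private / "payroll.txt"
    payroll.write_text("Ann Example, SSN 123-45-6789, hired 2014\n")
    payroll.chmod(0o600)  # owner only
    (root / "README.md").write_text("Shop hours: 9-5 weekdays.\n")
    return root


def run_demo():
    """Build the sample folder, inventory it, clean up, return findings."""
    root = build_sample_dir()
    try:
        return inventory(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for finding in run_demo():
        flag = "EXPOSED" if finding["readable_by_others"] else "ok"
        print(f"{finding['path']:<24} {finding['pii']}  [{flag}]")
```

Run on a real folder by calling `inventory("/path/to/business/files")` instead of `run_demo()`. The output is the asset list the risk-based approach starts from: each file holding personal data, what kind, and whether it needs its permissions tightened or moving into a separate user's account. The permission check uses POSIX mode bits, so on Windows the `readable_by_others` flag is not meaningful.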