Six Steps to Protect Your SMB Against a Data Breach

Image

The number of data breaches increased 27.5% in 2014, making measures against these types of security incidents increase significantly among large companies. What about small businesses? Do they really stand a chance against hackers and security incidents? Being a small company might make you think no hacker will bother stealing your data. But, just because you’re small doesn’t mean your information is safe. What would happen if your office caught on fire, and you had no backup (or you kept the backup in the very same office)? What if someone breaks into your office and takes all the computers and storage media? What if a disgruntled employee starts deleting all of your files? Think again. Could you imagine where your business would be without your client information, years of product development, notes, documents, etc.? Probably not... without all of this data, small businesses would likely go bankrupt. So, here are six steps to protect your company:

1. The Backup

Doing regular backups of all your data helps you protect it not only in case of theft but also if someone has changed some of your files in an inappropriate way. For most companies in the IT services industry, it is enough to have your data and your key employees available, and you can continue doing the business in any other office, or even from home. However, just producing the backup won’t help – you have to place the backup media (a tape, a disk, or similar) in some distant location; in the last couple of years, cloud services like Dropbox or Box have proved to be even better solutions than having the physical backup media. Just make sure you don’t give access to this backup to everyone.

2. Access Control

You have to think hard about who will have access to which data in your company, and this has to go further than limiting access to payroll. For each type of information, you have to consider whether it is really necessary for each employee to have access using the “need to know principle," meaning if some employees don’t really need access to certain documents in order to do their jobs, then restrict access to this information. This access control is actually easy to implement – if you’re using SharePoint, Box, or similar systems, they already have built-in ability to allow access to employees on an individual level; you can even achieve the same result handling the shared folders on Dropbox. There is some data only the owner of the business should have access to, such as the backup

3. Physical protection

You should stop potential offenders from being able to reach your IT equipment and media in the first place by locking your office and alarming it. If you store some very sensitive information in your company, consider using a notification system in case of an incident, and also a security guard. However, you should also protect your mobile devices (e.g., laptops, tablets, mobile phones, etc.) when taking them outside of your office – such devices should be either with you all the time, or must be stored in a facility with no public access. This room or office must be locked when no one is present.

4. IT security

Things like anti-virus software and firewalls are everywhere now, so I’m quite sure you already use them. Are you sure they are maintained properly? When was the last time you updated your anti-virus software? Are you sure your firewall is configured so that it lets through only the traffic that is safe? You can also take your IT security a few steps further:

• Set your computers to auto lock with password if not in use for 5 minutes – this way, if an employee leaves their computer, no one will be able to access it.
• Avoid using USB flash drives – they are the best way to get your computer infected because often times anti-virus programs cannot detect such malicious code.
• Make sure you protect your mobile device with a good password. Otherwise, in the event it gets stolen, the thief would be able to access your email, change passwords to your cloud services and consequently, access all your data stored in the cloud.
• Use password managers, which will enable you to save passwords for your different services and applications. If you used the same password for all of them, the breach of only one password enables the criminals to access all of your accounts; password managers also enable you to use complex passwords for each of your services. And yes, those password managers are available for mobile devices, too.
• Use VPN service for connecting to the Internet, so that your passwords and other sensitive information are protected when transferred over the network; this is especially important if you’re using a Wi-Fi connection that you cannot fully trust.
• Use 2-factor authentication when connecting to important cloud services like Gmail, Dropbox, or similar – even if someone steals your password, he or she wouldn’t be able to access your sensitive information. These 2-factor authentication systems can work together with your phone (by sending you a text message), or with special USB keys, without which access to a system wouldn’t be possible.
• Encrypt the data stored on your hard drive. If it gets stolen, the thieves won’t be able to read it; you can also encrypt data stored in a cloud – there are some specialized cloud companies offering this kind of service.
• Update your software – you should do this regularly, as soon as a security patch is published. The best route would be to set-up automatic updates.

And, to ensure that all employees are complying with these methods, you should develop an information security policy or acceptable use policy, which would ensure everyone in your company really understands what is expected of them.

5. Managing people

The first and most important rule is: be careful who you hire. An experienced IT administrator can delete your whole client database in less than a minute, or bring down your website in a matter of seconds. You should always run a background check for candidates who will work with your most sensitive data. The second most important thing is to make your employees aware of potential security threats and how to cope with them. Here are a couple of topics for such awareness sessions:

• Never, ever give your password to anyone.
• Don’t install every program you come across on your computer or mobile device – some of this software, disguised as a nice game or utility program, is made with the sole purpose of injecting a virus onto your computer.
• Disable your Bluetooth connection because it is very unsafe and disable the Wi-Fi network on your mobile device when you’re not using it.
• Do not leave your computer in a car.
• Do not leave your computer unattended in public places like airports, toilets, public transport, conferences, etc.

6. Get certified

More and more companies are offering their services over the Internet, so more clients want their information to be protected. To assure clients that their information is safe, and to attract new clients to whom security is important, you can get a certificate that proves you are safeguarding their information properly. Getting certified also enables you to get the methodology for information security implementation, so you’ll know exactly where to start from. To maintain the certificate, you’ll have to make sure all of the safeguards really work.  

Image

About the Author: Dejan Kosutic leads the 27001Academy.com team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits and books. Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.