Data security best practices every small business should follow

Small businesses take heed: Some hackers are using small businesses as an entry point to larger companies.

For example, the successful attack on Target was through an HVAC company. It’s no longer just about your own data security. Today, small businesses must also be able to placate their new business prospects, clients and customers’ security concerns by demonstrating their own security.

What are potential security holes that small businesses should consider? And how can a service-based small business shore up those holes?

Part of the answer is “technology.”

But it’s equally about the business practices, like identifying relevant compliance requirements, ensuring you have the expertise — either in-house or from an outside firm — and communicating all of this to your customers and prospects.

Security holes to plug up

• Protecting data. Use encryption both for transmission and storage, and make user permissions are set so that only the appropriate people can read, add, change or delete data (or fields within data records) within your records. Also consider implementing DLP (Data Loss Prevention) tools, which can monitor what data is trying to go where, and block unauthorized data flows. For example, is someone trying to email files to a non-employee, download them to a flash drive plugged into the USB port of an employee’s computer, or upload them to a web file-sharing site.

• Restricting access. Don’t just look at stronger passwords, also consider two-factor authentication (e.g., having a code texted to the user’s smartphone), for out-of-office staff and for admin-level tasks.

• Have audit trails. This should apply to anyone who uses your devices, across all data access points and for all admin changes to software and systems.

• Be physically secure. Make sure any on-site servers and storage are not in site, and are kept behind a locked door.

• Protect your IT from cyber-attacks. Configure and maintain security software including firewalls, anti-virus/anti-malware, and web and email filtering. Cloud-based security can help here, especially for smaller companies. Also consider shifting key business apps like email and financials to cloud-based services, for better security.

• Secure all WiFi. Networks at your office(s) should be secure.

• Train and encourage employees in basic IT security. Put together basic guidelines, including regarding appropriate use, and have employees read and sign them.

• Do regular backups offsite, to a cloud service.

Acquiring the expertise, resources (and time) for security

While most security tools should be running automatically, few small companies have the in-house expertise — translation: staffing and budget — for security expertise. Even a medium-sized company that can afford an IT person to manage basic ongoing security tasks is unlikely to be able to afford a security team with the full range of expertise that’s needed today.

Your best bet: Look for one or more outside IT security firms to work with you. They should:

• Help you map out your current IT environment (systems, devices, applications, etc.)

• Determine what security areas and levels are mandated for your industry and activities.

• Identify the areas of potential security risk, e.g., on-site, remote, mobile and cloud systems and services.

• Recommend appropriate security software, services and settings; help you with purchasing and any installing, integration and configuration.

• Help with employee training, and fulfilling any regulatory reporting requirements.

• Be available to help in the event of data breaches or other security “events.”

Again – for small companies, outside security experts are your best bet to get the expertise you need, at affordable prices. Without proven security, your data is at risk, and customers will be uneasy. With your data properly secured, you can go about your business with greater confidence.