For a business of any size, customer data is an especially critical asset, offering insights into consumer preferences that can guide business owners on everything from their marketing messaging to their merchandising strategy. But if your customer data isn’t properly protected, you can be vulnerable to attacks that could damage trust with clients, leave you liable to legal action and potentially spell the end of your business. We spoke with Michael Markulec, Partner & Co-Founder of cybersecurity consultancy Harbor Technology Group, to learn about the steps small business owners can take to secure their data. Read on for his tips.
While you might think that the majority of cyberattacks happen to big companies with larger stores of data, 58 percent of all cyberattacks actually happen to small businesses, according to the 2018 Verizon Data Breach Investigations Report. According to research from the National Cyber Security Alliance, 60 percent of hacked small and medium-sized businesses will go out of business within just six months.
What are the common causes of data breaches? A major one that Markulec cautions against is business email compromise, or what he calls “the Nigerian prince email on steroids.” These email scams target employees and try to get the recipient to transfer funds to a non-recoverable account. Phishing emails have become more savvy in recent years, using social engineering to mimic the names, lexicon and topics of discussion typical of your inbox.
“It could look like a vendor who sends an email to a design firm that says, ‘Hey, we’ve changed our bank, wire the money to this account,’” he says. “Once that money has been wired, it’s lost.”
There’s also ransomware, a type of malware that can pop up when you click on a compromised link. It prevents you from accessing your files and demands a ransom payment to regain access. Markulec recommends getting cyber insurance, in part so you can pay up if you absolutely have to.
Protecting Your Data
When it comes to protecting your business’s data, Markulec stresses that crossing your fingers and hoping you won’t get hit with an attack isn’t a viable strategy.
His first point of advice is to train your employees on cybersecurity, since most breaches are ultimately the result of human error, and cyber awareness training is inexpensive compared to the cost of a single breach. To Markulec, proper training isn’t a one-time thing.
“Training is no longer PowerPoints and donuts,” he says. “It needs to be reoccurring, it needs to be engaging and it needs to be tested. In the cyber world, we like to do 3- to 5-minute short video trainings once a month, and then we reinforce that with simulated phishing to see who clicks on bad things.”
His second tip is to regularly back up your data. A proper backup strategy involves three copies: the one you’re currently working with, one that’s backed up to a local server or storage device at your workplace, and one that’s offsite somewhere like the cloud or at a separate facility. If you’ve backed up your data, you can avoid needing to pay up in the event of a ransomware attack, and you can get your systems up and running fairly quickly after a breach.
Third, Markulec recommends investing in strong endpoint protection, or what used to be called anti-virus protection.
“If you do those three basic things: train your employees, back up your data and run good endpoint protection, you’re better than 87 percent of the people out there. You may not be the fastest gazelle, but you’re not the slowest one anymore,” he says.
He adds that password control is also key, noting that passwords should never be repeated or reused. Password management systems like LastPass, Dashlane and Keeper can store complex passwords in encrypted form for heightened password security.
In the unfortunate event that you experience a breach despite these measures, it’s crucial to have an incident response and disaster recovery plan in place. A breach doesn’t have to be the end of the world, and you can bounce back if you have a plan. If you’re ever unsure if you’ve been hit with a breach, contact your cyber insurance provider for guidance.
While cybersecurity can be overwhelming at a time when threats are constantly evolving, making the effort to get your staff up to speed and protect your networks is worth it, and taking a proactive stance ultimately doesn’t need to come at a great cost to your business.
“One thing I would tell small- and medium-sized businesses is that this doesn’t have to cost a lot,” Markulec says. “It’s really not about spending more money. It’s about doing some of the simple things right.”