May 18, 2017

Why All Small Businesses Need a Data Security Policy – and How to Implement One

Small businesses often think they’re not big or important enough for information thieves to bother with... but that’s not what the research shows.

Close to half (43%) of cyber attacks on businesses worldwide in 2015 were against companies with less than 250 employees, up from 18% in 2011, according to the 2016 Internet Security Threat Report by Symantec. A 2016 Ponemon report on small business data security showed that 55% of respondents experienced a cyber attack in the previous 12 months, and 50% had data breaches involving customer and employee information.

In fact, most small and medium sized companies collect and store confidential data about employees, customers, and the company itself. Information thieves sell this kind of information on the dark web or use it to commit identity theft and other crimes.

For a small business, a data breach can come with crippling costs. According to Ponemon, the average cost of a data breach involving theft of assets cost these companies $879,582. Plus, after an attack, they had to spend an average of $955,429 more to get their business back to normal.

Here are the important steps to take to create an information security policy for small business.

• Take security seriously. Information thieves consider small businesses to be easy targets because many don’t take security seriously or budget for it. Develop a data security plan that provides clear policies and procedures for employees to follow. Create a culture of security in the workplace too, with security-driven processes and messaging.
• Assess possible risks. Identify all information assets that contain confidential information and conduct risk assessments to pinpoint physical and digital security vulnerabilities. Assess existing databases to see if any nasty bugs have gotten through. Establish a data management process to protect information from creation to disposal.
• Apply controls. Protect all devices that connect to the Internet – computers, smart phones, tablets and any web-enabled devices. Use firewalls and the latest security software, web browsers and operating systems, and keep them patched. Always scan USBs and external devices with security software. Use strong passwords too. Limit access to information.
• Manage mobile. Employees are increasingly storing business data on their mobile devices. Set up a security checklist for all mobile devices so they comply with data security policies. Encrypt all devices, avoid public Wi-Fi, and create a Guest Network in-house for customers or company visitors.
• Provide employee training. Best practices training will help reduce breaches caused by human error and phishing/social engineering attacks, which are common forms of attack.
• Embed security. Standardize security by embedding processes into the workplace. For example, partner with a document destruction company that provides locked consoles for storing paper documents that need to be securely destroyed. A Shred-it All Policy ensures that all documents are securely destroyed. Introduce a clean desk policy so confidential information is protected when employees are away from their desks. Monitor employee activity for unusual behavior that might indicate insider fraud too.
• Be prepared. Automate the process to back up data – and do it regularly. Store copies at another location. Create an incident response plan so that all employees know what to do if systems are compromised.

Start Protecting Your Business

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.