High-profile retailers have become the victims of a slew of recent data breaches, with hackers stealing incredible amounts of information. At Home Depot, for example, 56 million customer credit and debit cards were potentially compromised last year. Before that, Target took a major hit in 2013, as online thieves swiped data from 40 million of its customers.
But, experts believe, big-name companies and those who frequent them aren't the only ones who should be worried – the little guys are also vulnerable. "Hackers see small businesses as low-hanging fruit, not as being unworthy of their attention," says Kai Pfiester, owner of New Jersey-based Black Cipher Security.
In fact, a recent study released by Experian Data Breach Resolution and the Ponemon Institute found that 43% of all U.S. companies had experienced a breach in the last year alone. Needless to say, that's a lot of compromised data. What can you do to avoid becoming the next victim? Here are several steps to take.
Pick Strong Services
For many industry companies – regardless of size – improving data security comes down to choosing Web-hosting services and other online products that are established and trustworthy. "In most cases, if you do choose the right provider, you don't have to worry about security," says JP Hunt, vice president of sales and marketing for InkSoft, an Albuquerque, NM-based software developer. "There are economy and amateur solutions, but Web hosting is not the place to save money."
When choosing a Web host, it's best to find out up front which features are included in the monthly price and which aren't. It's becoming more common, for instance, for services to offer separate security packages. These add-ons usually provide frequent virus and malware checks, giving an extra layer of data protection.
Before you agree to any plan, though, be sure to ask if the service automatically contacts you if any suspicious activity is detected. This is a key factor in knowing that you've purchased not only a software program, but also a comprehensive service that will proactively inform you if something suspicious arises, rather than solely reacting to hack attempts.
Finally, only go with hosts that guarantee 24/7 phone and Web chat support from technicians, not basic support reps.
Use SSL Certificates
The most common method of protecting online data is to use Secure Sockets Layer (SSL) encryption technology. An SSL certificate lets a visitor's browser verify a site's identity and set up an encrypted connection, ensuring data is transmitted privately. You can recognize whether a site is using SSL if the Web address begins with "https," rather than simply "http."
Some SSL certificates will also add a green bar or tiny padlock icon to the browser to show the site is secure. SSL providers will often give out an emblem that can be posted on a website to show off its secure status.
In the past, the trend was only to use such certificates for sensitive pages that require data input because encryption slows sites down, Hunt says, but that's changing. "It's getting more exposure now," he says. "Many consumers are getting concerned about security and asking, 'Is this website safe?'"
Having a prominently displayed SSL certificate has become a marketing tool, too, according to Hunt. SSL certificates are available through some Web hosts, but also look to digital security companies such as Symantec.
Without question, SSL certificates are critical if you plan to sell promotional items on your website. As customers become savvier, research shows they look for markers to ensure their purchases are safe. As an example, a recent survey conducted by VeriSign showed 93% of online shoppers felt it was important for an e-commerce site to include a trust mark of some kind on its purchase page.
For companies that host their own servers, it's paramount to have a strong, commercial-grade firewall in place to help separate networks from the outside world, says Melissa Minchala, CEO of DataVelocity, a managed IT services and solutions company in New York. The cost will run a business anywhere from a few hundred to a few thousand dollars – but it's necessary. It's also a good idea to have centrally managed virus protection software that keeps viruses, malware and Trojans from gaining a toehold in your network, she adds.
Limit Collection & Retention
It's good to remember, experts say, that the more information you collect, the more you're responsible for. That's why it's a smart strategy to only get client data you need for each deal, while erasing names, bank records and credit card info from past transactions. You should routinely delete old and confidential data completely – not just hard copies, but hard drives as well.
Also, if you use free cloud storage technology – where files tend to float for years – be absolutely certain that all data is encrypted. Even though records might not be physically in your hands, your clients and employees still expect you to protect their information. Create protocols for what types of data your firm puts on the cloud, avoiding placing sensitive data there.
The real key for small businesses is to take note of where all of their data is housed, while measuring what really is important. "Do an inventory of your information and prioritize it and categorize it," says Richard Kissel, an IT specialist with the National Institute of Standards and Technology. "Then, you'll have a much greater feel of where you're going in your business and where the protection needs to be applied."
Remember To Back Up Files
Small businesses should regularly back up their data, both locally and remotely through an encrypted connection, Minchala says. "That way, should anything happen to the hardware, the database or the data in any manner, there are fewer points of failure," she says.
Consider secure cloud-based data backup services, like Carbonite or Crashplan (which will cost close to $1,000 a year), and a Managed Security Service Provider (MSSP) to ensure your system and data are protected, Pfiester says.
Practice Smart Security
Even if you're not a tech-savvy cyber guru, there are plenty of simple steps a small-business owner can take to help secure digital operations.
Create strong passwords. Dan Timpson, vice president of technology for DigiCert, a website authentication and encryption provider, recommends using long passphrases that include numbers and symbols, rather than just letters. Avoid simple combinations and phrases, too, like "iloveyou" and "abc123."
Consider a password manager. This enables you to create unique and "difficult-to-crack" passwords across multiple platforms, Timpson says. "Many password managers are available for free and will generate and store strong passwords for you," he adds. If you're worried you or your employees will forget complex passwords, there are secure sites that can store this information and keep it updated.
Monitor your network. Minimize the number of programs you use, and keep an eye on Web traffic to make sure everything is running as it should, says John Murphy, a security researcher for network security firm FlowTraq. "There's no better pattern-matching system on the planet than the human brain," he says.
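One practical way to "keep an eye on Web traffic" is to summarize the Web server's own access log per client and surface visitors whose pattern doesn't look like browsing. The script below is an added example, not code from the article or from FlowTraq; the log lines and addresses in it are constructed, and the thresholds are assumptions to tune for your own site.

```python
"""Per-client access-log summary for a small business website (added example)."""
import re
from collections import defaultdict

# Constructed sample lines in the common Apache/Nginx "combined" log format.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:09:01:12 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:09:01:15 +0000] "GET /products HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:09:02:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.22 - - [10/Mar/2015:09:02:09 +0000] "POST /checkout HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2015:09:03:00 +0000] "GET /old-site HTTP/1.1" 404 210 "-" "curl/7.40"
192.0.2.44 - - [10/Mar/2015:09:03:01 +0000] "GET /test HTTP/1.1" 404 210 "-" "curl/7.40"
192.0.2.44 - - [10/Mar/2015:09:03:01 +0000] "GET /admin HTTP/1.1" 404 210 "-" "curl/7.40"
192.0.2.44 - - [10/Mar/2015:09:03:02 +0000] "GET /backup HTTP/1.1" 404 210 "-" "curl/7.40"
192.0.2.44 - - [10/Mar/2015:09:03:02 +0000] "GET /config HTTP/1.1" 404 210 "-" "curl/7.40"
"""

# client IP, timestamp, request line (method + path), status code, response size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def summarize(log_text):
    """Return {client_ip: {"requests": n, "errors": n, "paths": set(...)}}."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        s = stats[m["ip"]]
        s["requests"] += 1
        s["paths"].add(m["path"])
        if m["status"][0] in "45":  # 4xx/5xx: the request failed
            s["errors"] += 1
    return dict(stats)


def flag_clients(stats, min_requests=3, error_ratio=0.5):
    """Clients that mostly request pages that don't exist are worth a closer look;
    normal shoppers follow links and rarely pile up 404s. Thresholds are assumptions."""
    return sorted(ip for ip, s in stats.items()
                  if s["requests"] >= min_requests
                  and s["errors"] / s["requests"] >= error_ratio)


if __name__ == "__main__":
    per_client = summarize(SAMPLE_LOG)
    for ip, s in sorted(per_client.items()):
        print(f'{ip:15} requests={s["requests"]} errors={s["errors"]} paths={len(s["paths"])}')
    print("review:", flag_clients(per_client))
```

Point the script at your real log file instead of SAMPLE_LOG and run it daily; a short list that changes from day to day is something a person can actually read, which is the pattern-matching Murphy has in mind.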
Educate employees. "Adopt the attitude that every one of your employees has to be a security officer," Murphy says. Create and train workers in "smart security" procedures, like being wary of email attachments, not sharing passwords or login credentials and data-handling protocols. Warn staffers not to use public Wi-Fi networks in coffee shops, hotels and airports that are breeding grounds for hackers.
Stay up to date. Make sure your operating system and application patches are current to protect against potential breaches. Also, when employees leave the company, be sure to turn off their accounts and access immediately.