In August 2010 there was an article published that showed that since 2005 more than half a billion sensitive records had been breached. These breached records contained sensitive data like credit card numbers, tax file numbers and names and addresses. About one fifth of this information came from retailers, merchants and other types of non-financial, non-insurance related businesses.
An even scarier statistic: 80% of small businesses that experience a severe data breach go bankrupt or suffer serious financial loss within 2 years of the security breach.
What can an SME (a small or medium business or not-for-profit organisation with under 200 staff) do to protect itself from a security breach? Well, the answer is simpler than you would think. It is also cheaper than the physical, financial and emotional cost of rectifying a security breach.
Security breaches happen from one of the following seven causes:
- Unintended disclosure – someone posts private or sensitive data on a website, blog, Facebook or Twitter.
- Hacking or malware – an unauthorised person gains access to a computer, server or smartphone through the use of a malicious program.
- Payment card fraud – customer information is stolen from a point of sale location.
- Bad staff – information is intentionally stolen or leaked by an insider.
- Lost, discarded or stolen documents.
- Lost, discarded or stolen mobile devices – mainly removable media, but also laptops, smart phones and tablets.
- Stolen computers and servers.
Protecting an SME is not all about having the right technology in place. It’s about hiring the right people (resilience), having good security practices (compliance), but mainly deploying common sense. So let’s look at the ways to protect that critical business information:
- Identify what your business considers sensitive information: work out what information in your business is sensitive (customer details, credit card numbers and so on) and then document where it is stored.
- Isolate sensitive data: keep sensitive information on as few computers as possible, then separate those computers from the rest of the network. The fewer copies there are, the easier they are to protect.
- Encrypt sensitive data: all sensitive data on a mobile device (laptop, tablet or smart phone) needs to be encrypted. If the data is encrypted, then in the event of a breach it is very hard to access.
- Use SSL (Secure Sockets Layer) in transmission: if sensitive information needs to be transferred electronically, then it needs to be secured and encrypted as it crosses the internet.
- Check your new employees: make a quick call to the referees or references of a new employee to verify that they are telling the truth. If your business requires a higher level of security, then a police check can also be done.
- Use a good firewall and especially a secure wireless connection: this is the front-facing part of your business with regard to the internet. Good security here is like putting in a decent front door and lock with an alarm. Don’t skimp on these components.
- Keep anti-virus, anti-spyware and applications up to date: these are not set and forget; they all have components that need to be updated regularly. Turn on automatic updates and make sure AV definitions are updated daily.
- Protect sensitive data with strong passwords: use strong passwords, and update them regularly.
- Download applications only from reputable sources: the only place on the internet where you should be getting drivers and applications is the manufacturer’s site or its affiliates.
- Physical security is just as important: not only does it keep people honest but it also protects sensitive physical information.
- Shred it! Any sensitive data that is leaving the office should be shredded.
- Physically protect laptops and tablets: these things have a tendency to be lost or stolen, so make sure that if it happens they are hard to access (BIOS passwords, strong passwords and physical locks) and even harder to get sensitive information off (encryption on the hard drive).
- Always vet outsourced or service businesses: If you have critical components of your business that are outsourced make sure the company has similar or tighter security controls than you have.
- Consider outsourcing security or hiring a consultant: There are a number of reputable companies that can do a better job of managing your internal security than having an ad hoc approach. You will also find that a managed security service is not as expensive as you once thought.
Finally – what to do if you do have a security breach
- DON’T Panic
- Contain the loss
- Get help
- Redefine your security policies so that it doesn’t happen again.
Once you have identified that you have been breached, you need to localise and contain it. You should also implement a breach process that involves turning off servers and workstations, investigating hacked systems, and eradicating malware and spyware. Once this is done, inform the relevant authorities. You may also need to get a solicitor or security expert involved.
Depending on the severity of the breach you may also need to contact your clients and customers, but consult with your solicitor or the AFP. You may need to employ a public relations person to keep everyone informed with the correct information and not let the rumour mill produce something that you cannot control.
Finally – it is a lot more expensive to fix a breach than it is to secure your SME’s sensitive data.