When a major corporation like Target or Neiman Marcus experiences a security breach, suddenly everyone begins paying a little more attention to their network security. For a small business, that might mean changing passwords and updating antivirus software. But many don’t give network security the attention it deserves, due to inexperience, a false sense of security or sheer lack of time.
The costs of such lax security are astronomical. According to a recent Ponemon Institute study as reported by Consumer Reports, more than half of all the small businesses surveyed had experienced a security breach at some point. The National Small Business Association reports that the average security breach costs businesses about $9,000, not including sales lost to the damage done to the company’s reputation.
While a company like Target might experience significant losses due to a breach, it’s likely to make a full recovery. That’s not always guaranteed for a small or midsized business, especially if litigation is involved. Research shows 60 percent of businesses that are security breach victims go out of business within a year of the breach.
The majority of security breaches are avoidable. Some businesses do fall victim to targeted attacks by sophisticated hackers, but in many cases, cyber-attacks on small businesses are crimes of opportunity. The business either purposely or inadvertently commits one or several of the following seven deadly IT sins, inviting an attack that exposes data.
Developing a False Sense of Security
Many small business owners believe they are immune to attacks because no one could possibly be interested in their data. The fact is that whether you have 10 clients or 10,000, your customer data is valuable to hackers. Basic information like name, address and phone number sells for as little as $1 on the black market. When that information comes with more details, such as credit card and Social Security numbers, the price goes up to around $300 on average per record. Being small does not make you safe from hackers.
Not Having a Security Policy
If you have only a few employees, and you trust every one of them, you might think you don’t need a security policy. But one lost smartphone or stolen laptop can lead to a major security breach, so you need a comprehensive security policy covering what employees can and cannot do on company devices and networks.
Not Educating Staff
Security risks change all the time. Your staff may not be aware of new viruses, best practices or red flags. Many major security breaches, such as the 2012 incident in which the personal information of thousands of South Carolina taxpayers was exposed, occur over a simple, innocent mistake. You must invest in employee education to help prevent the avoidable errors that put your business at risk.
Not Following Login Best Practices
Restricting access to your networks with usernames and passwords is a step in the right direction, but many small businesses fail to properly manage login credentials, which puts their networks at risk. When employees are allowed to use the same password in perpetuity, or everyone can gain access to vital systems with the same password combination, all it takes is for that code to fall into the wrong hands for a breach to occur. Develop and enforce a password policy that requires credentials to meet certain minimum standards and to be changed regularly. Also, consider employing a two-step authentication system to restrict access further. Inexpensive token or one-time access code systems add an extra layer of security to your network.
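One way to check for the problems described above (passwords never changed, one login shared by several people, no two-step authentication) is a periodic audit of a login inventory. This is an added example, not part of the original article; the inventory columns, the sample rows and the 90-day limit are assumptions made for illustration.

```python
import csv
import io
from datetime import date

MAX_AGE_DAYS = 90  # assumed rotation limit; the article names no number

# Constructed inventory: one row per login, listing the people who know it.
INVENTORY_CSV = """system,account,known_by,last_changed,two_step
payroll,admin,alice;bob;carol,2021-03-01,no
email,alice,alice,2024-05-20,yes
pos-terminal,cashier,dave;erin,2024-06-01,no
file-server,bob,bob,2023-01-15,yes
"""


def audit(csv_text, today):
    """Return (system, account, problem) tuples for each policy violation."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["system"], row["account"])
        # Rule 1: the password has not been changed within the allowed window.
        age = (today - date.fromisoformat(row["last_changed"])).days
        if age > MAX_AGE_DAYS:
            findings.append(key + (f"password unchanged for {age} days",))
        # Rule 2: more than one person knows the same login.
        people = [p for p in row["known_by"].split(";") if p]
        if len(people) > 1:
            findings.append(key + (f"shared by {len(people)} people",))
        # Rule 3: the login is not protected by a second step.
        if row["two_step"].strip().lower() != "yes":
            findings.append(key + ("no two-step authentication",))
    return findings


if __name__ == "__main__":
    for system, account, problem in audit(INVENTORY_CSV, date(2024, 7, 1)):
        print(f"{system}/{account}: {problem}")
```

The inventory holds no passwords, only who knows each login and when it was last changed, so the file itself is safe to keep alongside the security policy.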
Relying on Consumer-Grade Products
Many small and midsized businesses operate on tight budgets. You probably conduct work on your personal home computer. If you are collecting and storing sensitive data, basic-level security solutions are not adequate. If you do not have the technical expertise necessary to completely secure your network, hire a professional to help you build a security protocol and conduct regular IT security audits.
Not Performing Updates
Hackers are constantly searching for vulnerabilities to exploit in operating systems, software and plug-ins, and developers work hard on updates to patch the holes as they appear. Ignoring updates only puts you at risk. Your security policy should require regular checks for updates and their installation as soon as they are available. If you don’t have the technical expertise, get help managing your servers and network to identify and solve problems before they occur.
Not Disposing of Data Correctly
At some point, you’ll have to unload outdated assets like old computers, smartphones or paper files. Improper disposal could create a data breach. Have a plan in place for securing data at disposal. Remember that deleting files doesn’t make them disappear from hard drives. If you’re tossing old equipment, wipe the hard drives, physically destroy them or work with a reputable company to help you.
Common Sense Goes a Long Way
Avoiding a security breach isn’t only about installing high-tech, sensitive intrusion detection and prevention or antivirus software. In many cases, a costly breach can be stopped with a few simple, commonsense adjustments to how you work and manage your network. Better safe than sorry.