Take the proper steps to protect your shop's data

Jan. 1, 2020
There is plenty you can do to protect your shop's data from thieves and other risks. Start by auditing and upgrading your data protection system using the following steps.
Imagine pulling into your shop's parking lot tomorrow morning and discovering you're a victim of a break-in – or a fire or flood. Business insurance should cover equipment losses and facility damage. What it usually doesn't cover is the loss of perhaps your most valuable business asset – data, specifically customer and employee information.

Now consider an even more worrisome fact. This information can be compromised – destroyed or stolen – via the Internet and is at risk constantly. If you're like most shops and small businesses, you probably don't worry too much about data security. Odds are you contract your IT needs to computer systems experts whom you trust, or you use electronic management programs and entrust their security to vendors, such as the big three information providers. After all, these are their systems. It's their business, so their security expertise is your protection, right?

Not really. Protecting your shop's data is your responsibility. Holes can exist in any security system. Such vulnerabilities represent opportunities for hackers, thieves and disgruntled employees to rob you, your employees and customers, and damage your reputation and business. In case you still don't feel your data is at risk, consider these facts:

  • Only recently, corporate electronic giants such as Sony and Epsilon have had data stolen by Internet hackers. Symantec, a maker of antivirus software and other security products, was hacked and robbed of valuable source code, giving thieves a blueprint of how to defeat its products' protection.
  • Some experts say most computer users have had data stolen from their home or work computers or third parties they've entrusted with their information.

Don't dismiss hackers and other malicious malcontents as harmless. They are professional criminals looking to make money off your data. However, there's plenty you can do to protect your shop's data from thieves and other risks. Start by auditing and upgrading your data protection system using the following steps.

Step 1: Risk assessment

Assess what information you keep that someone else might want. This includes Social Security numbers (usually from employees), credit bureau and card information, and other financial data. This is the information most often targeted by thieves looking to commit identity theft.

Also consider proprietary information, business plans, sales figures, research data, client information, patents or designs. While this information might seem to have little value outside your business, don't discount its value to hackers.

"This kind of information needs special protection because it's difficult to replace," says Armand Cousins, an IT security expert who works with small businesses. "It's also becoming more desirable for thieves to sell your information to competitors who can use your ideas as their own or outmaneuver you when you're looking to gain market share. Many times, they're looking for employee contact information so they can lure away your best workers. If they have home phone numbers and pay and benefit numbers, they're in a much better position to do that."

There's a growing number of people selling this type of information, even in areas such as grocery stores and franchise restaurants.

"Folks are willing to pay a lot of money for it," Cousins says. "This is the kind of information that's going to make the difference between their business succeeding or failing. A lot of money could be on the line."

Often the data isn't hacked or stolen via the Internet. Employees looking to make a quick buck are often culprits.

Hence, while assessing what information you have, assess who has access to it and how they access it. Track which employees have access to what data. From there, determine how they access, send and receive the data – via laptops or other computers and through data portals such as websites or e-mails.

Take inventory of computers, thumb drives and cell phones, especially smart phones. Keep in mind modern cell phones can download Word, Excel and other files from your business. They also can store usernames and passwords for your data applications, websites and other data portals. Consider whether any of the information can be accessed via home computers or stored there. The inventory should include any such home computers.

Step 2: Limited access

Once you know what information you have, who can access it and how, protect your access areas. Load security software (antivirus, firewall and antispyware) on any computers with Internet access along with those networked to computers with Web access. Make sure the software is updated automatically. When possible, store data on computers with no Internet access. Remove any computer programs from work computers you don't require.

Encrypt sensitive data you store or transmit to third parties. Information providers encrypt the data you send to them. Consider encrypting other data you might be transmitting via e-mail or other methods. Set strict policies about what data your employees can upload, what websites they can surf and how they access your IT systems to help reduce the risks of passing on viruses that might be on a CD, thumb drive or website. Also, instruct all employees about Internet and IT security to educate them about data risks.

People are a company's biggest data security risk, according to Ian Tessel, owner of Intel CompSafe in Phoenix.

"As electronic security has improved, criminals are using other routes to bypass safeguards to gain access to sensitive information," Tessel says. "Now they target people. They send e-mails to employees or call them – posing as vendors or other professionals – hoping to get passwords or hints for passwords and other access."

Phishing, the most popular of these methods, involves sending e-mails disguised to look as if they come from a reputable source. The e-mails often ask for account numbers and other data, or contain links that route a user to a phony website designed to appear legitimate. The site asks for usernames and passwords, which are then stolen.

Along with educating employees about the most current security risks, Tessel recommends restricting their access to data, specifically to information not required for an employee's job. Many small businesses store personal information on files that can be accessed by anyone with computer access.

"IT systems typically are set up to provide networking ease, so information can be tapped from any networked station," Tessel says. "Too often, you have employees in one work area who discover, after searching around on a computer, they can locate files elsewhere in a business's system containing personnel and other information they have no need or right to view."

To restrict unnecessary or unauthorized access to data, every part of a business's computer system should be password protected. That includes any programs that use sensitive data and all computer workstations, along with electronic devices that contain business information, notably cell phones, which can be troublesome because they're easy to misplace and employees often use them to save contact information and business data.

Businesses need to set guidelines for passwords, which should be updated regularly. Passwords should consist of alphanumeric combinations and should never include the names of your business, location, people, etc. The word "password" should never be used as a password because it's used frequently throughout the business world. Employees shouldn't document passwords anywhere they can be spotted or found easily.

Attend to the physical security of the company's data. For example, set strict guidelines about the use of laptop computers because of their portability. Designate specific areas where laptops and other portable data devices are stored and have them locked up overnight. If they need to be used away from the worksite, for a business meeting, etc., demand they never be out of sight of an employee. This same philosophy should be used to protect data stored on CDs, thumb drives and other storage devices, which need to be locked in secure areas, such as a locked filing cabinet.

Businesses also need to be more careful about who they hire and need to implement policies to change passwords and reset computer access when employees leave.

"Considering how many businesses grant computer access from home and other remote PCs, they need to do a better job of monitoring this kind of access," Tessel says. "It's not odd to hear from people who quit a job and then find out they can still log into their old work PC months later. When someone leaves a business, for better or worse, that person should become a stranger. Why would you want any stranger being able to log into your system?"

Step 3: Limit your losses

Considering just how much a shop relies on electronic data and how much of the data is stored in your computer systems, managing and protecting it can seem daunting. Make these chores easier by limiting how much data you retain in your system.

Many small businesses make the mistake of maintaining more data than they need. As the data increases, so does business liability and the risk of loss.

"Any business should ask itself how much of the data it keeps is really necessary," says Judy Stepphano, a consultant with JM Business Strategies in Washington. "Just because information can be stored, doesn't mean it should. Once a business takes ownership of it, the business becomes liable for its use or misuse."

This puts shops on a legal hook for personal data stolen from them and later used to commit a crime or for other nefarious purposes. Shops should set data storage guidelines that specify exactly what data they keep and for how long. Data should be kept only for as long as it's necessary. Such data includes customer credit card numbers and employee Social Security numbers, which should be erased immediately after an employee leaves a company and never be used as an employee identification number.

It can be tempting to maintain this information for convenience, for example, to charge customer work to a previously used credit card, saving the customer and administrative staff time. However, businesses need to measure this convenience against the cost and liability of storing this data. Businesses also need to consider the cost savings of managing smaller data pools. Less data means less time and money spent storing and protecting data and upgrading storage facilities.

Final word: Who do you trust?

While you're taking steps to protect data internally, address third-party vendors. Along with the estimating and management tools you use from information providers, there's a good chance you might have outsourced IT, accounting, HR and other duties to another company. Turning your data over to others comes with risk. Complicating matters, greater numbers of these vendors are using cloud computing systems, which run programs on remote servers, so data is processed and stored outside the business. (Note: ABRN explored security and other data issues connected to information providers and cloud computing in a July 2011 article "Lost in the Clouds.") Make sure these folks are taking the necessary steps to safeguard your data.

Before turning over your data to any vendor, examine their security precautions. Cousins recommends only working with vendors that have a security plan in place they're willing to detail and demonstrate. If a company balks or isn't transparent in any way, walk away. If you don't feel comfortable or confident reviewing a vendor's credentials, turn to a data security consultant who can review the vendor's and your procedures.

Navigating the sometimes perplexing and dangerous waters of data security can be difficult. With the proper investment of time and knowledge, every shop can create a plan to protect its data and, by extension, its business.

About the Author

John Yoswick | Contributing Editor

John Yoswick is a freelance writer based in Portland, Ore., who has been writing about the automotive collision repair industry since 1988. He can be contacted by e-mail at [email protected].
