You’re a small business owner—how much could cybersecurity really matter to you? After all, you’re just a little fish in a big pond of online businesses. Surely hackers have more important, more lucrative targets to set their sights on, right?
Think again. One recent study showed that small businesses made up 58 percent of cyberattack victims. And there’s no faster way to sink your business’s reputation than by being careless with customer data. The total cost of a data breach has been estimated at $3.92 million, and lost business due to reputational damage accounted for a whopping 36% of that—$1.42 million, on average.
Unfortunately, businesses haven’t caught up to consumer sentiment on data security just yet. A survey by the Better Business Bureau revealed a substantial disconnect between the attitudes of businesses, of which only 20% had a protocol to audit or monitor their cybersecurity, and those of customers, 70% of whom emphasized that it was important for businesses to protect their personal information.
Cybersecurity clearly matters to customers—which means it needs to matter to small businesses. Here’s how to protect yours.
The less data you have, the lower your risk of losing or compromising it. Eliminate outdated data repositories by establishing reasonable data retention policies and then routinely disposing of information that’s outlived its usefulness.
When it comes to personal data about your customers, you’ll no doubt want to collect and retain some basic information, such as names, email addresses and purchase histories. However, you should only collect and store data that you have a legitimate business need for. With the growing emphasis on data privacy, you should also evaluate whether you need to get customer consent to collect or use any personal data.
Once you’ve made sure you’re only keeping the data you need, how do you keep it safe?
Weak passwords may be easy for you to remember, but they’re easy for attackers to guess too. Current guidance (NIST SP 800-63B) favors length over complexity rules: require at least 12 characters, allow long passphrases, and reject any password that appears in a list of known breached passwords, rather than mandating a mix of upper- and lowercase letters, numbers and symbols. Drop the routine 90-day rotation as well; forced periodic changes push people toward predictable variations, so change a password when you have reason to believe it was exposed, not on a calendar. Most importantly, turn on two-factor authentication (2FA), where users confirm their identity through an additional step such as a code from an authenticator app or a hardware security key. Codes sent by email or text message are better than nothing, but they are the weakest form, because SIM swapping and a compromised inbox can intercept them.
2. Grant Access to Data as Needed
Not everyone in your organization needs access to every piece of data you collect or generate. Set up role-based access controls so that sensitive data, such as customer payment information, is available only to the roles that need it to do their jobs, and review those permissions whenever someone changes roles or leaves.
Store important business data and customer information in an access-controlled repository that encrypts the data at rest (full-disk encryption on laptops and servers, encryption at rest for databases and cloud storage). That way, if a drive is lost or stolen, the data stays unreadable without the key. Keep the keys and the passphrases that unlock them separate from the data itself; an encrypted backup stored next to its key offers no protection.
Have a data backup plan. Protect critical information against accidental deletion, hardware failure and ransomware by backing up essential data to a secure cloud-based system or another offsite location, and keep at least one copy offline or write-protected so an attacker who gets into your network cannot encrypt or delete the backups along with everything else. Test restoring from those backups on a schedule; a backup you have never restored is an assumption, not a plan.
Don’t stop with basic antivirus on your computers; scan your website for injected malware as well, since a compromised site can serve ransomware or spyware to your own customers. Note that malware scanners do nothing against DDoS attacks, which flood your site with traffic; for those, rely on your hosting provider’s or a content delivery network’s DDoS protection. If you do discover your site has been infected, remove the malware with a reputable cleanup tool or, better, restore it from a known-clean backup, and then change any credentials the attacker may have captured.
Attackers are always looking for new vulnerabilities, and vendors release patches for their operating systems, web browsers and software to close them. To make sure you’ve got the most up-to-date protection, install security updates as soon as they’re available and turn on automatic updates for your website platform and its plugins, which are a common way in when left unpatched.
Your business’s WiFi network should use WPA2 or WPA3 encryption with a strong passphrase, changed whenever staff leave or it may have been shared. Hiding the network name (SSID) is not a security control; any nearby attacker can still see the network, so the encryption and the passphrase are what protect you. If you also offer public or guest WiFi, put it on a separate network (a separate SSID on its own VLAN, or a second access point) so guests cannot reach your internal systems.
Don’t let just anyone access your network. A firewall operates like a guard at the doorway of your network, inspecting the traffic between your internal computers and the internet as a whole and blocking anything that isn’t expressly allowed. Configure it to deny inbound connections by default and open only the ports your business actually needs.
Most small businesses allow (or even require) their employees to use their own personal devices for some or all of their work. Make sure those devices are protected: automatic security updates turned on, disk encryption and a screen lock enabled, and a way to wipe work data remotely if the device is lost or stolen. A unique password plus two-factor authentication on each work account protects you more than changing passwords on a fixed schedule.
A TLS certificate (still widely called an SSL certificate) from a trusted certificate authority lets browsers verify they are talking to your site and encrypts data in transit between your customers and your server. It does not encrypt data stored on the site; that is what the points above on encryption and access control cover. Serve your whole site over HTTPS, redirect plain HTTP to it, and keep the certificate renewed. The browser’s lock icon tells visitors more than a trust seal image, which anyone can copy onto a page.
People are often the weak link in cybersecurity. The best security policies in the world won’t do you any good if your employees lose their business phones, connect to unsecured wireless networks while traveling or write their passwords on post-it notes next to their computers. Yet despite a growing awareness of the risk of data breaches, employee behavior is still a major cause of security lapses. One study found that 42% of small business owners reported that “human error or accidental loss by an employee” caused a data breach.
Limit the risk as much as possible with these practices:
Additionally, if your business must comply with specialized laws and regulations requiring extra protection for personal information, such as the Health Insurance Portability and Accountability Act (HIPAA) or the EU’s General Data Protection Regulation (GDPR), incorporate these requirements into your initial and ongoing employee training.
To maintain customer confidence and establish your business as a trustworthy source of information, products and services, you must protect both your data and that of your customers. These tips will help you ensure the security of your website—and your reputation.