Small business guide to cyber security: 6 steps against the data breach

Lately we’ve seen many large companies getting hacked: Anthem, Sony, and Target to name just a few. The number of data breaches increased 27.5% in 2014, so measures against these types of security incidents are on the rise in large companies.

How about small businesses? Do they really stand a chance against hackers and security incidents?

Being a small company might make you think no hacker will bother stealing your data. But, just because you’re small doesn’t mean your information is safe – what would happen if your office caught on fire, and you had no backup (or you kept the backup in the very same office)? What if someone breaks into your office and takes all the computers and storage media? What if a disgruntled employee starts deleting all of your files?

So, think again – could you imagine where your business would be without your client information, years of product development, notes, documents, etc.? Probably not – without all this data, you’ll probably go bankrupt.

So, here are 6 steps to protect your company:

1) The backup

Doing regular backup of all your data helps you protect it not only in case of theft, but also if someone has changed some of your files in an inappropriate way. For most companies in the IT services industry, it is enough to have your data and your key employees available, and you can continue doing the business in any other office, or even from home.

But, just producing the backup won’t help – you have to place the backup media (a tape, a disk, or similar) in some distant location; in the last couple of years, cloud services like Dropbox or Box have proved to be even better solutions than having the physical backup media.

See also this article: Backup policy – How to determine backup frequency.

But, make sure you don’t give access to this backup to everyone…

2) Access control

You have to think hard about who will have access to which data in your company. And, this has to go further than limiting access to payroll; for each type of information you have to consider whether it is really necessary for each employee to have access, using the “need to know principle” – this means if some employees don’t really need access to certain documents in order to do their jobs, then don’t give them access. There is some data only the owner of the business should have access to – for instance, the backup.

This access control is actually easy to implement – if you’re using SharePoint, Box, or similar systems, they already have built-in ability to allow access to employees on an individual level; you can even achieve the same result handling the shared folders on Dropbox.

3) Physical protection

You should stop potential offenders from being able to reach your IT equipment and media in the first place – by locking your office and alarming it; if you store some very sensitive information in your company, consider using a notification system in case of an incident, and also a security guard.

However, you should also protect your mobile devices (e.g., laptops, tablets, mobile phones, etc.) when taking them outside of your office – such devices should be either with you all the time, or must be stored in a facility with no public access; such room or office must be locked when no one is present.

4) IT security

Things like anti-virus software and firewalls are everywhere now, so I’m quite sure you already use them. But, are you sure they are maintained properly? When was the last time you updated your anti-virus software? Are you sure your firewall is configured so that it lets through only the traffic that is safe?

You can also take your IT security a few steps further:

  • Set your computers to auto lock with password if not in use for 5 minutes – this way, if an employee leaves their computer no one will be able to access it.
  • Avoid using USB flash drives – they are the best way to get your computer infected, because very often anti-virus programs cannot detect such malicious code.
  • Make sure you protect your mobile device with a good password, because if it gets stolen, the thief will be able to access your email, and with your email he will be able to change passwords to your cloud services and consequently access all your data stored in the cloud.
  • Use password managers, which will enable you to save passwords for your different services and applications, because if you used the same password for all of them, the breach of only one password enables the criminals to access all of your accounts; password managers also enable you to use complex passwords for each of your services. And yes, those password managers are available for mobile devices, too.
  • Use VPN service for connecting to the Internet so that your passwords and other sensitive information are protected when transferred over the network; this is especially important if you’re using a Wi-Fi connection that you cannot fully trust.
  • Use 2-factor authentication when connecting to important cloud services like Gmail, Dropbox, or similar – so even if someone steals your password, he wouldn’t be able to access your sensitive information. These 2-factor authentication systems can work together with your phone (by sending you a text message), or with special USB keys, without which access to a system wouldn’t be possible.
  • Encrypt the data stored on your hard drive, so that if it gets stolen the thieves won’t be able to read it; you can also encrypt data stored in a cloud – there are some specialized cloud companies offering this kind of service.
  • Update your software – you should do this regularly, as soon as a security patch is published; the best route would be to set up automatic updates.

And, to ensure that all employees are complying with these methods, you should develop an Information security policy or Acceptable use policy, which would ensure everyone in your company really understands what is expected of them.

5) Managing people

The first and most important rule is: be careful who you hire. An experienced IT administrator can delete your whole client database in less than a minute, or bring down your website in a matter of seconds. You should always run a background check for candidates who will work with your most sensitive data.

This article will also help you: How to deal with insider threats?

The second most important thing is to make your employees aware of potential security threats and how to cope with them. Here are a couple of topics for such awareness sessions:

  • Never, ever give your password to anyone.
  • Don’t install every program you come across on your computer or mobile device – some of this software, disguised as a nice game or utility program, is made with the sole purpose of injecting a virus onto your computer.
  • Disable your Bluetooth connection because it is very unsafe; but also, disable the Wi-Fi network on your mobile device when you’re not using it.
  • Do not leave your computer in a car.
  • Do not leave your computer unattended in public places like airports, toilets, public transport, conferences, etc.

Read also this article: How to perform training & awareness for ISO 27001 and ISO 22301.

6) Get certified

More and more companies are offering their services over the Internet, so more clients want their information to be protected. To assure clients that their information is safe, and to attract new clients to whom security is important, you can get a certificate that proves you are safeguarding their information properly.

Getting certified also enables you to get the methodology for information security implementation, so you’ll know exactly where to start from. To maintain the certificate you’ll have to make sure all the safeguards really work.

There are many certificates available, and ISO 27001 is probably the most popular. Learn more about ISO 27001.

So, as you can see, cybersecurity is not only about IT protection – you have to implement different methods in order to protect your information. Implementing only some of these safeguards, and not the others, will leave your company seriously vulnerable.

To learn about a systematic approach to protect your company, try for free this online Security Awareness Training.

Advisera Dejan Kosutic
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.