You’ve finally established a successful business based on the excellent products and services that you offer. There’s nothing more satisfying than knowing that you are meeting the important needs of your clients and improving their lives in some measurable way. But that can all come crashing down without the proper security safeguards. Businesses that fail to secure their data and applications place their whole enterprise—as well as their clients’ information—in jeopardy. Here are five things that every small business should be doing to keep their customer data safe.
Enforce the principle of least privilege.
Just like classified government intelligence, the information that your business stores and manages should only be available on a “need to know” basis. The principle of least privilege calls for tiering data access permissions. At the top of the privilege ladder is administrative access—but even that should be limited. Sure, an administrator should be able to get into systems and networks for operations and maintenance purposes. But if they are not the database administrator or the owner of the database, do they really need access to its contents? Others may need write access so they can add or update records. Still other users might need read-only access, or no access at all.
Along with a tiered permission structure, consider grouping your users according to your business structure. In other words, payroll employees will have access to certain records, while those in shipping and receiving will be able to read and update others. Anyone who manages user access for any system or network should follow the principle of least privilege.
Simply put, continuously ask yourself the question, “Does this person need access to this thing?” If not, simply don’t grant it. This is a simple step to take, but it pays big dividends in the long run, especially if an account is ever compromised or the employee leaves the organization.
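The tiered, group-based model described above, written out as a default-deny access check with an offboarding step. This is an added example, not code from the original post; the group names, record types and users are constructed for illustration.

```python
"""Least-privilege access check: default deny, grouped by business role."""
from dataclasses import dataclass, field

# Each group lists only the record types it needs and the rights it needs
# on them. Anything not listed here is denied. (Constructed sample policy.)
GROUP_RIGHTS = {
    "sysadmin": {"servers": {"read", "write"}},          # ops access, no customer data
    "dba":      {"customer_db": {"read", "write"}},       # owns the database
    "payroll":  {"payroll_records": {"read", "write"}},
    "shipping": {"shipping_records": {"read", "write"}},
    "support":  {"customer_db": {"read"}},                # read-only tier
}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    active: bool = True  # flipped to False when the employee leaves


def allowed(user, resource, action):
    """Answer 'does this person need access to this thing?' for one request."""
    if not user.active:
        return False  # departed staff keep nothing, whatever groups linger
    return any(action in GROUP_RIGHTS.get(g, {}).get(resource, set())
               for g in user.groups)


def effective_rights(user):
    """Summarise what a user can touch, for a periodic access review."""
    rights = {}
    if user.active:
        for g in user.groups:
            for resource, actions in GROUP_RIGHTS.get(g, {}).items():
                rights.setdefault(resource, set()).update(actions)
    return rights


def offboard(user):
    """Disable the account and strip every group membership in one step."""
    user.active = False
    user.groups.clear()
    return user
```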
Encrypt all your systems that access client data.
Without encryption, your company’s data is exposed to potential theft or alteration by any clever hacker with the right scanning and sniffing tools. Any place that client data is gathered, accessed, transmitted, or stored should be protected with a robust encryption mechanism.
Consider all the platforms that handle your company’s customer data. Are you using encryption on all of them? You may have encrypted the data files on your servers or storage system, but what about all the devices that access them? On Macs, for example, it’s as simple as going to settings and clicking “Turn on FileVault.” Are your employees and contractors using encrypted smartphones, tablets, and laptops? Will thieves be able to see confidential data if any of these devices are stolen? VPNs are still a good idea for road warriors, even if they are not as critical as they used to be thanks to the large-scale adoption of HTTPS.
Now that business has gone mobile, it’s important to make sure that sensitive data is protected wherever it is, whether “at rest” or “in motion.” A hacker may only need to exploit a single weakness to find their way into all your important systems. Be sure to lock down every system with good encryption—and don’t use them until you do!
Back up your client data files securely.
Protecting all your customer information with encryption is not enough. What happens if the data becomes lost or corrupted? What will you do then? A telecom network engineer once forgot to back up the data before replacing a module in a switch. The process resulted in the loss of thousands of records of customer data that could not be recovered, because there was no backup. Unfortunately, mistakes like this can be fatal for a company, and a company rarely survives to make the same mistake twice. Get ahead of data loss!
Take an inventory of every repository of client data in your IT infrastructure. Look deep into your networks and systems. Do you have a sufficient backup plan in place for each of these data collections? The principles and practices of data backup are well established. We should never overlook them.
Control and secure any BYOD access.
When employees use their own devices to connect to the business infrastructure, it’s called Bring Your Own Device (BYOD). Allowing employees to log into the company network with their own devices is not without its risks. It may be convenient for them to connect to business applications while at a restaurant, at home, or travelling across the world, but each person has a responsibility to make sure that these transmissions are secure. Since every device is different, with different manufacturers, operating systems, and applications, employees should consult with their IT department before using their own device. It’s important to check with the experts to make sure that they are handling client data securely.
It’s important to get ahead of the inherent risks of BYOD by adopting an official stance and policy on it. Maybe the answer is “Sure, you can use your own device, but we need to secure it first,” or “Sure, but these requirements must be met.”
Educate your users.
It takes a certain level of knowledge to use any computing device, whether large or small, hardware or software. Without a proper understanding of how things work, there is a greater risk of error or lapses in security. To protect client data, you should make sure that each of your users is informed and educated in the systems that they are operating. That means setting up classes, videos, workshops—whatever it takes to instruct users in the policies and best practices for good data security.
Everyone in the company must do their part to protect customer information, and every business should set up the policies, procedures, and training required to secure this critical data. These five practices are just a starting point—you and your business should do as much as you can to safeguard the client information in your care. You have a duty to your clients, to the government, and to yourselves to provide the best security possible for the people that you serve.
If you own a small or medium-sized business, AaDya cybersecurity was made for you and your team. Email firstname.lastname@example.org to speak to an AaDya team member today!