Data protection: How to protect your business database
The statistics for cybercrime, online fraud and data theft make for disturbing reading. The Federation of Small Businesses (FSB) claims 45% of its members have were victim to online crimes such as malware infections, hacking attacks or full-on data breaches in 2016-2017. The average cost per business was £1,400.
For the small- to medium-sized-business (SMB) owner especially, the impact of such attacks go beyond the immediate financial loss and disruption to the daily working schedule – there’s the loss of reputation and customer trust to factor in, too. Despite this, it’s SMBs that have the most difficulty finding affordable and doable security measures. This can lead to substandard protection or – worse still – no security at
To help solve the problem, here are ten simple ways to make your business more secure.
For more on creating an IT security policy, visit How to write your company’s IT security policy.
1. Know your data
Not all data is equal. The starting point for any business must be understanding what data is business-critical or sensitive. You must identify how it’s used and where it’s stored. The most basic of audits can be accomplished just by considering what might happen if a breach were to occur and data, such as financial data, or employee or customer records, was compromised.
Once you understand the likely effect on your business – and there can be multiple “what if” scenarios, depending on the nature of the incident – you’ll have a blueprint for your business-impact levels.
High-risk data needs to be appropriately secured, and you can devote more of your resources to ensuring it is. Just note that your job doesn’t stop there – you can’t ignore data that you’ve classified as less risky; rather, you must prioritise your security efforts accordingly.
2. Manage your passwords the easy way
Passwords are at the core of every security policy, yet ensuring that they’re secure and enforced isn’t easy. Consumers have services such as LastPass to help generate and manage their passwords, but should a business use password managers?
LastPass and other such services have enterprise versions available at a low cost per user. These offer all the basic secure-password-generation options you’d expect, with a variety of business-orientated extras: for example, you can set company-wide minimum password standards to meet your policy requirements, or apply customised policies to restrict access to specific devices, groups or locations.
Then there’s Active Directory (AD)/Lightweight Directory Access Protocol (LDAP) integration. This can import existing AD profiles, automate reporting tools to highlight weaknesses in the password security chain, and offers real-time syncing across devices to help with the rise of the Bring Your Own Device (BYOD) culture. It can be protected by a master password, which can be reset or revoked by the administrator.
Everyone in your business must understand company security policy and know why it’s important. Education doesn’t need to be expensive: it can be integrated easily into the staff-induction process, and you could consider six-monthly refreshers to bring existing employees up to speed with any changes – including threats of which they should be aware.
Only an hour is needed every now and then to sit with an employee to explain how security applies to their particular role and to answer any questions. Remember, education and communication are just as important as tools against cybercrime as the computer technology you use to defend your data.
However, in order to be effective, it has to be implemented from the bottom up and the top down – that is, everyone from the CEO to the summer temp needs to be on board if a security policy is to work. That doesn’t mean the same training should be given to all; the best training is tailored to the specific role of the employee and the threats they may encounter.
4. To encrypt or not to encrypt?
Of all the tips presented here, encryption is probably the most controversial. But it’s also the most valuable in terms of data protection. It’s controversial because encryption has always been seen as being the realm of the nerd and thus beyond the ken of ordinary business owners; plus there’s the small matter of convenience to consider.
Both arguments are becoming weaker as encryption technologies become easier to deploy and work with. If a laptop/storage device is lost or stolen and the data on it is encrypted, then it’s far less likely to pose a security risk to your business. However, every business needs to weigh up the protection/convenience ratio before jumping in.
The same goes for data in transit. Despite the recent Heartbleed hacking scare, it’s far safer to make sure all online transactions are carried out using Secure Sockets Layer (SSL) than over an insecure connection. The best-practice advice is to investigate what encryption options are available to suit your data, devices and business usage.
But the bottom line is that, from SSL and encrypted USB containers at one end of the scale to on-the-fly encryption at the other, encrypted data is more secure than data that isn’t. Do you want to risk the consequences of ignoring that?
5. Be prepared
An integral part of any small-business IT security strategy is a formal document that goes into proper detail – and is then kept updated, rather than stuffed in a drawer and forgotten about. It may sound tedious, but you must plan not only how to protect your data and resources, but also what to do in the event that things go wrong.
Although many smaller businesses assume such an IT security policy is something that only large enterprises require, they’re wrong – every business, including the smallest SMB, can benefit from implementing a security policy. The trick is to understand that it’s more than just a formal document to be filed away gathering dust; it should be seen as a dynamic device to help you understand what data security means to the business. You can then build a structured response to suit your needs. Think of it as a commitment to protect all the data you create and use, and an absolutely integral part of your business processes.
The best IT security policy will detail not only how to protect your data but also how to react when things go awry. Setting out an incident-response strategy when you have a calm head is far better than trying to put things right in the heat of the moment.
6. Update, patch, update, patch…
If you want your business to be secure, you need to stay up to date. Specifically, you must update all the software you use day-to-day in your business: the operating systems of all the devices, from smartphones to servers, plus the software that runs on the security systems that protect them all.
It’s a no-brainer that keeping your antivirus software up to date will ensure it offers the best possible protection, yet for many small businesses this is low on the to-do list. Security software, generally, automatically checks for and installs updates. While the same might be said of operating system updates, auto-updates are usually switched off due to the resource drain and disruption they can cause.
Larger companies have patching policies and automated patch-management systems, but these are beyond the financial and implementational reach of most SMBs. Useful alternatives include deploying scanners to run regular system checks for unpatched or vulnerable software, and then scheduling those updates during your business’s off-peak times. Doing nothing isn’t an option, especially if a patch has already been made available. Think about it: if the patch is out, then would-be attackers will be aware of the problem and will be finding ways to exploit it. Patching is relatively low-cost, especially at the smaller end of the business scale, but investing your time in it will bring invaluable rewards when it comes to security.
7. Disarm the BYOD bomb
Locking down your data on the move has always been important, especially since laptops were introduced. However, never has it been such a security imperative as it is now, courtesy of the Bring Your Own Device (BYOD) explosion.
The BYOD bomb is far more likely to detonate within smaller businesses, where the cost savings of allowing staff to use their own smartphones, tablets and laptops seem to far outweigh any security risk. The truth of the matter is that mobile data needs to be secured with the same rigour as that on your own network. The mixture of personal and business data on mobile devices, together with a lack of corporate security controls outside of the workplace (when connected to the home network, for example) is a recipe for disaster.
Stopping BYOD isn’t an option for the majority of companies, but this doesn’t mean you can’t reduce the security risk. Security solutions might include dividing a device into secure work and play parts, or implementing policy-based controls that require users to have locked-down devices. Encrypted work data and remote-wipe facilities help, too.
Although mobile device-management solutions are beyond the budget of most SMBs, a combination of educating users of the risks, on-device security software and properly implemented network controls can offer reasonable all-round protection at a relatively low cost.
8. Use the cloud
While the idea of encrypting everything may be controversial, the idea of embracing the cloud for professional work purposes is seen by some as positively scandalous. However, the cloud can be a genuinely secure choice for most small businesses.
In particular, it makes sense if your company doesn’t have the time or knowledge to be on top of all the security issues, and the updates and implementations it needs, because a good cloud service provider (CSP) does have time.
Don’t be scared of the cloud for data storage or application-serving usage, since a reputable CSP will be more proactive than you at maintaining software patches and implementing security – in order to survive, CSPs have to take security seriously. What’s more, they can do so at less cost to your bottom line than you can.
The anytime/anywhere nature of cloud access even provides a good disaster-recovery route for smaller businesses. Of course, the cloud isn’t 100% secure, and you need to think about where your data is located and who has access to it. Here, though, encryption is your friend (see tip 4), as are single sign-on tools for cloud usage, which enterprise password managers (see tip 2) can often provide.
9. Time to get physical
Good data security isn’t all about bits and bytes – it’s also about the bits and bobs, from the front-desk PC to the phone in your pocket. You need to secure your hardware and secure access to your premises. Every SMB’s security policy should embrace the physical, or it could be counting the cost when someone walks in and steals a laptop – and by so doing potentially steals access to the network and data, too.
Simple things can reduce the risk of data loss – such as keeping doors and windows locked whenever the office is closed, fitting alarms, using Kensington locks on desktops and laptops, and requiring users to have lockscreens activated whenever they’re away from their desks, plus being careful about who you let into your premises.
Shred documents to prevent paper trails that could be useful to cybercriminals, and keep your paper files in locked cabinets. Finally, seeking advice from a local crime-prevention officer is never a bad idea, either.
10. Act today
The most important piece of security advice for any business is to take responsibility for your data, and to do it now.
Even when you have a security policy written up and implemented, the staff educated, the data encrypted and the devices under control, you can’t afford to rest on your laurels and assume you’re now secure. IT security is a dynamic, ever-changing landscape, and securing your data is your responsibility.
The bad guys won’t be sitting back – they’ll be keeping on top of the latest vulnerabilities and weaknesses, so it’s up to you to keep up with them.