Data breaches and data leaks are never a question of “if” but “when.” And, while cyber attacks affect businesses of all sizes, small businesses are especially vulnerable.
Cyber security for small business can be a challenge, but we want to help every business avoid data breaches. Let's arm you guys with some knowledge:
Small businesses are most likely to experience a company breach, causing lost data like email addresses, encrypted passwords, social security numbers, and other confidential information.
Here’s what you need to know when it comes to common causes of data breaches and how to protect your small business.
Your business is important, but there’s often a common thread to why data loss occurs:
Sadly, many small businesses don’t have the time, money, or people to plan and manage their business’ online security.
In fact, nearly one-third of data breaches in 2020 have already involved small businesses. The consequences of data breach can be financial, or cause decreased customer loyalty.
In the worst case: they suffer permanent business closure.
It’s important to treat data security as a priority, so your company doesn’t become another cybersecurity statistic.
What is a Data Breach?
A data breach is a security-related incident where a system’s sensitive information is accessed or stolen without the operator’s knowledge.
They often involve the use/exploitation of personally identifiable information (PII):
Credit card numbers, healthcare histories, and SIN numbers are at risk.
For larger companies, trade secrets, customer lists, account information, and software source codes could be exploited.
Common Data Breaches Affecting Small Businesses
The best defence is a good offence.
Familiarizing yourself with common business-affecting data incidents is essential for keeping your company safe and secure.
Here are some common data breach terms, along with examples:
Short for malicious software, malware is a blanket term describing software created with the intent to cause damage to networks, data and/or systems.
Common types of malware include:
Viruses – One of the most common forms of malware, viruses are a malicious program or code that “infects” legitimate, clean code on a user’s computer. Once executed (either unknowingly or through automated processes), viruses can spread quickly across a network, affecting other systems and users.
Spyware – This form of malware “spies” on the user, operating in the background to collect employee data: passwords, credit card numbers, internet usage and other sensitive data.
From here, this information is then sent to data firms, advertisers or other external users, typically for financial gains.
80% of data breaches are thought to be a result of weak or stolen passwords.
Passwords that are easily guessed, based on personal details (i.e. your dog’s name) or used across multiple sites, will put your information at risk -- this is becoming more common knowledge for general users of the Internet.
Another common source of compromised credentials?
When an employee stops working for your company.
It doesn’t matter whether the employee leaves voluntarily or if they’re let go: company passwords and logins must be managed in a secure way.
We have worked with clients using shared logins for some of their most important, cloud-based tools.
We asked how long since their last password change. The answer:
“Oh, we’ve used the same password since we got that tool 4 years ago.”
There you have it. The implication for the data that was stored in some of those tools was mind-blowing. Any former employee that had access to that tool would have no issue loading up a web browser and logging into that piece of software.
In our digital world, it is extremely important to treat logins and passwords for tools and software with the same care as our ATM PINs.
We’ll cover a little more on employee risks for data breaches later in this post. In the meantime, if you’re interested in learning a little more about password security, follow these essential tips for stronger passwords.
In the case of social engineering, cybercriminals use manipulation techniques to exploit human error and gain access to a business’s sensitive data.
This type of data incident relies on psychology to deceive unsuspecting users into giving up information.
While social engineering comes in different forms, we’ve all experienced these kinds of attacks from our favorite “royalty” from around the globe:
an international prince or the recently-deceased, long lost bank tycoon…
They’re called phishing scams.
While our examples may make you giggle, every day, they’re trying to get more sophisticated.
At times, these types of attacks can look just as legitimate as an actual email from your credit card company or bank. They may come with an Excel or PDF attachment…
and it’s coming to your inbox from an email address you recognize - co-worker, vendor, client, friend, or family member.
Backdoor attacks refer to any method(s) used to circumvent a system, application or network’s standard security measures (a Trojan is a perfect example).
Once in, cybercriminals will seek a higher level of access to hijack devices, install malware, steal employee or customer data and more.
When too many users are granted too many privileges to your business systems, your information becomes more vulnerable.
You might recognize terms like “Denial of Service” Attack when thinking of these types of data breach.
Keep admin privileges specific to a worker’s job function and remember, the less data users can access, the less likely it is to fall into the wrong hands.
Remember the former employee we talked about earlier? They’re not the only common source of data breaches.
An insider threat is a cybersecurity threat that originates from, you guessed it, within an organization. This can come in the form of employee data theft, which can cause highly damaging business data loss.
Usually these threats come from a past or current employee, third party, or contractor who has access to a business’s databases, applications or network.
Device Theft or Loss
For instance, employees commuting or working between different locations are far more likely to lose or misplace their devices. Have you ever forgotten your phone, tablet, or laptop in a public location?
You may have already experienced this type of practice with your personal Android or iOS devices:
Two-factor authentication is necessary for preventing unauthorized access to your company data, lowering the risks from misplaced devices.
Out of Date Software
Outdated software makes cybercrime easy for any hacker or malicious intruder.
Without regular software updates and the latest security patch installs, your systems and devices will not maintain the defences they need to thwart malicious attacks.
Ensure regular updates are part of your small business’s best cybersecurity practices.
6 Key Tips For Preventing Data Breaches
1. Educate Your Staff
Did you know, over 90% of data breaches are caused by human error? Because hackers love to take advantage of unsuspecting employees, it’s important to provide mandatory cybersecurity awareness training for your staff.
2. Limit User Privileges
Here again, by limiting access to your data, you are limiting your chances for security breaches and data loss. Employees should only be granted access to permissions essential to the completion of their work.
3. Employ Anti-Spyware and Antivirus Software on All Devices
These forms of security software are essential to safeguarding your businesses against any number of malware attacks (see above). Install anti-spyware and antivirus protection on all devices and be sure to keep them updated!
4. Encrypt Company Data
Encrypted data can only be accessed by users with the right encryption key. In short, encryption prevents your information from being read or stolen by unauthorized persons online.
5. Configure a Virtual Private Network (VPN)
Like encryption, a business VPN will prevent attackers from gaining access to your private network. Especially important for small businesses that rely on remote work, a VPN provides employees with a secure way to access company information, from anywhere, without exposing your data.
6. Perform Regular Security Assessments
Last but not least, we recommend performing regular IT Security Risk Assessments as a means of identifying vulnerabilities within your business. This will help you prevent potential data incidents before they have a chance to take root and prevent costly downtime.
At GAMTech, we specialize in reliable, affordable and ultra-responsive IT services. Our mission is to help protect, scale and streamline operations for small to medium-sized businesses. For more information on the many cost-effective services we provide and how they can help your organization succeed, we invite you to get in touch with us!