Cybercriminals are upping their game in an effort to obtain credit-card numbers, social-security numbers, PINs, and other personal information from millions of people throughout the world. At least once a week, it seems, we hear about yet another large-scale theft of data from a retailer, a financial institution, or some other business.
Cybercriminals target retail businesses, for example, with point-of-sale (POS) malware attacks that exploit the split second during which unencrypted data is passed between junction points of a computer network. Also common are “phishing” attacks, in which an employee is duped into opening a file attached to an email, which then installs malware onto computers and servers.
All businesses that collect and store customer data are vulnerable to a cyber-attack. You generally don’t even hear about the theft of customer information from small businesses, but for the business (and its customers) the results may be even more catastrophic. The costs of a data breach are high—in terms of actual dollars, business disruption, and the loss of customer trust.
Operating your business as a corporation or an LLC can help protect your personal assets from the consequences of a data breach. If the business is owned by a corporation or LLC and becomes liable for a debt or other obligation that the cybercriminal incurs, it is the corporation or LLC that is liable, not you personally. Losing your business due to a cyber-attack is catastrophic enough. You surely don’t want to also put your personal assets, such as your home, at risk.
Most Americans have been victims of a data breach
The headline-making breaches tend to be quite sophisticated attacks, but even more cybercriminals succeed because of their targets’ lax security practices. Complacency and human error are among the most common causes of a data breach. According to the Pew Research Center, most Americans do not follow basic recommendations to protect their data. Moreover, this remains true despite 64% of all Americans admitting to having experienced some form of data breach, whether it be credit-card fraud or a hacked email account.
But take solace – you can prevent most security breaches if you implement and enforce basic security best practices, such as having a firewall and securing your Wi-Fi network. In addition to these threshold actions, here are seven other steps you can take to reduce your risk of a data breach.
Don’t click an email link that looks suspicious.
Phishing is a common ploy by which cybercriminals send deceptive email in an attempt to gather your personal information or install malware. This form of hacking has been around since the advent of email, and it remains one of the most common tactics that cybercriminals use for one reason – it still works.
For this reason, make sure that every individual in your company (i) is aware of the risks created by phishing schemes, and (ii) knows how to identify a phishing email. How can you recognize a phishing email? Well, it often comes from foreign countries or criminals who do not speak English particularly well, so look for:
- poor grammar;
- misspelled words;
- odd attachments;
- links to sites that you don’t recognize; or
- a sense of urgency in the messaging, such as a warning of suspicious account activity or a request to confirm a password or account details.
Adopt and enforce a smart-password policy.
It may be hard to believe, but “123456” and “password” remain the most common passwords that people use today. If you want to protect yourself, adopt and enforce a password policy that requires your employees (i) to use long passwords (with letters, numbers, and special characters), and (ii) to change their passwords every 3 or 6 months without reusing their prior passwords. Also, use password-manager software to store passwords – don’t just write them down on a piece of paper that someone could find.
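As an added example (not code from the original post), here is a small Python checker that enforces the policy just described: a minimum length, letters plus numbers plus special characters, a denylist containing the two passwords named above, and a no-reuse check against salted hashes of prior passwords. The minimum length of 12, the 90-day rotation interval and the PBKDF2 parameters are assumptions chosen for illustration.

```python
# Added example, not from the original post: enforces the password policy
# described above. MIN_LENGTH, MAX_AGE_DAYS and the PBKDF2 settings are
# assumed values; tune them to your own policy.
import hashlib
import hmac
import os
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 12                            # assumed policy value
MAX_AGE_DAYS = 90                          # "every 3 months" from the post
COMMON_PASSWORDS = {"123456", "password"}  # the two passwords the post names
PBKDF2_ROUNDS = 100_000                    # assumed; raise for production use


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-SHA256 hash so prior passwords can be kept for reuse
    checks without ever storing them in clear text."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy violations for a proposed new password.
    An empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no numbers")
    if not any(c in string.punctuation for c in password):
        problems.append("no special characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("is a commonly used password")
    for salt, digest in history:
        # Re-hash with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reuses a prior password")
            break
    return problems


def rotation_due(days_since_change: int) -> bool:
    """True when the current password is older than the rotation interval."""
    return days_since_change > MAX_AGE_DAYS
```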
Protect information that is used remotely.
Poor data practices extend beyond password issues. Employees bringing work home on a USB drive, or by emailing it to their personal email accounts, can expose the data to security risks. Similarly, an employee using a personal mobile phone or tablet can also expose your data. This can result in a serious data breach.
Begin by conducting an audit of how everyone in your business accesses data. Then develop and adopt appropriate safeguards to protect it, and policies to ensure that your employees adhere to the safeguards. Require an enterprise-level firewall, anti-virus, and anti-malware programs on all devices that access company data.
Protect against social-engineering schemes.
You’ve seen it many times on television—a criminal gains access to the premises by pretending to have lost their key. That’s a classic example of social engineering: a criminal uses a pretext to trick an unsuspecting person. These criminals commit fraud by exploiting basic characteristics of human nature: the tendency to think well of other people, to trust other people, and to want to help other people. These are traits that you probably stress in providing quality customer service. But if you adopt a policy that prohibits employees from supplying information—particularly any system credentials—without approval, you give your front-line employees an easy and polite way to decline requests that might compromise your data.
Criminals also use this tactic in a variant of phishing called “pretexting.” In this case, an email is made to appear legitimate (e.g., from a bank, a company officer, or another credible person or institution) in order to obtain personal or sensitive information. Require your employees to confirm any such request by phone, using a number other than one provided in the email.
Regularly update your malware protection and all other software.
Another step that small businesses can take to help prevent a data breach is to use commercially available anti-malware programs. Similarly, it is critical that you ensure all your software programs are kept up to date. For example, a major company recently discovered a serious security flaw in its operating systems, which prompted the company to release a patch. But a software patch is no help unless the end users actually install it.
Keep your data backed up.
This step doesn’t prevent an attack, but it is critical that you regularly back up your data in case a breach occurs. You should have your computer system set up to automatically back up your data each week, and you should store the backup in a secure location, either offsite or in the cloud.
Be proactive – adopt and enforce a plan.
Unfortunately, cybercriminals always seem to be a step ahead; they constantly find new ways to get access to your data. You need to be proactive in understanding cyber risks and finding ways to mitigate them. Educate your employees on how to detect and prevent potential security breaches, as well as on what to do if you are subject to a cyber-attack. Review and update these guidelines on a regular basis, and issue reminders to your employees about following basic data-security best practices.
Although there is no perfect solution, implementing these suggestions can help reduce the likelihood of a cyber-attack. If your business requires that you collect and retain a significant amount of sensitive customer data, particularly payment data or medical information, consider hiring a computer security consultant to review your systems and make recommendations for enhancing data security.
If you suffered a cyber-attack, or have any questions, please call an experienced lawyer at George Law at (248) 470-4300. We are available 24/7.