In 2005, the Privacy Rights Clearinghouse reported 136 data breaches. Yet between 2005-2015 – a span of ten years – more than 4,500 data breaches were made public. Since then, the problem has almost become an epidemic -- and worse -- the consequences have become more severe. This is a problem no business can afford to ignore.
Data breaches have an extensive history dating back to the 1980s when computer networking started to take off. Since then, regulations like HIPAA and PCI Compliance have been put in place to help companies safeguard sensitive data. However, regulations don’t stop data breaches from occurring -- as attacks like the 2017 Equifax breach have proven.
The worst data breach ever.
The “worst-ever” breach was actually worse than it initially looked, smart banking brand Chime explained. The hackers accessed tax ID numbers, credit card information, and driver’s license data. These kinds of attacks can transition from one-time hits into long-term even forever problems.
Is your head in the clouds or just your data?
A 2012 report by DXC (formerly CSC) predicted that by 2020, over a third of all data will live in or pass through the cloud. The report also noted that 80 percent of data is stored by third-party enterprises. With less control over the storage of their own data, companies are susceptible to attacks due to vulnerabilities beyond their control.
Data breaches can affect everyone.
No entrepreneur expects a cyber criminal to access their customers’ private data. Yet, small businesses are actually more susceptible to data breaches than big companies. Trustwave research reports that 90 percent of all data breaches affect small businesses. Retail is hit the hardest, with the food and beverage retail companies coming in with a close second.
Your small business is vulnerable, and cyber criminals know it. Data breaches happen on a daily basis, and yes, you’re the prime target. Preventing your company from becoming the victim of the next data breach requires a multi-faceted approach, including establishing stricter policies administered from the top down.
It’s about more than data encryption.
Once you’ve secured your network with a firewall, a VPN, and you are using end-to-end data encryption on your web applications, you need to secure the potential for an internal threat. This requires carefully maintaining the chain of integrity for all of your data from creation to distribution and destruction.
1. Keep a log of who receives login information.
You need to know who has access to your company accounts at all times. If an employee shares their login information with someone who compromises your company data, that employee can be held liable for the damage. But will they? Don't kid yourself -- you will likely still be responsible.
Create an excel spreadsheet with a list of login credentials with the space to document who you’ve given the credentials to and when. It helps to document an expiration date as well. Use this spot as a reminder of the date you need to terminate access for a temporary employees, and also to document the date you actually do revoke access for each employee.
Don’t delete an employee’s credential history when they leave the company. Move the information to another sheet if you have to. You may need it later on to prove that you gave an employee access to a certain account.
This spreadsheet won’t work by itself, though. You’ll need to schedule in time to review it and make sure you haven’t left any former employees with access to company assets.
You probably have an exit process checklist for employees parting ways. Make sure you add deleting their individual login credentials and changing all company passwords to that list.
2. Revoke login access when it’s no longer necessary.
It’s one more thing to add to your busy schedule, but it has to happen. Always make sure you revoke login access when it’s no longer necessary, no matter what.
For instance, if you hire a contractor to update your WordPress website, once they finish the work, delete their login credentials and change all existing user passwords. If you hire a contractor to update your website, delete their FTP account immediately upon delivery of the work.
Harvard Business Review.
Harvard Business Review reports that in 2016, IBM discovered that 60 percent of all cyber attacks were carried out by insiders. Most of these attacks were in the healthcare and financial industries since they collect the most personal data.
When you have to let an employee go, revoking access can be trickier. If they work remotely, they might discover they’ve been locked out before they make it to the office. However, don’t be afraid to revoke access before you’ve informed them of their termination. You can’t take any chances.
One extra precaution is to make sure you force close all current login sessions for their email. There are known security flaws in smartphone apps that allow users to remain logged in despite a password change. If you reset any passwords, they’ll receive confirmation emails and they could use those to sabotage the business.
3. Change passwords frequently.
Sometimes it’s difficult or impossible to revoke access for individual users. For instance, your entire team might use one login credential. Changing the password will instantly revoke access from those who don’t need it. Then you can give the new password only to those who really need it.
Passwords are a pain to generate and change, but it’s absolutely necessary. Don’t skip this step.
4. Delete old files and shred old documents.
You likely have a mix of electronic and paper documents containing sensitive information. Perhaps you’ve got multiple revisions of your business plan, or several instances of password files. The more you collect these documents without deleting the old ones, the more likely they’ll be used to compromise your company.
Black sharpie and cross-cut shredder.
The two tools you need for physical documents are a fat black sharpie and a cross-cut paper shredder. Use the sharpie to black out important information before you shred the documents, just in case you need to leave your desk for a break. The shredders cost about the same as a good inkjet printer, and it’s the only way to ensure snooping employees don’t discover something they’re not supposed to have access to.
Overwrite deleted files.
For electronic files, get some software to overwrite your deleted files. Windows comes with this software built-in. If you’re using a solid state drive, you don’t have to be as concerned. Data deleted from a solid state drive is immediately and permanently deleted to free up memory. If you’re using an old magnetic hard drive, you will need to overwrite your files.
5. Frequently check secondary account information.
Hopefully it doesn’t happen to you, but sometimes employees add their personal email account or phone number to company accounts with the intention of using it to retrieve a password later on.
Schedule a day out of each month to check your social media, CRM, and email marketing accounts to make sure nobody’s slipped in an unauthorized account recovery email address.
6. Check the list of your company’s email accounts periodically.
One of the ways employees can maintain access to company assets once they’ve left the company is by creating extra email addresses at your company’s domain that forward to their personal email. If this happens, you’d probably never notice.
This is a really sneaky tactic that gives them the ability to retrieve verification codes that will only be sent to an address on your company’s domain. They can request these codes when they’re trying to take control of various online accounts.
If you’re not careful, you can lose control over company accounts holding sensitive customer information like your CRM or email marketing application.
Any employee who has access to your web server can create their own email address. Check your existing email addresses periodically to make sure they’re all legitimate. Also be sure to verify what your “catch-all” email address is. That’s the email that captures all un-routed mail.
If someone takes control of your catch-all email address, two things can happen. One, they can sign up for anything with any email address at your company’s domain, even if the email address doesn’t exist. They can also generate lost password requests for email addresses that no longer exist that used to belong to former employees. Since the email address doesn’t exist, the requested email will go straight to the catch-all email.
7. Create a zero tolerance policy for security violations.
Everybody deserves a second chance, except when they willfully violate security policies. Have a policy in place detailing actions that are grounds for automatic termination and stick to it no matter what.
For example, don’t allow employees to share passwords for any reason. If your Facebook ad manager can’t log in to the company’s Facebook account, it’s tempting for another employee to let them use their credentials so they can get their work done. They just want to help. However, that helpful employee won’t know if you’ve intentionally revoked access because the Facebook ad manager is being terminated.
Creating a policy of zero tolerance for security violations is the only way to get your employees to take the policies seriously. You might still have people who occasionally violate these policies without your knowledge, and that’s why you shouldn’t rely on just one policy to keep your company secure.
You can prevent most vulnerability exploits.
You can’t prevent every possible exploitation, but you can prevent most of them. Since most attacks are exploits and not actually hacks, tight security policies that aren’t meant for anybody specifically, can prevent most insider attacks.