Five Ways That Small Businesses Risk Customer Data

Data breaches and cyberattacks have dominated the news over the past several months, embarrassing such big companies as Las Vegas Sands, whose casino in Bethlehem, Pa., was attacked, and Target, which suffered the biggest retail attack in U.S. history.

Hackers don’t just go after multinationals. Smaller companies are often prime targets for attackers looking to exploit vulnerable security systems, says Kevin B. McDonald, executive vice president of computer network management company Alvaka Networks. Entrepreneurs may also be snagged by hackers who cull through a wide swath of computer IP addresses looking for weaknesses.

“The first step to defense is eliminating denial,” McDonald says. Here are five areas in which entrepreneurs should wise up and increase their customer safeguards.

Off-line practices. State-of-the-art online security won’t protect against terrible office practices, like passing around order forms with credit-card numbers and other customer data. “Many breaches occur right in the office, just due to bad data-protection policies,” says Scott Sanfilippo, co-founder of Solid Cactus, an e-commerce consulting company. Any employee who writes down a customer’s credit-card number on a piece of paper, crumples it, and tosses it in the trash is putting that customer at risk.

Employees. Train workers regularly to identify and avoid such common scams as phishing attacks, says Will Pelgrin, chief executive of the nonprofit Center for Internet Security. Establish a written security policy that governs employees’ day-to-day activities on company computers and accounts so they don’t inadvertently invite intruders into your network.

Mobile. Don’t forget employees’ tablets and smartphones, which are increasingly being used for work. “The perimeter has dissolved, and security protections are dependent on each user with a mobile device,” Pelgrin says. Every device should have anti-virus and anti-malware software and commercial-grade firewalls installed, McDonald says.

Hardware safeguards. Does your company collect customers’ names, addresses, and dates of birth (maybe to send them birthday deals)? If so, you’ve got enough information for an impostor to steal that customer’s identity. Don’t keep any data you don’t legitimately need, and make sure you’re guarding the data you do keep responsibly. Start with good password policies and encryption software on all your computer hard drives, says Jonathan Hirshon, a privacy advocate and principal at high-tech marketing agency Horizon Communications. He recommends software that meets what’s known as the Advanced Encryption Standard (AES), which can be downloaded free from sites like TrueCrypt.

Passwords are also common weak spots. “If you use a single word as your password, it’s hackable in under 20 minutes—maybe under 10,” Hirshon says. Instead, use a pass-phrase that consists of several words, at least one number, and one special character. “Something like, ‘Ilikewatchingchannel5!’ is much more difficult to hack,” he says. Better yet, password managers such as 1Password or LastPass let you generate random, unique passwords for different sites without having to remember each one.
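To make the pass-phrase advice concrete, here is an added example (not from the article or from any of the people quoted in it) that checks a candidate against the rules described above and estimates how large a brute-force search it forces. The minimum length of 16 characters standing in for "several words", the 100,000-entry dictionary size, the 10-billion-guesses-per-second rate and the tiny word list are all assumptions chosen for illustration, not measurements.

```python
import math
import string

# Constructed stand-in for an attacker's word list (assumption; a real list is far larger).
COMMON_WORDS = {"password", "welcome", "dragon", "sunshine", "football", "monkey"}

# Assumed size of a realistic cracking dictionary, used to cap the strength of a single word.
DICTIONARY_SIZE = 100_000

# Assumed offline guessing rate for the time estimate (illustrative, not a benchmark).
GUESSES_PER_SECOND = 1e10

# Approximation of "several words": require at least this many characters (assumption).
MIN_LENGTH = 16


def check_policy(pw: str) -> dict:
    """Report which of the pass-phrase rules the candidate satisfies."""
    return {
        "not_single_dictionary_word": pw.lower() not in COMMON_WORDS,
        "long_enough": len(pw) >= MIN_LENGTH,
        "has_digit": any(c.isdigit() for c in pw),
        "has_special": any(c in string.punctuation for c in pw),
    }


def passes(pw: str) -> bool:
    """True only when every rule in check_policy is met."""
    return all(check_policy(pw).values())


def raw_bits(pw: str) -> float:
    """Size of a brute-force search over the character classes the candidate uses, in bits.
    This is an upper bound: it assumes the attacker knows nothing about word structure."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    if alphabet == 0:
        return 0.0
    return len(pw) * math.log2(alphabet)


def effective_bits(pw: str) -> float:
    """Bits an attacker actually has to search. A single dictionary word is found by
    trying the dictionary, so its strength is capped at log2(DICTIONARY_SIZE) regardless
    of how the character-class estimate looks."""
    if pw.lower() in COMMON_WORDS:
        return min(raw_bits(pw), math.log2(DICTIONARY_SIZE))
    return raw_bits(pw)


def brute_force_seconds(pw: str) -> float:
    """Worst-case time to exhaust the effective search space at the assumed guess rate."""
    return 2 ** effective_bits(pw) / GUESSES_PER_SECOND


if __name__ == "__main__":
    for candidate in ("password", "Ilikewatchingchannel5!"):
        print(candidate, check_policy(candidate),
              f"{effective_bits(candidate):.1f} bits",
              f"{brute_force_seconds(candidate):.3g} s")
```

The two estimates are deliberately kept apart: `raw_bits` is what a naive strength meter reports, and `effective_bits` is why a dictionary word is weak even when the meter looks acceptable. A checker built on the raw figure alone would pass a long, common word; the dictionary rule closes that gap.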

Cloud protection. With companies increasingly moving to offsite data storage, you should be sure that your data in the cloud is protected. “Use an offsite data-backup provider that is keeping your data encrypted in more than one location, and [make sure] that their security is strong enough for intruders not to get in,” says Jennifer Walzer, chief executive of online data backup service Bumi. Ask questions before hiring a cloud service provider, Pelgrin says: “What measures are in place to protect data? Who has access to the physical machine hosting your data? Where is that machine located?”

When it comes to online financial transactions, McDonald recommends that small businesses consider using services such as PayPal. “If it’s set up properly, it can dramatically reduce your exposure and shift much of the cost and effort of compliance” off your company, he notes.

A thorough risk assessment will help you identify security gaps in your company. McDonald recommends A Guide To Conducting Risk Assessments (PDF) from the National Institute of Standards and Technology. “Be honest and thorough in this process,” he says. “Failure to identify obvious risks not only puts the data at risk, but also can lead to punitive damages if you are later found to have been neglectful.”