As your small business gains momentum, you’ll undoubtedly juggle countless tasks at once, so when it comes to data security, it’s easy to put it on the back burner. But the fact is that if you suffer a data breach, the costs could include customer erosion, financial losses, and regulatory fines. The reputational fallout alone can continue months beyond the incident and translate into upwards of $5 million in losses.
And don’t think you get a free pass on security simply because your business isn’t large or well known. According to Verizon’s 2013 Data Breach Investigation Report, 72 percent of data breaches affect small businesses, making it clear that cybercriminals and automated attacks don’t discriminate on company size. What’s worse, more than half of small businesses don’t survive past six months after a breach.
Can your growing business weather a security slip-up and the loss of your customers’ trust?
What if your business relies on SaaS applications? No doubt, cloud computing offers instant access to sophisticated services that would be too costly and complex to build on your own, but don’t be mistaken, these cloud applications carry risks, as well.
They spread employees’ credentials and your business’s data across the web, and that data often includes customer or regulated data. Fraudulent access to those accounts can put regulatory compliance and your customer relationships at risk.
Embedding a security strategy in your business culture and work styles now will serve you well as your business grows – securing both your business’s data and your customers’ trust.
Assess Your Risks
The first step to a solid security strategy is understanding your internal risks. The weakest link in cloud security is often end-user behavior – aka your employees.
According to Forrester Research, insiders are the most common source of data risk, and 36 percent of breaches are due to inadvertent mistakes by employees. The risks range from using insecure passwords, to falling prey to phishing attacks, to losing devices that hold business data, to sharing data inappropriately.
The insider risks for growing businesses are great for many reasons. First of all, with the consumerization of IT, boundaries between our work and personal lives have been blurred – leading to empowered employees who bring personal habits and IT into the workplace.
Additionally, employees fill more or broader roles, with wider access to data and applications, which makes their login credentials high-exposure points for the business. And while cloud services and applications deliver low-cost, powerful solutions, they introduce reused employee credentials and outsourced security to the business. Lastly, while a “Bring Your Own IT” policy keeps expenses down through employee-owned devices and applications, it leaves a gaping hole in your security strategy.
Fill the Holes
You can mitigate these risks to your business by building a security strategy that matches the way you and your employees work today. Here are five key steps to get you started:
1. Train Your Employees
Employees are the frontline of your organization and the gateway for much of your corporate data – they create, access, and transact it daily.
But first and foremost, they act like consumers. They bring their own devices, cloud applications, and security habits (either positive or negative) to work, leaving your business’s data at the mercy of each individual’s behaviors. And with data breaches on the upswing, you can’t afford to leave your employees ignorant of security best practices.
Passwords are frequently reused, so when an employee’s personal accounts are breached, it creates a potential entry point into your business. By helping employees secure both their personal and work lives, you’ll mitigate risk to your business. Train employees on the tactics cybercriminals use to breach accounts so they can detect when something is amiss, and to gain buy-in, stress the risks – both professional and personal – that are at stake.
Security training is available through web-based platforms or consultants. Creating awareness and a behavior change in your employees is the trick to creating a culture of data security.
2. Get Serious About Online Identities
Employee login information is the key that opens the front door of your business. With that key in hand, hackers can access the network and cloud resources that store your customers’ data.
As seen in eBay’s recent breach of employee logins, this can mean the compromise of customer records – 145 million in eBay’s case. Much of your business is done in the cloud, and the more cloud resources your business relies on, the greater the potential risk of stolen logins. And due to the epidemic of reused logins, a login stolen in one location can be used to unlock others.
It’s essential that these identities and their corresponding logins and permissions be managed centrally, both for the security of the business and for its visibility into who has access. Identity and access management (IAM) solutions enable businesses to manage and secure employees’ logins to network and cloud resources. This allows them to track and manage who is accessing what, and when.
Luckily, cloud applications have evolved IAM to the cloud, so solutions in recent years are more affordable and convenient to manage and access. Consider deploying cloud-based IAM solutions to secure employee identities and your business-critical data in the cloud.
3. Curate Cloud Vendors With Care
Marketing security theater is alive and well. The majority of vendors claim to have strict privacy policies and secure services – whether it’s HTTPS, password protection, or encryption – but how do you really know?
Ask potential vendors where your data will be stored, who will have access to it, and what physical/network security standards and breach notification policies they enforce. Perform due diligence on applications employees use on behalf of your business. Cloud resources are chosen for their utility and convenience, but the business needs to understand exactly where and how its data is being managed. Ignorance is not bliss – it’s a liability.
Before you entrust vendors with your online identities and data, assess their reputations based on these queries:
- Do they have a strong foundation in security, with reputation and experience to match?
- Who trusts them, and what customer references can they provide?
- Can they explain why their solution is secure?
- If they offer free services, ask why. Are they monetizing your data?
4. Make Security Convenient
Ultimately, the key to security adoption is convenience.
When security policies and tools are confusing, time-intensive, or have limited device compatibility, people simply won’t use them, especially if they impede their day-to-day productivity. The cloud and BYOIT, on the other hand, give them workarounds for security and the ability to choose their own IT tools. But chances are, these shortcuts are short on security, too.
Curate policies and tools for employees that are convenient and intuitive, but also fulfill your security needs. If people are using an application that you haven’t approved, find out why they need it and whether it’s up to your standards. Rather than banning the application, offer a secure alternative. Make it easy for people to find the applications you’ve curated and follow security guidelines.
At the end of the day, convenience will always trump security, so finding that middle ground is crucial.
5. Embrace BYOIT
BYOIT brings great value for small businesses – namely reduced costs – but while it’s a win for your bottom line, it’s a threat to your data.
Employee-owned devices and applications that can access, transact, and create your business-critical data on a daily basis pose big risks for your company. You can significantly reduce these risks by enrolling BYOIT users into a defined, sustainable security program that simply secures access to your data. Implement these three best practices to do so:
- Require employee devices to run company-approved anti-virus, anti-malware, and anti-spyware programs.
- Defend against device loss and theft by auto-locking and encrypting all devices’ resident data with a passcode.
- Centralize and secure all device access to business services with a cloud single sign-on solution that uses two-factor authentication.
Security statistics and tips are not here for fear-mongering, but rather to underscore the need for any growing business to address the many variables that influence the security of its data and resources. A simple and convenient security strategy will reduce the risk from a security breach and allow you to maintain and grow your customers’ trust.