One of the most common responses I get from small-business owners when I talk to them about data security goes something like this: "Who would want to steal anything from us? It's not like we're the NSA."
The hard truth is that any business is a target for bad guys. Just like any home can get robbed, any car can get stolen, and any eBay account can get hacked. It doesn't matter what kind of business you're in. You are vulnerable.
Especially now. Because every business is connected to a network in some way, it means that one bad apple can test the security of thousands of businesses--all with the push of a button.
And these breaches can be costly. Ponemon Institute is an independent research group that has been studying the cost of data breaches for nearly a decade. It factors in everything from lost business (or customer churn) to public relations efforts to notification letters. The institute found that the average cost per each record lost is $202, a number that has been climbing steadily over the last few years. Multiply that number by however many records you have and you'll start to get some idea of why you should take data security seriously.
So what can you do about it? The Federal Trade Commission has a terrific guide that details the steps small businesses should take to protect sensitive information. Below I've listed the high-level steps the commission recommends, but don't forget that these rules apply to both physical and digital records and that threats come from both outside and inside your organization.
- Take stock. You can't manage what you don't measure. As a business owner, it's your responsibility to know what information you're keeping, how far back it goes, and which records qualify as sensitive. Knowing all of this is not just good for security purposes, it's also good business.
- Scale down. The less information you have around, the less vulnerable you are to theft. Only collect those pieces of data that you really need to make your business more efficient. Don't put your customers (and your business) at risk by storing credit card numbers you don't need. And never make customers use their Social Security number as an identifier unless absolutely necessary.
- Lock it. The information you're keeping around must be kept secure. That means physical records must be locked in boxes and in secure locations. And digital records must have sufficient safeguards. All PC hard drives should be password-protected. That means that before the computer even boots up it prompts you for a password (this is different than your login screen). Screensavers should come up in no more than 20 minutes, requiring a password to log back on. And servers that house records must have robust security measures and, in some cases, encryption.
- Pitch it. Most businesses hold onto thousands of unnecessary, outdated or otherwise useless records. Tax records and supporting documentation should be held onto for seven years, on average. But other things, like paycheck stubs, bills, investment records and such, should be kept no longer than a year. Get a shredder and use it.
- Plan ahead. Prepare for the worst. You need an action plan for how you will investigate a breach, notify customers and remediate any security vulnerabilities.
Security is often an afterthought for a small business, but it's simply not enough to hope these things don't happen to you. Getting out ahead of these kinds of issues is critical. And building security into technology systems before you start using them is always a good idea.
Dan Briody is the author of two books and is the former Executive Editor of CIO Insight Magazine, a leading publication for information technology managers. He is also a frequent contributor on technology topics for Wired, Inc. and Business Week magazines.