Data security should be an important area of concern for every small-business owner. When you consider all the important data you store virtually -- from financial records, to customers' private information -- it's not hard to see why one breach could seriously damage your business.
According to the most recent Verizon Data Breach Investigations Report [PDF], an estimated "285 million records were compromised in 2008." And 74 percent of those incidents were from outside sources.
We consulted Roland Cloutier, Chief Security Officer for ADP and a board member for the National Cyber Security Alliance, and Matt Watchinski, Senior Director of the Vulnerability Research Team for cybersecurity provider Sourcefire, to find out the key security measures every small business should be taking.
1. Establish strong passwords
Implementing strong passwords is the easiest thing you can do to strengthen your security.
Cloutier shares his tip for crafting a hard-to-crack password: use a combination of capital and lower-case letters, numbers and symbols and make it 8 to 12 characters long.
According to Microsoft, you should definitely avoid using: any personal data (such as your birthdate), common words spelled backwards and sequences of characters or numbers, or those that are close together on the keyboard.
Use their convenient password checker to see how strong yours is.
As for how often you should change your password, Cloutier says that the industry standard is "every 90 days," but don't hesitate to do it more frequently if your data is highly-sensitive.
Another key: make sure every individual has their own username and password for any login system, from desktops to your CMS. "Never just use one shared password," says Cloutier.
And finally, "Never write it down!" he adds.
2. Put up a strong firewall
In order to have a properly protected network, "firewalls are a must," Cloutier says.
A firewall protects your network by controlling internet traffic coming into and flowing out of your business. They're pretty standard across the board -- Cloutier recommends any of the major brands.
3. Install antivirus protection
Antivirus and anti-malware software are essentials in your arsenal of online security weapons, as well.
"They're the last line of defense" should an unwanted attack get through to your network, Cloutier explains.
4. Update your programs regularly
Making sure your computer is "properly patched and updated" is a necessary step towards being fully protected; there's little point in installing all this great software if you're not going to maintain it right.
"Your security applications are only as good as their most recent update," Watchinski explains. "While applications are not 100 percent fool-proof, it is important to regularly update these tools to help keep your users safe."
Frequently updating your programs keeps you up-to-date on any recent issues or holes that programmers have fixed.
5. Secure your laptops
Because of their portable nature, laptops are at a higher risk of being lost or stolen than average company desktops. It's important to take some extra steps to make certain your sensitive data is protected.
Cloutier mandates "absolutely: encrypt your laptop. It's the easiest thing to do."
Encryption software changes the way information looks on the harddrive so that, without the correct password, it can't be read.
Cloutier also stresses the importance of never, ever leaving your laptop in your car, where it's an easy target for thieves. If you must, lock it in your trunk.
6. Secure your mobile phones
Cloutier points out that smartphones hold so much data these days that you should consider them almost as valuable as company computers -- and they're much more easily lost or stolen. As such, securing them is another must.
The must-haves for mobile phones:
- Encryption software
- Password-protection (Cloutier also suggests enabling a specific "lock-out" period, wherein after a short amount of time not being used, the phone locks itself)
- Remote wiping enabled
Remote wiping is "extremely effective," Cloutier says, recounting the story of one executive who lost his Blackberry in an airport, after he had been looking at the company's quarter financials. The exec called IT in a panic, and within 15 minutes they were able to completely wipe the phone.
7. Backup regularly
Scheduling regular backups to an external hard drive, or in the cloud, is a painless way to ensure that all your data is stored safely.
The general rule of thumb for backups: servers should have a complete backup weekly, and incremental backups every night; personal computers should also be backed up completely every week, but you can do incremental backups every few days if you like ("however long you could live without your data," Cloutier explains).
Getting your data compromised is a painful experience -- having it all backed up so you don't completely lose it will make it much less so.
8. Monitor diligently
"All this great technology […] is no good unless you actually use it. You have to have someone be accountable for it," says Cloutier.
One good monitoring tool Cloutier suggests is data-leakage prevention software, which is set up at key network touchpoints to look for specific information coming out of your internal network. It can be configured to look for credit card numbers, pieces of code, or any bits of information relevant to your business that would indicate a breach.
If you don't monitor things, warns Cloutier, "it's a waste of time and a waste of resources." And you won't know that you've been compromised until it's far too late.
9. Be careful with e-mail, IM and surfing the Web
It's not uncommon for a unsuspecting employee to click on a link or download an attachment that they believe is harmless -- only to discover they've been infected with a nasty virus, or worse.
"Links are the numbers one way that malware ends up on computers," says Cloutier. "Links are bad!"
As such, never click on a link that you weren't expecting or you don't know the origination of in an e-mail or IM.
You have to "be smart when surfing the Web," Watchinski warns. "[You] should take every "warning box" that appears on [your] screen seriously and understand that every new piece of software comes with its own set of security vulnerabilities."
10. Educate your employees
Teaching your employees about safe online habits and proactive defense is crucial.
"Educating them about what they are doing and why it is dangerous is a more effective strategy than expecting your IT security staff to constantly react to end users’ bad decisions," Watchinski says.
It's not easy: "One of the most difficult things to do is protect end users against themselves," he adds. But ultimately, prevention is the best approach to handling your data security.
Make sure your employees understand how important your company's data is, and all the measures they can take to protect it.