Cyber breaches of mega-retailers like Home Depot and Target, health care insurers like Anthem, Premera and Excellus, and federal agencies -- most prominently, the Office of Personnel Management -- dominate the headlines, but they are only a fraction of the story. What most people don't realize is that a staggering 90 percent of breaches impact small businesses. Those figures, released by payment technology solutions powerhouse First Data, highlight the seriousness of the cyber security issue for small businesses.

Unlike larger organizations with revenues in the billions, small businesses might easily experience a near extinction-level event from a data breach. The recovery expenses mount quickly -- credit monitoring for affected customers, lost revenue, crisis management, customer notification and investigation of the breach, just to name a few -- and can create a financial loss so staggering it has the potential to crush a small business. With 2016 already on pace to see a 4.7 percent rise in the number of database compromises over last year, according to data released by the Identity Theft Resource Center, members of the business community have a right to wonder if or when this seemingly never-ending assault will plateau.

Small businesses need to follow the 3Ms in order to navigate a most dangerous digital world. Minimize the risk of exposure; monitor networks; and have comprehensive incident response and resolution programs in place in order to manage the damage. In other words, respond urgently, transparently and empathetically to customers and employees in the event of a compromise.

Here are four strategies that can help small businesses better defend against malicious insider and hacker attacks and more effectively deal with them if a breach does occur. 

1. Know your risks

It’s imperative that small businesses acknowledge the value of their data and do what they can to protect it. Companies of every size can reduce the chance of an exposure if they scour their network and data assets with an eye toward where vulnerabilities might be lurking.


First, review the type of data that you are collecting and storing. Businesses handling medical or financial information, for example, may need to comply with industry regulations or state and federal laws that require specific security measures. Also, understand where sensitive information currently resides. A server with remote access could present an easy target for hackers. Consider keeping top-level data somewhere that’s more difficult to reach. 

Get a handle on how data moves across your network. How are mobile devices authorized to connect? Which data is shared with third parties? See if security gaps exist at those connection points and fix them.

2. Make employees your first line of defense

Employees typically have wide access to stored information -- from customers’ financial data to personnel records. A better strategy is to match network access permissions to the requirements of specific job duties. If an employee doesn’t need access to sensitive data, don’t give it to them. When you change an employee’s role, update his or her login credentials to maintain a strong security posture. Equally important, immediately deactivate the network access of any employee who leaves the company, regardless of the circumstances of their departure.

Employees represent a delicious target. Hackers view them as the weakest link, making the small business workforce a crucial link in the security chain. Raising employee awareness is essential. Educate them about the dangers of phishing and falling for other common scams. Be sure they know what to do if they think they might have clicked on a malware-laden link or mistakenly provided information on a clone website.

3. Focus resources in the right areas

Like their larger counterparts, small businesses often hold enormous amounts of data. Trying to deploy an impenetrable fortress around all of it would be prohibitively expensive. Instead, identify the information that is most sensitive -- and most valuable -- and focus security resources in those areas. Consumer data (payment data and personally identifiable information such as Social Security numbers, names, addresses, birth dates, etc.) and employee data should be among the files afforded the highest level of protection.


Strong security doesn't have to be prohibitively expensive. Encryption technology is often free or very low cost, so look for opportunities to use it. By encrypting sensitive datasets, a stolen laptop or lost thumb drive will still be an annoyance but it may not result in a breach.

4. Invest in cyber insurance with coverage that matches your business risk profile

Because the financial implications associated with even a minor breach are significant, small businesses must consider mitigating their risks by adding a cyber insurance policy. Coverage is available that helps pay costs related to forensic investigations, customer notification, reputation management and even legal counsel. Some policies also provide access to experts who can help the business evaluate its risks and address potential vulnerabilities.

Adam Levin is a consumer advocate with more than 30 years of experience in security, privacy, personal finance, real estate and government service. A former director of the New Jersey Division of Consumer Affairs, Levin is chairman and founder of IDT911 and co-founder of Credit.com. He is also the author of "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves."

Source: https://www.entrepreneur.com/article/276221



Startups are usually in a rush, and they often forget about data security as they try to get an MVP out. With new businesses, a data breach can result in the company closing down. To address the mistakes most commonly made, I asked ten YEC entrepreneurs the following:

What’s the one crucial mistake that tech startups seem to make when it comes to data security nowadays and why?

1. Personal and professional borders

Bring your own device (BYOD) has become increasingly popular during the past years, even more so in the startup scene. People don't like carrying several smartphones and having to get proficient in different operating systems for tasks such as checking their email or updating their calendars. However, convenience often compromises security. Workers' personal devices can access and store sensitive corporate information locally. When the person leaves the company, the information leaves with them, forever stored on his or her device. Security-wise, this is a crucial mistake.


2. Ignoring two-step authentication

Two-step authentication – the system that sends a code to your mobile phone via SMS, which you enter when logging in to a site – is an easy, but often ignored, initial step. It is now offered in all the key business platforms, including Salesforce and Google Apps for Work. You can even enable this security system in social networks at will. Since password breaching is becoming more and more common, the wise thing to do is to enhance your online-stored sensitive information with an added protection layer.
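The answer above describes the second factor from the user's side (a code arrives, you type it in). The block below is an added example, not code from the respondent or from any of the platforms named; it shows the server side of the same idea using the time-based one-time code scheme of RFC 6238 that authenticator apps use (the SMS variant differs only in how the code reaches the user). The shared secret and timestamps are the RFC's published test values; the `SecondFactorVerifier` class and its replay guard are this example's own design.

```python
import hmac
import hashlib
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


class SecondFactorVerifier:
    """Server-side check of a submitted code (hypothetical helper for this example).

    Accepts codes from one step before or after the current one to tolerate
    clock skew, and never accepts a time step that has already been used, so
    a code observed in transit cannot be replayed after the legitimate login.
    A real deployment would only reach this check after the password succeeded.
    """

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_accepted_counter = -1  # would be persisted per user in practice

    def verify(self, submitted: str, at_time=None) -> bool:
        if at_time is None:
            at_time = time.time()
        now_counter = int(at_time // self.step)
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_accepted_counter:
                continue  # that step was already consumed: reject replay
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison so response timing leaks nothing about the code
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 test secret (constructed value from the RFC, not a real key)
    secret = b"12345678901234567890"
    verifier = SecondFactorVerifier(secret)
    code = totp(secret, at_time=59)
    print("code at t=59:", code)                      # 287082 per the RFC vectors
    print("first use accepted:", verifier.verify(code, at_time=59))
    print("replay accepted:", verifier.verify(code, at_time=59))
```

The replay guard is the part most home-grown implementations omit: without it, any code that leaks (shoulder-surfed, phished, or intercepted) remains valid for the rest of its time step plus the skew window.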


3. Security issues

Racing to get a sustainable product on the market and getting those all important sales is a top startup priority, which may cause security mishaps early on. Ensuring that your systems are secure is a meticulous process which can rob resources from product development. However, when startups “cheat” during security setup, it is almost certain that they’ll come across the same problem in the future. Privacy and safety should be top priorities from the beginning.

4. Insufficient exit protocols

Data lapses and security breaches are more common with companies that depend mostly on freelancers or part-time staff unless they incorporate a predetermined exit procedure. Data loss, in the form of confidential information sharing, account access and the like, happens easily when sensitive corporate data remains stored on these people's devices; they are not so security-conscious on their personal devices, or they even forget that the information is stored there in the first place. You ought to protect your company's and your clients' information by planning ahead with your legal team.
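Both the "match access to job duties, deactivate leavers" advice in the first article and the exit-protocol point above come down to the same periodic check: compare who is still enabled, and with what permissions, against what HR says each person should have. The block below is an added example of such an access review, not code from either article or from any vendor; the roles, permission names and the roster are constructed for illustration.

```python
from dataclasses import dataclass

# Permissions each role legitimately needs (constructed policy for this example).
ROLE_PERMISSIONS = {
    "support":     {"crm:read"},
    "accounting":  {"crm:read", "billing:read", "billing:write"},
    "engineering": {"repo:read", "repo:write", "prod:deploy"},
}


@dataclass
class Person:
    """One row of the HR roster (hypothetical schema)."""
    user: str
    role: str
    active: bool  # False once HR records the departure


@dataclass
class Account:
    """One account as exported from the identity system (hypothetical schema)."""
    user: str
    enabled: bool
    permissions: set


def review_access(roster, accounts):
    """Return (user, finding, detail) tuples for accounts that should not be
    enabled, that belong to nobody on the roster, or that hold permissions
    beyond what the holder's current role requires."""
    people = {p.user: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.user)
        if person is None:
            findings.append((acct.user, "orphan", "no matching person in roster"))
            continue
        if not person.active and acct.enabled:
            findings.append((acct.user, "not-deprovisioned",
                             "person has left but account is still enabled"))
        allowed = ROLE_PERMISSIONS.get(person.role, set())
        excess = sorted(acct.permissions - allowed)
        if excess:
            findings.append((acct.user, "excess-permission", ",".join(excess)))
    return findings


# Constructed sample data.
SAMPLE_ROSTER = [
    Person("alice", "support", True),
    Person("bob", "accounting", True),      # bob moved from engineering to accounting
    Person("carol", "engineering", False),  # contractor whose engagement has ended
]
SAMPLE_ACCOUNTS = [
    Account("alice", True, {"crm:read"}),
    Account("bob", True, {"crm:read", "billing:read", "billing:write", "prod:deploy"}),
    Account("carol", True, {"repo:read", "repo:write"}),
    Account("svc-old-intern", True, {"repo:read"}),
]

if __name__ == "__main__":
    for user, finding, detail in review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS):
        print(f"{user:16} {finding:20} {detail}")
```

Run against the sample data it flags bob's leftover deploy right from his old role, carol's still-enabled contractor account, and an account nobody on the roster owns. The same three checks apply whether the "accounts" come from a directory export, a SaaS admin console or a cloud IAM listing.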

5. Forgoing SSL from the beginning

SSL (Secure Sockets Layer) is easily implementable from day one. It should be enabled by default on every website. It reassures your users, while upgrading the security level of your communications.


6. Failing to prioritize security

Startups often think they can leave security for later when they will have grown larger. The problem with this approach is that the company fails to incorporate security in its core values, which makes it harder to deal with when the time comes.


7. Having no policies for cloud storage

Cloud storage services like Dropbox, Box and Google Drive are an amazing way to keep your team up to speed and handle documents. However, failing to lock them down properly renders them vulnerable to ransomware, viruses, and unauthorized access. The main vulnerability is the convenience of file sharing itself, which means that backups, anti-virus, password, email attachment and access policies must be set up before a single user is allowed to cause trouble for a whole company.

8. Disregarding security best-practice

Change in security practices follows the pace of technological evolution. This means that security standards from a decade ago are now obsolete. Many startups fail to keep up with the most up-to-date security developments and as a result, they use outdated encryption protocols or old techniques that can be breached by hackers and crackers.

9. No internal policies and infrastructure

Tech startups are in a prime position regarding data security because they have the ability to apply best industry practices from the start, without being held back by outdated systems. This has resulted in unprecedented product security. However, despite the increased security, internal protocols and practices at tech startups have not evolved accordingly. Limited use of single sign-on, sharing of credentials and insecure password policies all reflect the failure of technology startups to invest adequate resources in their internal systems and infrastructure, or to recognize their influence on data security.



10. No suspicious activity notifications

About half-a-year ago, I suffered a data breach that brought me close to a significant financial setback. For starters, I used a single (weak) password across many organizations, as well as for personal use. Someone figured out the password, and I suffered breaches in multiple points at the same time. I could have easily avoided this catastrophe with a simple policy regarding password strength. What’s more, I found out that sophisticated data security tools exist in many systems for mitigating data breaches. On Google Apps for Business, for example, I set up a notification alert to be sent whenever weird activity takes place.
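The "weird activity" alert the respondent describes is, at its simplest, a rule run over login records. The block below is an added example of two such rules, not the respondent's setup and not how Google Apps implements its alerts: it flags a successful login that follows a burst of failures on the same account (the pattern a guessed or reused password produces) and a successful login from a second source within a short window. The log format and every line in `SAMPLE_LOG` are constructed for this example; the IP addresses are from the documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp>Z user=<name> ip=<addr> result=ok|fail"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one log line into (timestamp, user, ip, result); None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["ip"], m["result"]


def detect_suspicious_logins(lines, window=timedelta(minutes=10), fail_threshold=3):
    """Return (user, alert, detail) tuples. Malformed lines are skipped and
    events are processed in time order so out-of-order input is handled."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort()
    history = defaultdict(list)  # user -> [(ts, ip, result)] within the window
    alerts = []
    for ts, user, ip, result in events:
        recent = [e for e in history[user] if ts - e[0] <= window]
        history[user] = recent
        if result == "ok":
            fails = sum(1 for e in recent if e[2] == "fail")
            if fails >= fail_threshold:
                minutes = int(window.total_seconds() // 60)
                alerts.append((user, "success-after-failures",
                               f"{fails} failed attempts in the preceding {minutes} min, "
                               f"then success from {ip}"))
            ok_ips = {e[1] for e in recent if e[2] == "ok"} | {ip}
            if len(ok_ips) >= 2:
                alerts.append((user, "multiple-sources", ",".join(sorted(ok_ips))))
        history[user].append((ts, ip, result))
    return alerts


# Constructed sample log (documentation IP ranges; no real systems involved).
SAMPLE_LOG = [
    "2016-03-01T09:00:00Z user=alice ip=203.0.113.5 result=ok",
    "2016-03-01T09:01:10Z user=bob ip=198.51.100.7 result=fail",
    "2016-03-01T09:01:15Z user=bob ip=198.51.100.7 result=fail",
    "2016-03-01T09:01:21Z user=bob ip=198.51.100.7 result=fail",
    "2016-03-01T09:01:30Z user=bob ip=198.51.100.7 result=ok",
    "this line is not a login record and is skipped",
    "2016-03-01T09:03:00Z user=alice ip=192.0.2.44 result=ok",
    "2016-03-01T09:30:00Z user=carol ip=203.0.113.9 result=fail",
    "2016-03-01T09:45:00Z user=carol ip=203.0.113.9 result=ok",
]

if __name__ == "__main__":
    for user, alert, detail in detect_suspicious_logins(SAMPLE_LOG):
        print(f"{user:8} {alert:24} {detail}")
```

On the sample log, bob's login after three rapid failures and alice's second login from a different address three minutes after the first are reported; carol's single typo followed by a success a quarter of an hour later is not, because it falls outside the window. Thresholds and window are the knobs to tune against your own false-positive rate.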

Source: https://www.entrepreneur.com/article/277086
