Small and medium enterprises make up the vast majority of businesses worldwide, but they rarely get media airtime when it comes to data breaches. Yet one study found that around 72% of all breaches occur in SMEs, so why do we hear so little about them, and what can you do to protect your small or medium business?
The Small Business Administration defines small businesses as independent companies with fewer than 500 employees. Data from IBM’s Cost of Insider Threats report from 2020 shows that these organizations spent an average of $7.68 million to deal with a data breach. This sum is obviously enormous for the vast majority of small businesses, and it lends credence to the much-quoted statistic that 60% of small businesses cannot stay in business in the six months following a breach.
The problem is that, although SMBs are hit most (and some would say hardest), 60% of leaders in these organizations believe that they aren’t going to be targeted. The reality is that, unlike large companies that have the resources for sophisticated monitoring and protection of their systems, small businesses lack the funds and knowledge of how to better protect their data. This makes it more likely that they will suffer data breaches.
So, if you are a small business owner, the most valuable data you have is your customer data, but what steps can you take to protect it?
Mistakes in data practices are usually down to ignorance, so here are some tips. There are several things you can put in place to help protect your SMB from a data breach. Soveren’s CISO gives his recommendations on what you can do to shore up your security practices and help protect against data breaches:
The best way to fully understand what is going on inside your organization and then to enact a set process is to document everything you are doing. Start by documenting your practices and you will see where you could be going wrong and can make steps to correcting the situation.
Once you have documented what is (or is supposed to be) going on with your data practices, you will want to define the data flows. Here you will be looking at why certain data is transferred where and making someone responsible for it.
Now that you have processes in place and people made responsible, limit access to the data to only those who need it as part of their work. Make these people gatekeepers and set access and usage controls for them and others so that you can spot anomalies.
Where possible, monitor access to personal data both from within your organization and from the outside by any third-party services you use. Monitoring is one of the first and most important steps in preventing a data breach.
Different data will require different levels of protection. SMEs can therefore separate personal data from technical data and give different protection to each. For example, you should store metadata about orders and website usage in one place, but store names and billing addresses elsewhere and give higher protection to the personal data.
Here you should look to adhere to the strongest data protection regulation that applies. For example, if you are a non-EU company that serves EU customers, you shouldn’t have one set of practices for non-EU customers and another for EU customers. Apply the most stringent regulation across the board.
A simple and effective way to protect data in your organization is to add additional layers for you and staff to authenticate themselves. The simplest way to do this is to make everyone activate two-factor authentication across all of your systems.
If you store any data onsite (on hard drives or on servers), apply additional security measures to protect it. These should be both physical (e.g. a locked cabinet) and digital (encryption and password protection).
Be wary of the access you grant to third-party services (e.g. SaaS apps) you use to optimize your operations. Do not let them “pull” personal data from your stores; only push the data to them. In practice this means sending data to a third party only when you need it processed, rather than giving the third party open access.
Soveren’s CTO recently wrote about how you can reduce risks when you are sharing personal data with third party services.
Privacy regulations and good data practices involve retention periods where you should delete data or make it anonymous. Opt to anonymize data rather than delete it at the end of retention periods so that you can still make further use of it.
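The two practices above, keeping personal data in a separate, higher-protection store from order metadata and anonymizing rather than deleting it at the end of retention, can be put together as follows. This is an added example written for this post, not Soveren’s code; the two-year retention period, the field names and every record are constructed assumptions.

```python
"""Keep personal data apart from order metadata, protect it separately, and
anonymize (rather than delete) it when the retention period ends.
Added example written for this post; every record here is constructed sample data."""
from dataclasses import dataclass
from datetime import date, timedelta
import secrets

RETENTION_DAYS = 2 * 365      # assumption: a two-year retention period
ANON = "[anonymized]"         # fixed token written over identifying fields

@dataclass
class PersonalRecord:         # higher-protection store: names and billing addresses
    name: str
    billing_address: str
    last_activity: date

@dataclass
class OrderRecord:            # ordinary store: order metadata only, no direct identifiers
    order_id: str
    customer_ref: str         # opaque link token, never a name, email or account number
    total_cents: int
    placed_on: date

class CustomerData:
    def __init__(self) -> None:
        self.personal: dict[str, PersonalRecord] = {}   # keyed by customer_ref
        self.orders: list[OrderRecord] = []

    def add_customer(self, name: str, address: str, when: date) -> str:
        """Stores the PII and hands back the random token the order store will use."""
        ref = secrets.token_hex(8)    # random, so the token itself reveals nothing
        self.personal[ref] = PersonalRecord(name, address, when)
        return ref

    def add_order(self, ref: str, order_id: str, total_cents: int, when: date) -> None:
        self.orders.append(OrderRecord(order_id, ref, total_cents, when))
        self.personal[ref].last_activity = max(self.personal[ref].last_activity, when)

    def anonymize_expired(self, today: date) -> int:
        """Overwrites identifying fields whose retention period has passed; the
        order rows keyed by the same token stay intact. Returns the count anonymized."""
        cutoff = today - timedelta(days=RETENTION_DAYS)
        expired = [r for r in self.personal.values() if r.name != ANON and r.last_activity < cutoff]
        for rec in expired:
            rec.name = rec.billing_address = ANON
        return len(expired)

    def revenue_by_ref(self, ref: str) -> int:
        """Analytics on the metadata store keep working after anonymization."""
        return sum(o.total_cents for o in self.orders if o.customer_ref == ref)
```

Because the order store only ever holds the random token, a leak of that store on its own exposes no names or addresses, and the revenue figures remain usable after the personal records have been anonymized.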
While large enterprises struggle with the scale and scope of personal data management to avoid breaches, small and mid-sized companies struggle to find the expertise to manage the complexities and generally have a lack of knowledge on what practices they should be implementing.
Use the above suggestions to help your small business protect its data assets and avoid costly data breaches.