From 2013-2014, Yahoo was breached by hackers and over 3 billion user accounts were compromised. Three billion. The fallout from the security breaches was estimated to have knocked off $350 million from Yahoo’s sale price when it was ultimately acquired by Verizon in 2017.
While most businesses won’t find themselves victims of breaches of similar magnitudes, every single company should still be concerned with information security. Moreover, one Ponemon Institute study shows that, on average, each stolen record containing sensitive information costs $148. The total cost, worldwide, was $3.86 million in 2017, according to that same report. Attacks are more common than you might think. According to Wombat’s 2018 State of the Phish report, more than 76% of organizations surveyed reported phishing attacks in 2017.
Shifting businesses and data models to cloud solutions make businesses like startups, which usually can’t afford private or dedicated cloud solutions, more prone to things like phishing attacks and malware. This is especially important if your business handles consumer data.
On top of the legal and financial ramifications that come with a data breach, consider the damage your business’s reputation will also take. A data breach is costly, and a smart business owner would take every step possible to ensure that it doesn’t happen.
Here are seven tips to help you get your (security) ducks in a row.
1) Adhere to Basic IT Security Principles
When it comes to IT security, start with the basics. Use complex passwords, don’t open emails from suspicious addresses and don’t open links from sources you don’t recognize. While it may sound basic, even, the U.S. Department of Homeland Security talks about the importance of something as simple as using complex passwords.
Hackers will often look for the simplest ways into any system—and they start with these basics first. Firms may invest millions in sophisticated computer systems, outfitted with top-of-the-line antimalware systems. At the same time, the company will have an admin account that uses “123456” as their password. Make sure no one at your company uses any of the following passwords: “123456,” “123456789,” “qwerty,” “111111,” “google.”
2) Train Your Employees (All of Them)
As stated above, a heavy majority of businesses suffer from phishing attacks. These refer to instances when targets are contacted by thieves looking to steal valuable information. These often come in the form of emails, and these hackers can make themselves appear very real to recipients. Employees should all be trained on IT security and coached to never hand out sensitive information to anyone they don’t recognize.
This goes double for senior level executives. A common form of phishing, referred to as “spear phishing,” involves targeting a high-level employee with a lot of access to sensitive information. Unlike regular phishing attacks, spear phishing can be harder to detect. That’s why it’s crucial your employees are trained on how to detect such attempts.
3) Use Two-Factor Authentication
Don’t settle on just having a single username and password combination. Take it a step further by using two-factor authentication. Users will be tasked with a secondary authentication sequence like confirming an email or inputting a code sent to their phone. This can be used for both employees and consumers.
Know that two-factor authentication isn’t foolproof. Again, training is crucial, and without it, two-factor authentication can fail. For example, an employee might see a request for access in an email and blindly click the link—allowing a fraudster to gain access.
4) Encrypt, Encrypt, Encrypt
Data encryption is key for sensitive information. Encryption simply means changing data into an unreadable state. Take it a step further by having encrypted data and keys on different servers. A startup most likely won’t have an in-house encryption expert, but there are plenty of technology solutions that will encrypt data for you. Companies like IBM will often provide affordable prices backed with the expert of a large IT company that takes data security seriously.
5) Make Penetration Testing Part of Your Security Routine
Another tool available in the market is penetration testing. Tools that perform these sorts of tests will be able to identify weakness and vulnerabilities in your IT security measures. The comprehensiveness of these tests will vary as there are different price points for different companies. We highly recommend that these risk assessments be carried out on a regular basis. Be sure to check industry guidelines, since some industries like the health-care industry are required by law to conduct risk assessments on a regular basis.
6) Install Software Updates
Operating on an outdated version of operating software can be dangerous. Don’t ignore software updates when they’re rolled out since they can contain security patches to vulnerabilities that hackers exploit. The older the system is, the more serious this issue is. For example, it probably won’t be too much of an issue if you miss the latest update for Windows 10, but if you’re still running on Windows 2000, we’d recommend you upgrade immediately.
7) When Possible, Use Cloud Solutions
As a small business or startup, you likely won’t have the capital to construct an entire on-premise IT infrastructure. This is why most businesses house their data and information on cloud solutions. However, we recommend that businesses choose their cloud hosting solutions carefully. Cloud solutions are typically more prone to security breaches than on-premise solutions. This is why we’d recommend going with a cloud solution from a reputable IT company like Amazon, Microsoft, IBM or Salesforce. There are plenty of large IT companies that take data security very seriously and offer enterprise cloud solutions.
If hosting your IT infrastructure on a cloud-based solution isn’t right for your business, and you absolutely need 100% availability at all times with no downtime, you’ll have to utilize on-premise solutions. However, carefully consider the costs of on-premise solutions. Ignoring the space and energy consumptions costs, the physical servers themselves can get quite expensive. Servers are typically known to reach upward of $30,000. If you can’t yet afford a serious piece of equipment like that, consider a small-business loan to help finance your solution.
These security measures might seem overblown to some business owners, but we do stress the importance of them. Protecting your information is crucial to the survival of your business, and when measured against the cost of closure, we’d say these costs are pretty small.