Straightforward Data Security for Small Businesses

NASE News

The technological landscape has changed enormously over the past decades for small businesses with the explosion of smartphones, online shopping, and cloud-based data storage. Small businesses and the self-employed have the ability to more efficiently manage operations, communicate with employees and clients no matter their location, and reach vastly greater numbers of potential customers.

But the same digital innovations that open up new horizons for business can bring catastrophic security risks if basic data and IT systems protocols are not in place. The technical nature of data security can feel overwhelming for small businesses, especially if money and time constraints are tight.

But small business owners cannot afford ignorance when it comes to securing their data and operations. According to the Better Business Bureau, more than one in five businesses have been the target of a cyberattack, with a median loss of $2,000. Perhaps even more worrisome, “smaller businesses may be unaware that they have been attacked.” Security firm FireEye reports that, on average, it takes 146 days for a “cyber intrusion” to be detected.

So where do you begin? In this article, the National Association for the Self-Employed (NASE) provides practical guidance on the following topics:
 - Security and privacy policies
 - Simple ways to guard against cyberattack
 - Cloud-based data storage
 - Local backup and security tips
 - Free resources for cybersecurity planning

Secure The Perimeter
First, identify the what, where, who, and how of your sensitive information.

What: What is sensitive data?
Critical business data obviously includes your financial records, credit card transaction details, and any personal information of your employees.

Sensitive data can also include any documents, emails, spreadsheets, and databases that contain any financial or personal information – in both electronic and paper form.

Where: Where is this information stored?
Whether it is on computers, smartphones, servers, ledgers, filing cabinets, or a desk drawer, you need to know every location of this data and secure it.

If you are using a wireless network for internet in your office or home business, there are a few highly effective precautions to take immediately:

 - Protect your network with a password
 - Hide your network name and password-protect your router
 - Use WPA2 encryption rather than WEP
 - Review and change passwords every few months
 - Ensure all passwords in your system are strong and updated regularly

The US Small Business Administration recommends that you use a firewall and encrypt information. Although these precautions may sound technically daunting, they are all relatively simple – and entirely free.

Encryption expert and IT consultant Stephen Cooper, who offers a plain-language, step-by-step guide to securing a wireless network, notes that “You don’t have to be a technical expert in order to improve the security of your home wifi network, you just need to be a little smarter in your habits.”

Who: Do you know exactly who has access to your sensitive data?
No employee needs access to everything, not even an IT technician. Limit access to records on a need-to-know basis, and separately store different types of information. Maintain a record of who accesses what, and when, in the event that sensitive data is compromised or disappears.

How: How do you access data?
Smartphones and personal laptops are increasingly used for work, which means work files and personal data can get mixed. It also means that security precautions against an attack or accidental loss are inadequate.

These devices are taken outside of the office, where they may be used on public wi-fi. Sensitive work data may also be exposed through apps that sniff through all the content on a user’s phone.

Besides inadvertent online exposures, phones and laptops are prime targets for loss or theft because of their portability. The Small Business Administration advises having a “mobile device action plan” in case physical devices like smartphones are lost.

Workplace culture
The best precaution against a data breach is establishing a culture of security in the workplace.

If you have employees, they should be trained in privacy and security practices. They should know what data they are permitted to access, and how devices containing work information should be used.

All employees should use passwords on their computers and phones, and encrypt their data. Antivirus and security apps can help prevent their devices from being compromised while they are on non-work networks that may not be secure. And everyone should understand the dangers of downloading random files that could contain spyware.

Even if you have no employees at all, a culture of security means consciously cultivating your own habits of proper data management and technological maintenance.

Keep your systems up to date, change your passwords regularly, and educate yourself about ransomware, phishing scams, and other common cyberattacks.

Call For Backup
The loss of essential data could render a small business inoperable. Recovering from this kind of problem is difficult without a backup plan. Indeed, a 2017 survey of small business owners by the Better Business Bureau found that only 35 percent of businesses “could remain profitable for more than three months if they permanently lost access to essential data” because of a cyberattack, and “more than half would be unprofitable in under a month.”

Although the discussion on data backup is often presented as a question of local storage versus “the cloud,” in reality small businesses can benefit from utilizing both methods. The purpose of storage solutions is to ensure your data is safely backed up in case of a disaster – including break-ins, fires, or just your garden-variety computer crash.

By having an out-of-office copy of your data, you can get back up to speed after an unfortunate event. “Out-of-office” is the key.

“We recommend backing up data through a cloud-service provider or a removable hard drive and keeping the backup away from your office, so if there is a fire, your data will be safe,” says Pat Toth, who oversees cybersecurity education for small businesses at the National Institute of Standards and Technology (NIST).

Whichever option you choose, it’s best to back your data up automatically if you can, or at least on a weekly basis.

Is your head in the cloud?
When we talk about sending data to “the cloud,” we’re actually talking about services that provide remote data storage space on secure servers, which you can access via high-speed internet from anywhere.

Chances are, you already use cloud-based filesharing systems like Dropbox or Google Drive. The difference between cloud backup and those free file services is security and comprehensive data backup.

The beauty of a service like Dropbox is that you can share a folder with someone else and it is synced when one of you uploads a file. A full-service cloud storage option allows this syncing for all of your data and system files in a secure manner.

Some affordable cloud options include:

 - Carbonite: Probably the most well-known of cloud storage systems, Carbonite offers unlimited storage and encryption during data transfer at a reasonable price.
 - SpiderOak: Similar to Carbonite in its encryption and backup syncing, SpiderOak offers up to 5 TB of cloud storage.
 - OpenDrive: A smaller company that offers a free option for personal use, OpenDrive places a 500 GB limit on cloud storage space – which may be all you need.

Think local
Locally, backing up your storage can be as simple as plugging in an external hard drive and copying over your computer’s files. While you’ll need a separate external drive for each computer, with enough space for all your data, this is still a very affordable option for a micro-business or self-employed person.

A major upside of this basic approach is that your data is secure as long as your hard drive is in a safe physical location. Again, away from your computer and place of work is best.

One obvious downside is that you can only access your backup data by physically plugging into it. Another is that external hard drives can crash just like your computer hard drive, resulting in data loss.

Unlike cloud services, with local backup no third parties are involved, meaning only authorized personnel have access to the data. For this reason, local backup is preferred by companies dealing with personally identifiable information, medical records, or other sensitive data where state and federal laws may regulate how records can be stored.

Back to basics
Not all security measures are sophisticated. There are simple ways to prevent the loss of your data. For example, you should install surge protectors and power supplies that won’t go down the instant you lose power.

To lower the risk of cyberattacks, turn off computers and routers at night or when you are not using them. Configure your software to automatically install updates.

Finally, don’t forget about your paper trail. Regardless of company type, most small business owners generate their share of paper bills, receipts, or notes with the personal information of employees and customers.

It seems elementary, but two of the best security investments you can make are still a substantial, locking metal filing cabinet and a quality paper shredder.

Free Resources For Cybersecurity
The Computer Security Resource Center (CSRC) offers education in the fundamentals of information cybersecurity for small businesses.

The US Small Business Administration offers free courses for cybercrime prevention and tips to protect your business against ransomware.

The Financial Industry Regulatory Authority (FINRA) provides a free Small Firm Cybersecurity Checklist to help you identify vulnerabilities in your data security.

Courtesy of NASE.org
https://www.nase.org/about-us/Nase_News/2019/09/13/straightforward-data-security-for-small-businesses