The Identity Theft Resource Center & BBB are participating in an initiative by the Identity Theft Council called “100 Cities in 100 Days.” The purpose of this event is to reach out to 100 cities across the US, then equip those cities with the right training and tools to raise awareness of identity theft and cybercrime. The focus of this campaign, which aims to build bridges of communication and resource sharing in order to make awareness a reality, is on education and prevention of this fast-growing crime. The following tips will help businesses prepare for data breach attempts.
Just as individual consumers can fall victim to data breaches and identity theft, businesses can be targeted as well. The following tips will help business owners and organization leaders defend against data breach attempts in order to protect their customer base, internal data, and reputations.
While there are some things that are outside your control, there are actionable steps to put in place to minimize your vulnerability to data breaches. Addressing computer security issues, company policies, and data usage will prepare your business in the event of a breach or theft, and give you confidence, by having a proper plan to follow.
The most important thing to do is rid yourself of the mentality that hackers won’t bother with you because you are too small. That couldn’t be further from the truth. Your company may do contract work for a much larger company, and hackers are counting on being able to access that bigger fish through your little pond. Also, data thieves are aware that smaller companies think they don’t have the budget for high-stakes security measures or the time to properly prepare for a breach. But you can be prepared to fight data breaches and identity theft just like bigger corporations by arming yourself with the most important aspect of prevention: knowledge.
While it’s a broader term with farther-reaching applications, for the purposes of this tip sheet your IT (information technology) refers to the antivirus, anti-malware, and other software that protects your computers and network from attacks. While IT can represent a significant investment, there are lower cost options which offer much of the same features and still serve as an important safeguard for protecting your company.
Not only do you have to secure your technology with strong IT software, you must run the updates. Whenever a new virus or other malicious software is uncovered, your IT provider writes a new update to discover and block that threat. By failing to run your updates as they’re offered, your computers are left open to attack, even though you’ve paid for the protection. Employees must be trained not to exit or “click out of” the updates while they’re running, as these updates are what help your computer recognize a threat.
Another aspect of computer security is the network shared by your employees. A safe wireless network is one that is password-protected. Never leave your business’s network as “public,” meaning that anyone can access data on the network. It’s also a good practice to periodically change the network password, especially when employees leave the company. In the case of businesses that share their wi-fi passwords with customers, like coffee shops or bed and breakfasts, do not put sensitive company information on the same network. Remember that anyone who has access to the network basically has a key to your office.
One of the largest sources of data breaches in 2014 was what’s known as “data on the move,” meaning devices that can leave your company’s offices. This includes company phones, laptops, flash drives, and other data storage devices. Of course, if your employees use their personal devices on your business network, they’re still vulnerable to hacking even though they’re not your company property. The loss or theft of these devices has been responsible for an incredible amount of consumer data being widely accessible. All devices that leave the office or connect on your company’s network should be password-protected to prevent easy access to information on the device.
It is important to have a routine employee training schedule that prepares everyone in the company for expectations, both with computer use and data that is passed around the office.
Too often, companies fail to have a documented computer policy in place until after a breach occurs. But you can work to minimize the chances of a breach if you institute a simple technology policy now, and make sure employees are trained to understand the very real consequences of violating the policy. It’s not enough to just say, “No personal emails at work.” There are a wide variety of threats which don’t always come through your personal email account. Of course, that doesn’t mean you can overlook the emailed threat, either.
Next, develop and implement a policy about bring-your-own-devices (BYOD), an increasingly popular way for businesses and employees to accomplish tasks, but one that can leave your network vulnerable. Just because the email came to your employee’s laptop or device doesn’t mean you’re safe; remember, that email still came over your company’s wireless network and can therefore impact your data security.
Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data. Employees should understand that abiding by your company’s data security plan is an essential part of their duties. Regularly remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential.
After defining proper computer use, don’t forget to address physical data. Physical breaches, while less common than electronic or digital breaches, often provide thieves with an abundance of personal information. If your business prints out paperwork containing sensitive information, you need to have a proper way to handle and destroy the data. Keep forms containing employee and customer information in a locked room, and train employees to use a cross-cut shredder for documents that are no longer needed. Check your state laws regarding document disposal and remember to thoroughly vet any third party or outsourcing company.
Stress the importance of customer data with your employees, and be sure that they understand exactly what can be done with this information. A clear understanding is often the first step to limiting data breach exposure. If your employees have concrete examples of the types of theft that can occur if data is not protected, they are more likely to closely follow the proper procedures.
A Plan for Protecting Personally Identifiable Information
PII, or personally identifiable information, is all of the data gathered on employees and customers. Depending on the type of business you run, this data may be limited to names, addresses, or email addresses, but can be as involved as credit card information on customers, bank account information on employees who are paid by direct deposit, Social Security numbers on your employees or your customers, and more.
But the problem is this: where did that data go after it was obtained? Who can access it? Where is it stored? What do you do with the data when it is no longer needed?
Data breaches are not limited to external threats. Sometimes an employee is responsible for the breach, so the business needs to clearly identify the flow of data from entry to exit. Have you created a company policy on who can see and use PII? Do all of your employees really need access to their co-workers’ Social Security numbers? Does the person who loads the trucks (and therefore has a computer station in the warehouse for inventory and fulfillment) need access to customers’ sensitive data?
All too often, small businesses rely on one network that joins all of their computers, leaving them open to an internal data breach. Securing your network and the stored data will help keep prying eyes away from it.
Step 1: Decide what information is actually needed from customers and employees. Limit your collection to what is truly necessary.
Step 2: Identify the flow of data through the company. Each position in the company that has access to the data should be recorded. Restrict data access to only those essential positions.
Step 3: Clearly communicate the plan for data collection and disposal. Once the data is no longer needed, it should be safely removed from access. Refer to your employee training procedures for data disposal.
Desktop Audits to Ensure Security
A desktop audit sounds fairly threatening, so for the sake of your company’s security it’s important that audits be conducted in an open, supportive, non-frightening way. The last thing you want is for word to spread through your company that “they’re checking computers!” and have someone delete important files in a rush to clear their computers.
A desktop audit helps the company by making sure IT is up-to-date, all programs have their necessary upgrades completed, and there are no browser histories which could leave your network vulnerable. It’s surprising how little company leadership may know about the age, operating systems, and security threats to a computer in the office, as in the case of a manager asking an employee, “You’re still trying to work on that old thing?”
The audit should also review each employee’s access points to sensitive data, and can be used to determine if their position truly needs access, and for how long.
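The three-step data plan above (limit collection, record and restrict who can access each kind of data, dispose of it on schedule) and the audit’s review of each employee’s access points can be run as a single access review. The script below is an added example, not part of the ITRC/BBB tip sheet; the positions, fields, retention periods and records in it are constructed for illustration and would be replaced by your own documented data flow.

```python
"""Added example (not from the tip sheet): a PII access review that implements
Step 1 (collect only what is needed), Step 2 (only essential positions have
access) and Step 3 (dispose of data past its retention period), the same
questions a desktop audit asks about each employee's access points.

All names, fields, retention periods and records below are constructed."""
from datetime import date, timedelta

# Step 1: the fields the business decided it actually needs, per data type.
NEEDED_FIELDS = {
    "customer": {"name", "email", "card_last4"},
    "employee": {"name", "ssn", "bank_account"},
}

# Step 2: the documented data flow, i.e. which positions are essential per field.
ESSENTIAL_ACCESS = {
    "customer": {"name": {"sales", "support"},
                 "email": {"sales", "support"},
                 "card_last4": {"billing"}},
    "employee": {"name": {"hr", "payroll"},
                 "ssn": {"hr", "payroll"},
                 "bank_account": {"payroll"}},
}

# Step 3: how long a record is kept after its last use (hypothetical periods).
RETENTION_DAYS = {"customer": 365, "employee": 7 * 365}


def review_collection(collected):
    """Step 1: fields being collected that the policy never justified."""
    findings = {}
    for kind, fields in collected.items():
        extra = fields - NEEDED_FIELDS.get(kind, set())
        if extra:
            findings[kind] = sorted(extra)
    return findings


def review_access(grants):
    """Step 2 / desktop audit: grants (position, kind, field) that are not essential."""
    findings = []
    for position, kind, field in grants:
        allowed = ESSENTIAL_ACCESS.get(kind, {}).get(field, set())
        if position not in allowed:
            findings.append((position, kind, field))
    return findings


def review_retention(records, today):
    """Step 3: record ids whose last use is older than the retention period."""
    return [rec_id for rec_id, kind, last_used in records
            if today - last_used > timedelta(days=RETENTION_DAYS[kind])]


def run_review():
    """Run all three checks over constructed sample data and return the findings."""
    collected = {"customer": {"name", "email", "card_last4", "ssn"},
                 "employee": {"name", "ssn", "bank_account"}}
    grants = [("sales", "customer", "name"),
              ("warehouse", "customer", "card_last4"),   # warehouse station, card data
              ("payroll", "employee", "bank_account"),
              ("support", "employee", "ssn")]            # support sees co-worker SSNs
    records = [("C-1001", "customer", date(2013, 1, 15)),
               ("C-1002", "customer", date(2014, 6, 1)),
               ("E-17", "employee", date(2010, 3, 3))]
    return {"over_collection": review_collection(collected),
            "non_essential_access": review_access(grants),
            "past_retention": review_retention(records, today=date(2014, 12, 31))}


if __name__ == "__main__":
    for check, hits in run_review().items():
        print(check, hits)
```

Each check returns an empty result when the policy is being followed, so the same functions can be re-run at every audit and only the differences need discussion with the employee concerned.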
Use these audits not to catch employees in the act of violating company policies, but instead to retrain and reinforce your policies to protect important information.
Data Breach Response Plan
A data breach response plan, also known as an incident response plan (IRP), defines how you will respond in the event of a data breach. Unfortunately, unlike knowing how to respond if there’s a fire in your building or if a weather emergency strikes, a data breach can be a lot less obvious. In some cases, corporations have wasted valuable time—even months or years—before informing their employees and clients of a breach, largely because they didn’t know it had occurred.
How will you know your company’s sensitive information has been accessed?
There are a few tip-offs that a breach has happened:
• In the case of a credit card breach or your POS system being infiltrated, you’ll largely know when customers start calling about their credit cards being used without their knowledge.
• Your office computers or the network you’re on suddenly starts running a lot slower. Are you locked out of certain accounts, meaning someone may have accessed your account and changed your password? Have you noticed computers running different programs you don’t usually run? Was your computer on one morning when you arrived at work, even though you always shut it off? All of these can be signs someone else has gained access to your technology.
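The signs listed above (logons when nobody should be at work, unfamiliar programs running, being locked out of an account) can be checked against workstation event records rather than noticed by chance. The script below is an added example and not part of the tip sheet; the log format and the log lines are constructed for illustration, and the business-hours window and known-program list are assumptions to adjust for your own office.

```python
"""Added example (not from the tip sheet): the warning signs of a breach turned
into checks over an event log. The line format "timestamp host=.. event=.. k=v"
and every line in SAMPLE_LOG are constructed; real workstation logs differ."""
from datetime import datetime

# Constructed sample events: a normal day, then an overnight logon, an unknown
# program started in that session, and the user locked out the next morning.
SAMPLE_LOG = """\
2014-11-03 08:02:11 host=WS-07 event=logon user=jsmith
2014-11-03 12:40:05 host=WS-07 event=process_start user=jsmith program=excel.exe
2014-11-04 03:17:52 host=WS-07 event=logon user=jsmith
2014-11-04 03:18:30 host=WS-07 event=process_start user=jsmith program=remote_tool.exe
2014-11-04 08:01:45 host=WS-07 event=lockout user=jsmith
2014-11-04 09:15:00 host=WS-12 event=process_start user=amartin program=word.exe
"""

# Assumed baseline of programs normally run on the workstations.
KNOWN_PROGRAMS = {"excel.exe", "word.exe", "outlook.exe"}
# Assumed office hours, 07:00 to 19:59 local time.
BUSINESS_HOURS = range(7, 20)


def parse_line(line):
    """Turn one log line into a dict: a datetime plus the key=value fields."""
    stamp, rest = line[:19], line[20:]
    event = {"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")}
    for token in rest.split():
        key, _, value = token.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def out_of_hours_logons(events):
    """Sign: the computer was in use when nobody should have been at work."""
    return [(e["time"].isoformat(), e["host"], e["user"])
            for e in events
            if e["event"] == "logon" and e["time"].hour not in BUSINESS_HOURS]


def unknown_programs(events, known=KNOWN_PROGRAMS):
    """Sign: programs running that you don't usually run."""
    return sorted({(e["host"], e["program"]) for e in events
                   if e["event"] == "process_start" and e["program"] not in known})


def lockouts(events):
    """Sign: locked out of an account, which may mean someone changed the password."""
    return [(e["time"].isoformat(), e["user"]) for e in events if e["event"] == "lockout"]


def breach_indicators(text=SAMPLE_LOG):
    """Run every check and return one report; empty lists mean nothing was flagged."""
    events = parse_log(text)
    return {"out_of_hours_logons": out_of_hours_logons(events),
            "unknown_programs": unknown_programs(events),
            "lockouts": lockouts(events)}


if __name__ == "__main__":
    for sign, hits in breach_indicators().items():
        print(sign, hits)
```

Any hit from these checks is a reason to start the response plan described below, not proof of a breach on its own; the point is that the signs get reviewed on a schedule instead of waiting for a customer to call.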
Having a well-defined plan to deal with the aftermath of a breach incident is more important than knowing how you were breached or who’s behind it.
Given the statistics on data breaches, which are available in the 2014 ITRC Breach report, there’s almost no such thing as overkill when it comes to responding. If you have reason to think your system has been breached, you’ll need to:
• Monitor your company’s financial accounts regularly and carefully. Don’t forget to check your own accounts if you’ve ever accessed your personal information while on the network.
• Send a data breach notification letter to inform employees and customers that their information may have been accessed so they can also monitor their accounts.
• Turn on two-factor authentication on all aspects of business technology, and train employees immediately on not responding to the increase in phishing attempts that you may expect following a breach.
• Arm your employees with the information they need to address concerns from customers and explain clearly and calmly what a data breach means.
The Identity Theft Resource Center offers independent consulting services regarding data breach response issues. These services include: review of your data breach notification letter, creation of informative, co-branded webpages and documents for clients and customers including FAQs, and training of your first responder call center to ensure the consumer/victim perspective is not an afterthought. We emphasize that a person affected by a breach is not an identity theft victim. Our goal is to minimize any fear and distrust your customers may have following a data breach incident. We do so by providing your customers with the specific information they need and reassuring you that each person will be provided answers and assistance as needed.
For more information, visit our website or call 858-444-3286.
Clear steps to take to put a Data Security Policy in place, plus links to legal requirements in the US.
People today are overwhelmed with choices – and often unsure about where to find verified, unbiased information. There are more than 30 million businesses in North America alone, and hundreds of thousands of sites around the world where people shop online. There are thousands of free and subscription websites that offer a range of information, including reviews, reports, directories, listings, and gripe sites. BBB is the one place you can find it all. BBB offers its national and local consumer services online and in person and helps millions of people each year.
The Identity Theft Council’s Think Security First! Guide
This guide provides easy-to-use information on protecting against identity theft, malware, mobile threats and scams, as well as protecting your small business. Suggestions for small businesses include creating a clear security strategy, conducting regular testing, and free security tools to add an extra layer of protection.
Securing our eCity Business Resources
Offers a free cybercrime prevention workshop at your company’s facility. It is one of the best ways to understand common pitfalls. To make an inquiry please submit a workshop request here: http://securingourecity.org/business.
Resources include documents and templates that provide information, tips and general awareness of cyber security: http://securingourecity.org/resource.