June 13, 2017

Why All Small Businesses Need a Data Security Policy – and How to Implement One

Small businesses often think they’re not big or important enough for information thieves to bother with... but that’s not what the research shows.

Close to half (43%) of the spear-phishing attacks Symantec tracked worldwide in 2015 were aimed at companies with fewer than 250 employees, up from 18% in 2011, according to Symantec's 2016 Internet Security Threat Report.

Most small and medium-sized companies collect and store confidential data about employees, customers, and the company itself. Information thieves sell this kind of data on the dark web or use it to commit identity theft and other fraud, so a small company is a worthwhile target regardless of its size.

For a small business, a data breach can come with crippling costs. According to Ponemon, a breach involving theft of assets cost the small and medium-sized companies surveyed an average of €787,065 ($879,582), and getting the business back to normal afterwards cost a further €854,935 ($955,429) on average.

7 steps to create an information security policy for small business

Take security seriously

Information thieves consider small businesses to be easy targets because many don’t take security seriously or budget for it. Develop a data security plan that provides clear policies and procedures for employees to follow. Create a culture of security in the workplace too, with security-driven processes and messaging.

  • Assess possible risks
    Identify every information asset that holds confidential data (file servers, databases, laptops, phones, paper records, cloud services) and conduct risk assessments to pinpoint physical and digital security weaknesses. Check existing systems and databases for signs that an intrusion has already happened, such as malware or accounts nobody recognizes. Establish a data management process that protects information from creation to disposal.
  • Apply controls
    Protect every device that connects to the Internet: computers, smartphones, tablets and any other web-enabled equipment. Use firewalls and current security software, web browsers and operating systems, and keep all of them patched. Always scan USB sticks and other external media with security software before opening anything on them. Require strong, unique passwords (and multi-factor authentication where the service offers it), and limit each employee's access to the information their job actually requires.
  • Manage mobile
    Employees increasingly store business data on their mobile devices. Set up a security checklist for all mobile devices so that they comply with the data security policy: require device encryption and a screen lock, avoid public Wi-Fi (or route traffic through a VPN when it cannot be avoided), and put customers and company visitors on a separate in-house guest network that cannot reach internal systems.
  • Provide employee training
    Best-practices training helps reduce breaches caused by human error and by phishing and social engineering, two of the most common forms of attack. Train staff to recognize suspicious emails and to report them rather than act on them.
  • Embed security
    Build security into everyday routines so that it does not depend on individual diligence. For example, partner with a document destruction company that provides locked consoles for storing paper documents that must be securely destroyed. Also monitor employee activity for unusual behavior that might indicate insider fraud.
  • Be prepared
    Automate backups and run them regularly. Store copies at another location, kept separate from the systems being backed up, so that a single incident cannot destroy both the originals and the copies, and periodically test that a backup can actually be restored. Create an incident response plan so that every employee knows what to do if systems are compromised.
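The "Be prepared" step above is the one that is easiest to get wrong in practice, because a backup that was never verified is only discovered to be unusable on the day it is needed. The following Python script is an added example, not code from Shred-it or from the article: it creates a compressed archive of a directory, writes a SHA-256 checksum beside it, reads the archive back to prove it is restorable, copies it to a second location and verifies that copy independently, and rotates out old archives. The archive layout, the sidecar checksum file, the `keep` rotation count and the "offsite" directory are all assumptions made for this example; in real use the offsite directory would be a mounted external drive or a cloud-sync folder. The sample files in `demo_run` are constructed stand-ins for real business data.

```python
import hashlib
import shutil
import tarfile
import tempfile
import zlib
from datetime import datetime, timezone
from pathlib import Path

# Added example, not Shred-it's code. Assumed layout (not from the article): each
# backup is a .tar.gz with a <name>.sha256 sidecar beside it; only the newest `keep`
# archives are retained; an "offsite" copy is any second directory, verified on its own.
CHUNK = 1024 * 1024  # hash and read archives in 1 MiB chunks

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, streamed so large archives are not loaded into memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()

def sidecar(archive: Path) -> Path:
    return archive.with_name(archive.name + ".sha256")  # checksum file beside the archive

def create_backup(src_dir: Path, dest_dir: Path, keep: int = 7) -> dict:
    """Archive src_dir into dest_dir, write a checksum, verify, then rotate old copies."""
    src_dir, dest_dir = Path(src_dir), Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    # UTC timestamp plus sequence number: names sort chronologically even when two
    # runs share a timestamp, which rotate() relies on.
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%f")
    seq = 0
    while (archive := dest_dir / f"backup-{stamp}-{seq:02d}.tar.gz").exists():
        seq += 1
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=src_dir.name)  # relative paths: no host layout leaks
    digest = sha256_file(archive)
    sidecar(archive).write_text(f"{digest}  {archive.name}\n")
    if not verify_backup(archive):  # never rotate good copies away for a bad one
        raise RuntimeError(f"backup failed verification: {archive}")
    return {"archive": archive, "sha256": digest, "removed": rotate(dest_dir, keep)}

def verify_backup(archive: Path) -> bool:
    """Re-hash against the sidecar and read every member back: an archive that
    cannot be read back is not a backup (catches truncation, corruption, tampering)."""
    archive = Path(archive)
    recorded = sidecar(archive).read_text().split() if sidecar(archive).exists() else []
    if not recorded or sha256_file(archive) != recorded[0]:
        return False
    try:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar:
                if member.isfile():
                    with tar.extractfile(member) as fh:
                        while fh.read(CHUNK):
                            pass
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        return False
    return True

def rotate(dest_dir: Path, keep: int) -> list:
    """Delete all but the newest `keep` archives (and sidecars); return the names removed."""
    archives = sorted(Path(dest_dir).glob("backup-*.tar.gz"))
    stale = archives[:-keep] if keep > 0 else archives
    for old in stale:
        sidecar(old).unlink(missing_ok=True)
        old.unlink()
    return [old.name for old in stale]

def copy_offsite(archive: Path, offsite_dir: Path) -> bool:
    """Copy an archive and its sidecar to a second location and verify that copy itself."""
    archive, offsite_dir = Path(archive), Path(offsite_dir)
    offsite_dir.mkdir(parents=True, exist_ok=True)
    for src in (archive, sidecar(archive)):
        shutil.copy2(src, offsite_dir / src.name)
    return verify_backup(offsite_dir / archive.name)

def demo_run(keep: int = 2) -> dict:
    """Run the whole procedure on constructed sample data in a throwaway directory."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "customer-records"
        src.mkdir()
        (src / "invoices.csv").write_text("id,customer,amount\n1,Acme,120.00\n")  # constructed
        (src / "staff.txt").write_text("alice\nbob\n")  # constructed
        runs = [create_backup(src, work / "backups", keep=keep) for _ in range(keep + 1)]
        newest = runs[-1]["archive"]
        kept = sorted((work / "backups").glob("backup-*.tar.gz"))
        offsite_ok = copy_offsite(newest, work / "offsite")
        damaged = work / "offsite" / newest.name  # flip one byte: verification must now fail
        data = bytearray(damaged.read_bytes())
        data[len(data) // 2] ^= 0xFF
        damaged.write_bytes(bytes(data))
        return {"archives_kept": len(kept), "newest_kept": newest in kept,
                "rotated_out": len(runs[-1]["removed"]), "offsite_ok": offsite_ok,
                "tamper_detected": not verify_backup(damaged)}

if __name__ == "__main__":
    print(demo_run())
```

Two design choices matter here. Verification runs before rotation, so a failed backup can never push the last good copy out of the retention window, and the offsite copy is verified on its own rather than trusted because the source passed: a checksum that travels with the archive is what lets you tell a damaged or tampered copy from a good one months later.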

Start Protecting Your Business

To learn more about how Shred-it can protect your documents and hard drives, please contact us to get a free quote and security risk assessment.