
Data Security Risk & Safeguards for Small Businesses

By Tosin Ojo, Founder and Principal Consultant at CITSAP Consulting

Data is the heart of every business, which makes it a core asset of an organization, and a prime target for hackers and bad actors. The importance of data in driving business value cannot be underestimated, likewise, its protection should also be adequately prioritized regardless of the company size. However, most small businesses consider their threat level to be comparatively low when compared to larger organizations.

Based on recent reports, this school of thought does not stand up to reality. Recent figures show that small businesses are uniquely vulnerable to data breaches. According to Verizon’s 2019 Data Breach Investigations Report (DBIR) [1], approximately 43% of data breaches target small and medium-sized businesses (SMBs), while another report noted that 60% [2] of SMBs that have been victims of data breaches end up going out of business and closing within the next six months.

The increasing reliance on cloud computing and the proliferation of e-commerce businesses give SMBs, like large organizations, increased access to sensitive customer or personal data such as credit card numbers, social security numbers, email addresses, and IP addresses.

Some of the risks that may materialize due to inadequate data security measures are:

  1. Reputational Risk: An immediate aftermath of a data breach is bad publicity and press, resulting in loss of credibility among customers, clients, and potential investors. Oftentimes, customers lose trust in the ability of the business to protect their sensitive data and seek other companies with stronger safeguards to provide the same or a similar service.
  2. Financial Risk: Lack of data protection can result in financial losses for the organization. The high costs of data breaches tend to relate to the actions companies have to take after a data breach, such as the cost of investigation, implementation of security controls, and legal or regulatory fines.
  3. Regulatory or Legal Risk: Regulatory fines can also follow a breach of data protection regulations. Customers can take legal action against the organization when their data is breached. Regulatory or legal fines can be higher when an organization cannot show that due diligence was taken to adequately protect customers’ personal or sensitive data.
  4. Operational Risk: Another major impact of a data breach is the potential downtime the organization may face in the aftermath of the event. Depending on the nature of the event, the business may need to shut down its operations, including the core revenue-generating systems or websites, while investigating and/or containing the damage from the breach or unplanned business disruptions, which further leads to increased customer dissatisfaction and potential loss of revenue.
  5. Customer or Client Risk: Hackers can use the breached customer data to commit fraud or scams, further increasing the SMB’s liability.

For small businesses often faced with resource constraints, it is important to identify and implement measures to effectively reduce risks to an acceptable level.

Below are 10 essential measures that SMBs can implement to protect against data security risks.

  1. Prioritize Staff Training and Awareness

Employees are essentially a human firewall and the organization’s first line of defense. Companies should provide mandatory security awareness training for their staff at least annually to educate them on security risks such as phishing and ransomware.

  2. Maintain an Inventory of Systems and Data

Businesses should periodically take stock of their environment and maintain an inventory of critical systems and data, so that they understand where the most sensitive data resides and which safeguards need to be implemented.

  3. Safeguard Sensitive Data

The primary target for cybercriminals is your company’s sensitive data, including personally identifiable information (PII), trade secrets, financial data, and other confidential information. Implementing strong access control, encryption, and secure data disposal procedures helps to protect your sensitive data.

  4. Use Multifactor Authentication (MFA)

MFA adds a layer of security by requiring one or more additional means of verifying an individual’s identity, e.g. a one-time passcode, beyond a username and password.

  5. Implement Firewall and Antivirus Solutions

Businesses should safeguard their network with a firewall, and antivirus software should be deployed on all company devices to protect against malware, ransomware, and related threats.

  6. Keep System Patches Current

Businesses should ensure they are up to date on required patches, to reduce the risk of the company’s systems being susceptible to cyber threats.

  7. Review Third-Party Security Controls

Businesses that rely on third-party vendors for critical aspects of their operations should ensure procedures are in place to periodically validate the adequacy of the vendors’ security controls, as a security breach of a vendor’s systems may have a cascading impact on your business.

  8. Ensure Periodic Vulnerability Assessments

Perform, or engage a managed service provider to perform, periodic scans of your systems, websites, etc., so that vulnerabilities that hackers could exploit to gain unauthorized access to your systems are identified and remediated in a timely manner.

  9. Have an Incident Response Plan

A documented and tested incident response plan outlines the necessary steps to be executed in the event of a security incident such as a data breach.

  10. Perform Periodic Backups and Disaster Recovery Planning

Periodic backup of critical systems and data can prevent a prolonged business disruption in the event of data loss due to a security breach, accidental deletion, or natural disaster. A disaster recovery plan assists the business in bringing its systems back online, using available backups and other system components, following a major business disruption.

While the list of safeguards above is not exhaustive, it provides a baseline of data security safeguards. It is also important to note that if there are specific laws or regulations in your industry or jurisdiction regarding data security, you must keep abreast of and implement all applicable requirements.


References:

[1] Verizon, “Small business cyber security and data breaches”, https://www.verizon.com/business/resources/articles/small-business-cyber-security-and-data-breaches/

[2] “4 main reasons why SMEs and SMBs fail after a major cyberattack”, CSO Online