Data security has been in the news a lot lately. The allegations of widespread and systematic misuse of data by political analytics firms have shocked a lot of people. At times we forget how important it is to secure our data and, if you’re a small business, how vital it is to secure your clients’ data. With the new EU rules on data protection (GDPR) coming into effect on 25 May 2018, if you’re running a small business it’s worth examining your data security arrangements.

The following is not a comprehensive list, nor is it legal advice. It is intended as a quick guide of things you need to consider.

Perform a Data Audit

If you’ve been trading for any length of time, you’ve probably collected quite a bit of personal data from your customers. Names, email addresses, phone numbers, etc. There has been a tendency to gather more data about an individual than a business needs. Therefore, you should run a data audit.

Look at all the data you’ve collected and ask yourself ‘what do I need this for?’ If you hold an address for a customer with whom you haven’t had any contact in several years, it might be time to think about deleting the information.

The more data you keep about your customers, the higher your risk should a data breach occur. GDPR’s storage limitation principle puts the onus on you to keep personal data no longer than is necessary for the purpose you collected it for, but this is good practice anyway. If the worst should happen, the fewer records affected, the better: fewer people to notify, and less for an attacker to sell.

Another question to ask is whether your people are taking data offsite, on laptops, USB sticks or personal devices. If they are, do they really need to, and is the device encrypted?

Using the Cloud? Encrypt!

You would have to be living under a rock not to have seen ‘The Cloud’ marketed as the greatest business innovation of the past decade. However, storing lots of information in The Cloud isn’t without its risks. You’re trading whatever security setup you have on your local machines for the security provided by a third party.

Breaches of the major cloud providers themselves are comparatively rare, but they do happen, and far more often an individual account is compromised through a stolen password or a file-sharing setting left open to the world. Encrypting data before you upload it to The Cloud – particularly if you’re a sole trader using personal consumer services – means that anyone who gets into the account, or into the provider, sees only ciphertext.

A variety of services exist to encrypt data in The Cloud. The best ones encrypt on your own device with a key the provider never holds (often marketed as ‘zero-knowledge’ encryption). The caveat is that, because the provider cannot recover the key for you, losing the passphrase means losing the data, so keep a copy of it somewhere safe and offline.

Take Backups and Encrypt Them Too

The rise of virtual offices and working from home means that a lot of small businesses or sole traders run their business from a laptop or two. Without adequate precautions, a hard drive failure or a spilt coffee can prove very costly. It’s vital you get into the habit of backing up your data regularly and securing those backups with encryption. Keep at least one backup copy disconnected from your machine and your synced folders: ransomware encrypts every drive and cloud folder it can reach, and an attached backup drive is no backup at all. Test that you can actually restore from a backup before you need to.

You should also turn on the full-disk encryption built into your device (BitLocker on Windows, FileVault on macOS, and the encryption settings on your phone) so that, should it be lost or stolen, you have a much better chance of not handing customer information to criminals.

Turn on Two-Factor Authentication

It can be inconvenient, but many services now offer two-factor authentication. What this means is that a username and password are no longer all that is needed to access an account. A second factor – usually a one-time code generated by a smartphone app, or a physical security key you plug in or tap – must also be presented before access is granted. Codes sent by text message are the weakest form, because phone numbers can be hijacked, but they are still far better than a password alone.

There are some risks with two-factor authentication. If you lose your phone or security key you might have to go through a time-consuming process to regain access to an account, so save the recovery codes each service gives you when you enrol and store them somewhere other than on the phone itself. It’s a small inconvenience compared to the extra layer of security.

One Password to Hack Them All

Do you use the same password for everything? You shouldn’t. If one service you have an account with is breached, criminals try the leaked username and password against every other popular service (so-called credential stuffing), and all your accounts become vulnerable – and by extension, your clients’ data too. You should use a different password for every online account. It might be a nuisance when you suddenly find you need hundreds of different passwords, but it is a vital step towards good data security practice.

Password managers store your passwords in encrypted form and fill them in for you, and you may well find one useful. Many can also generate long random passwords for you, which is the easiest way to make every one unique. Some examples are LastPass and RoboForm. Protect the manager itself with a long master passphrase that you use nowhere else, and turn on two-factor authentication for it. Note, however, that you are transferring trust to a third party and you should always do your own due diligence on whether this is the right solution for you.

Be Suspicious

Most malware infections are triggered by opening attachments or clicking links in emails. Ransomware is a particularly nasty variety whereby your files are encrypted by criminals who demand a fee to unlock them. In many reported cases, the files remain encrypted even after the ransom is paid, so an offline backup is the only recovery you can rely on. Criminals gather email addresses wherever they can, including from publicly available information such as your website and company filings.

If an attachment arrives in your inbox, even if it appears to come from a legitimate source such as HMRC or a client, don’t be in a rush to open it. The visible sender address can be forged with basic IT know-how, and a display name such as ‘HMRC’ can be put in front of any address at all. Instead, ask yourself: are you expecting an email with an attachment? If not, does the email itself say what the attachment is? Is it written in the style of the person purporting to have sent it? If it is from an ‘official’ or government address, are there basic grammar or spelling errors, or an urgent demand to act now? Before clicking a link, hover over it and check that the address it actually points to matches the one shown.

If you are not certain the email is legitimate, check with the person who purportedly sent it – but not by replying to the message, since a forged sender means your reply goes straight to the criminal. Phone them, or write to an address you already have on file. If it is genuine, it might be a bit embarrassing, but they may well appreciate your approach to security.
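The checks above can be partly automated. The following is an added example (not code from the original article) that runs three of them over an email’s headers and attachments using only Python’s standard library: does the display name invoke a trusted brand while the real sender domain is something else, does Reply-To send answers to a different domain than From, and does any attachment carry an executable or double extension. The two messages are constructed for this example; the ‘hmrc.gov.uk’ trusted domain and the `.example` addresses are illustrative assumptions, and the list of risky extensions is a starting point rather than a complete one.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed phishing sample (not a real message): the display name says HMRC, the
# address does not, replies go somewhere else again, and the 'PDF' is really an .exe.
PHISH_EMAIL = """\
From: "HMRC Customer Service" <refunds@hmrc-gov-uk.example>
Reply-To: claims@mail-refund.example
To: owner@smallbusiness.example
Subject: Your tax refund is ready
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

You are eligible for a refund. Please open the attached form to claim.

--b1
Content-Type: application/octet-stream; name="refund_form.pdf.exe"
Content-Disposition: attachment; filename="refund_form.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--b1--
"""

# Constructed benign sample: an expected invoice from a known client.
CLEAN_EMAIL = """\
From: "Jane at Client Firm" <jane@clientfirm.example>
To: owner@smallbusiness.example
Subject: Invoice 0421
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Hi, invoice attached as discussed on the phone. Jane

--b2
Content-Type: application/pdf; name="invoice-0421.pdf"
Content-Disposition: attachment; filename="invoice-0421.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

# Extensions that run code when double-clicked; extend to taste.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".cmd", ".hta",
                    ".docm", ".xlsm", ".jar", ".lnk", ".iso"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def suspicious_indicators(raw: str, trusted_domains=("hmrc.gov.uk",)) -> list:
    """Return a list of human-readable warnings; an empty list means nothing was flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(from_addr)

    # 1. Brand in the display name, but the sender domain is not that brand's domain.
    for trusted in trusted_domains:
        brand = trusted.split(".")[0]
        legit = from_domain == trusted or from_domain.endswith("." + trusted)
        if brand in display_name.lower() and not legit:
            findings.append(f"display name mentions '{brand}' but sender domain is '{from_domain}'")

    # 2. Reply-To pointing at a different domain than the From address.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain '{domain_of(reply_addr)}' differs from From domain '{from_domain}'")

    # 3. Attachments with executable or double extensions (e.g. 'form.pdf.exe').
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        suffixes = name.split(".")[1:]
        if suffixes and "." + suffixes[-1] in RISKY_EXTENSIONS:
            findings.append(f"attachment '{name}' has an executable extension")
        if len(suffixes) >= 2:
            findings.append(f"attachment '{name}' has a double extension")

    return findings


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, "->", suspicious_indicators(sample) or "no indicators")
```

None of these checks proves a message is malicious, and a clean result proves nothing either: a genuine account can be compromised and used to send a perfectly well-formed email. Treat the output as a prompt to pick up the phone, not as a verdict.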

Don’t Use the Same Email for Everything

It’s easy to use the same email address for everything, particularly if you’re a sole trader. However, you shouldn’t. Not only does it lead to a disorganised inbox, it makes you more susceptible to the phishing and malware threats described above, because every list your address ends up on becomes a route into your business mail. Try to have different email accounts for different purposes – one for business, one for bills, one for shopping, one for entertainment, etc.

It might sound cumbersome, but it can save you time and headaches. It also means that if you end up on a dodgy mailing list by accident, you’re not risking hundreds of nonsense emails landing in your business inbox. Remember, it’s a lot easier to change your bills or shopping email address to something new if the junk becomes too frequent than it is to change your business email address.

Remember the Basics

Don’t forget the basics of data security. Ensure that you have up-to-date protection against viruses and malware, that all your systems use a firewall, and that security updates for your operating system and applications are installed promptly, since most attacks exploit flaws that have already been fixed. Ensure that you have a policy in place on what to do in the event of a lost or stolen device containing customer data, including who to tell and how to remotely wipe it. Always be security conscious – it’s easy to leave a laptop or phone in the back of a taxi when you’re rushed.

Finally, if you employ others, make sure that you keep them up to date on all data security policies and threats. It’s surprising how many incidents happen simply because nobody told the staff.
