Network Security Tips for Small or Home-Based Businesses (Part 2)
It is important for businesses of any size, whether small or large, to employ network security tools, such as encryption or anti-virus software, to protect their systems and information. One of the biggest network security hurdles small or home-based businesses face is that they rarely have experienced network security staff on call 24/7. Part two of our two-part series focuses on actions you can take related to your data. Cyber liability insurance is also becoming a key component in protecting a business from a security incident. However, there are additional "low tech" steps most businesses can take themselves to minimize their exposure to a network security breach, steps that require nothing more than a little time and planning.
The 2018 Cost of Data Breach Study from the Ponemon Institute, sponsored by IBM, places the average cost for each lost or stolen record containing sensitive and confidential information at $148. In other words, 1,000 records equate to a cost of $148,000.
More Data, More Problems
Be ruthless about data retention. If you are storing information that you are neither 1) legally required to store nor 2) actively using in your business operations, get rid of it. The cost of keeping it is far greater than the chance that it might come in handy someday.
Too many businesses and individuals are data packrats or hoarders. We hang on to data we no longer need or have no business storing, and we keep it for far longer than we should. If a system is breached and the stored data is accessed, it does not matter when you saved it, why you saved it, whether it is information you should have saved in the first place, how old it is, how accurate it is, or how valuable it is. At that point it is all treated the same, and you are responsible for all of it.
Using Multiple Systems?
On a related subject, you may think you have deleted a record, but a scan of your system shows you saved it eight different times, in different folders, on different dates, with a slight change to the file name each time. Schedule time to periodically scan your system and network for duplicate copies and delete them. Store each record once.
Data Retention Policy
Even if you are the only person using your computer and accessing this data, take the time to create a formal data retention policy that includes a regular schedule for reviewing and deleting data. Specific professions often have unique legal requirements for how long certain data must be retained and for how it must be deleted and destroyed. Many professional and industry organizations provide this information to their members or on their websites, and offer data retention plan templates geared towards that industry.
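Both the duplicate scan described in the previous section and the scheduled retention review described here can be driven by a short script. The following is an added example, not code from the original article: it groups files by content hash (so renamed copies still match) and lists files whose last modification falls outside a retention window. The directory layout, file names and the RETENTION_DAYS value are constructed placeholders, and the script only reports; deleting anything is left to the owner, who checks each hit against the written policy first.

```python
#!/usr/bin/env python3
"""Find duplicate files and files past their retention age under a directory.

Added example, not from the original article. It reports; it never deletes,
so each hit is reviewed against the retention policy before any action.
RETENTION_DAYS is a placeholder to be set from your own policy.
"""
import hashlib
import os
import tempfile
import time
from collections import defaultdict

RETENTION_DAYS = 365      # placeholder: take the real value from your policy
CHUNK = 1 << 20           # hash 1 MiB at a time so large files fit in memory


def regular_files(root):
    """Yield regular files under root, skipping symlinks so a link is never
    mistaken for a second copy of the data it points to."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.path.isfile(path):
                yield path


def sha256_of(path):
    """Digest of the file's bytes; renamed copies hash identically."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_duplicates(root):
    """Return {sha256: [paths]} for every digest that appears more than once.

    Files are bucketed by size first and only files sharing a size are hashed,
    so a tree of mostly unique files is not read end to end for nothing.
    """
    by_size = defaultdict(list)
    for path in regular_files(root):
        by_size[os.path.getsize(path)].append(path)
    by_hash = defaultdict(list)
    for paths in by_size.values():
        if len(paths) > 1:
            for path in paths:
                by_hash[sha256_of(path)].append(path)
    return {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}


def find_stale(root, retention_days, now=None):
    """Return files whose last modification is older than retention_days."""
    cutoff = (time.time() if now is None else now) - retention_days * 86400
    return sorted(p for p in regular_files(root) if os.path.getmtime(p) < cutoff)


def build_sample_tree():
    """Constructed sample data for the demo: two renamed copies of one file,
    a unique file of the same size as another (same bucket, different hash),
    and one file whose modification time is set back to 1970."""
    root = tempfile.mkdtemp(prefix="retention-demo-")
    os.makedirs(os.path.join(root, "archive"))
    samples = [("invoice.pdf", b"same bytes"),
               (os.path.join("archive", "invoice (1).pdf"), b"same bytes"),
               ("notes.txt", b"different"),
               ("old-export.csv", b"nine byte")]
    for rel, data in samples:
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    os.utime(os.path.join(root, "old-export.csv"), (1_000_000, 1_000_000))
    return root


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for digest, paths in find_duplicates(root).items():
        print(f"duplicate content {digest[:12]}:")
        for p in paths:
            print("   ", p)
    for p in find_stale(root, RETENTION_DAYS):
        print("past retention:", p)
```

Run it with a directory as the only argument to scan your own data; with no argument it scans the constructed sample tree. Hashing by content rather than matching on file name is what catches the "invoice (1).pdf" style copies the section describes, and the size bucket keeps the scan cheap on large shares.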
Data Backup
Back up your data frequently. If you are not continuously backing up your data, then at least do it daily. Since you likely do not have your own backup servers in separate, secure locations, use a third-party backup or cloud storage service. Research multiple providers, review online comparisons of their services and history, and study the features of each to see which best matches your needs. Read the contracts and the terms and conditions. Understand their responsibilities for protecting your data and your recourse if they fail to do so. Select a sizable, reputable provider that has been in business for several years. This is not a decision to be made lightly or based solely on cost. It is critical to the livelihood of your business.
The Legal Stuff
Know what state and federal laws, regulations and industry standards apply to you. All 50 states, DC, Puerto Rico and the Virgin Islands now have laws requiring notification of security breaches involving personally identifiable information (PII); each one is different, and many of these laws change frequently. If you suffer a breach and PII you store is accessed, you are subject not only to the law in your state, but to the laws of every state in which the owners of the PII reside. There are lawyers and consultants you can hire to assume responsibility for this task, either pre- or post-breach. But having a basic understanding of the privacy-related regulatory environment you are operating in is essential.