Data Breach Protection Essentials

How to Prevent a Small Business Data Breach

How can you protect your company from a data breach?

Recent Data Breaches

Seems like every time you turn around, you’re hit with news of another major data breach. Just in the last few months:

Ransomware Attacks

We’ve also seen the rise of the threat of ransomware. Ransomware is malware that encrypts your files, making them unusable. You may see an image like the one below

Ransomware Example

data breach via ransomware

In a ransomware attack, the perpetrators promise to unlock your files if you pay the ransom. If you don’t have a reliable, recent backup, you may have no choice but to pay the ransom because everything in your system is unusable – including email, Word docs and databases.

The City of Atlanta recently experienced a ransomware attack where the than attacker demanded a $50,000 ransom. So far it’s cost the city $2.7 Million Dollars and major headaches to restore their system and tighten up their data security settings. Employees have resorted to paper-based applications and manual processes to keep operations running.

You may be thinking…

If these major companies can’t protect themselves from data breaches, how can small businesses expect to?

If you’re a small business, you have a few advantages over major corporations. First, small businesses are less of a target. Hackers go after big businesses because the payoff is big. Additionally, small businesses typically have more control over their IT environment. You actually have an advantage in protecting your data if you follow a few basic data security steps.

What is a data breach?

A data breach occurs when an unauthorized person gains access to your data.  The question is how they were able to access to the data.

The most common data breach causes are:

1.      Malware in email.

A user could click on a link in an email that causes malware to be installed on their computer.  This malware could then allow the attacker access to the computer, which then replicates itself to computers, servers and may even send emails to all the contacts in your contact list (including clients). This malware can slow down system performance, crash your system or display annoying popup ads. See 13 warning signs that your systems have been infected by malware.

Solution: Hover over any link and inspect where that link is going to. When in doubt, go to the company website and login there. For example, if you get an email from PayPal saying you need to update your password, instead of clicking the link in the email “PayPal” sent you, just go to the PayPal website and see if they’re prompting you for a password reset.

Also, be careful about opening any attachments. Computer viruses can be disguised as .PDFs, .XLS and other familiar formats. Have a reputable anti-virus software program installed on all machines at all times. Keep your anti-virus software up-to-date and regularly scan your computer.

2.      Email phishing tricks.

We recently had a user who was tricked into entering their email credentials into a fake web site.  The attacker was then able to login into this mail account.  They would have had access to any email in her mailbox (financials, emailed passwords, etc.).  In this case the attacker used the credentials to send spam from her account, probably trying to infect other systems.

Last year, even a White House officials were tricked into responding to a fake email that purported to be from Jared Kushner, but in reality was sent by an email prankster.

Solution: Adopt Office 365 or G Suite for your business. These solutions come with added security measures that consumer email systems don’t provide. Don’t EVER provide confidential information through email.

3.      Insecure websites.

Attackers can also gain access to servers through insecure web sites.  Once they have access to the website, they can then access any database on the server and the content in the databases.  This could be anything from e-commerce orders to financial or medical information. As an example, Drupal recently released a patch for a major security hole that allowed a virus to execute simply by browsing to a URL. Because WordPress runs about 25% of all websites today, it’s a big target for hackers.  The database, themes and plugins are continually being updated with added security measures. If you don’t apply the patches, you leave yourself vulnerable.

Solution: Companies who have had a web site developed, but don’t maintain it are putting themselves at risk. Website data security best practices create rigor around keeping your database, themes and plugins up-to-date. You’ll also want to ‘harden’ your website security settings and have a strong firewall in place.

4.       Password sharing / password weaknesses.

The easiest way to gain access to your small business software programs is to give someone your password. You may be sharing your password intentionally. Some companies share one password among employees to save money or for convenience. Other times password sharing may happen unintentionally. We’ve seen passwords written on post-it notes stuck to laptops. Now everyone who passes by while you’re working in the coffee shop can get into your systems.

Solution: Don’t share your password. Give each employee and contractor their own passwords. Have strong employee onboarding and offboarding procedures in place. Use a password software program like LastPass or Dashlane to create more sophisticated, and unique passwords for every site.

What about SaaS Software Solutions?

A question we commonly receive from clients is about online data security and the risks of SaaS (Software as a service) solutions. For example, with QuickBooks Online your financial data now resides on a server managed and maintained by QuickBooks. While that may feel risky, studies show that your data is usually significantly MORE secure when managed by a major online software company than when it resides on your own internal server.

Major software vendors like Microsoft and QuickBooks have invested in building sophisticated, multi-layer security systems.  They do all the backups and keep the system up to date. DIY IT Services can be a mistake, costing you more in the long run than you’re saving. If you are considering using a smaller, lesser-known company, you should investigate their data security measures. If you’re not sure what to buy, consult a reputable IT services provider for help in software selection.

What about Cloud Business Application Hosting?

A trend in small business IT strategy is to move your databases and applications from your physical location in your office to a cloud hosting platform like Amazon Web Services (AWS) or Azure. The security measures you need to take are the same, EXCEPT with AWS and Azure, you have the advantage of using their multi-layered security measures, and you’re at less risk for things like fires, flooding, hurricanes and other disasters.

Most data breaches are preventable.

Following these simple steps you can avoid most data security breaches.

Small Business Data Breach Security Steps

1.       Train employees to be wary of suspicious emails and websites.

2.       Don’t share passwords.

3.       Change your passwords frequently and make them hard to guess.

4.       Keep your software programs up to date.

5.       Keep your website up to date.

6.       Routinely use anti-virus software, firewalls and other data security measures.

7.       If you don’t have IT staff, hire an outsourced IT services company to keep your IT environment secure.

8.       Have backup and recovery procedures in place. If you need to restore your data, you can.

What if you get infected by a computer virus, ransomware or other malware?

Act IMMEDIATELY.

The quicker you can respond, the more likely it is that you’ll be able to thwart your attacker. Your employees should know who to go to in the event of a data breach. Seek the help of IT Support for malware removal, and just as importantly, close the security holes that caused the data breach in the first place.

If you need help, give us a call at 586-275-1775!

Request a Tech Check