Data Breach Prevention and Your Small Business

by Susan Gosselin

August 25, 2021

From Data Breach Prevention Techniques to the Proposed Data Breach Prevention and Compensation Act, We’ll Show You How to Keep Your Information Safe

If you read the headlines lately, data breach prevention can seem like an impossible task. In the second quarter of 2021 alone, the Identity Theft Resource Center reported that data compromises were up 38 percent. And it’s not just enterprise-level companies feeling it. Small businesses often have few cyber protections and a trove of customer and competitive data worth stealing. If you operate a small or medium-sized company, you’re ripe for a data breach.

What exactly is a data breach? How are cybercriminals getting into networks? Do you know how to prevent data breaches from occurring? Let’s break that down.

What is a Data Breach?

The answer to this question is simple. A data breach is any incident in which a record you are obligated to protect ends up in the hands of someone who should not have it: a file of competitive information, a customer’s personal or financial data, or intellectual property belonging to your company. The data does not have to be deleted or stolen outright; unauthorized access, copying or disclosure is enough.

The consequences of a data breach can be severe. Loss of business and trade secrets. Customer anger over having their personal and financial data exposed. Reputational damage for sloppy practices. Lawsuits, class actions and more.

Depending on your industry, compliance regulations add another layer. Steep fines await those who haven’t properly protected their records, and laws governing patient data have become increasingly important as healthcare information has become more shareable and portable. At the federal level, the proposed Data Breach Prevention and Compensation Act (introduced in Congress in 2018 and reintroduced in 2019, but not enacted) would establish an Office of Cybersecurity within the Federal Trade Commission (FTC) to set and enforce data security standards, especially for credit reporting agencies.

How Hackers Are Upping Their Game in 2021

Cybercrime has become an industry. Ransomware gangs operate like businesses, with affiliates, negotiators and support desks, and their attacks are more damaging to networks than ever, as the 2021 headlines about the Colonial Pipeline shutdown and other critical-infrastructure incidents show. Here are some of the key ways they get around a company’s efforts at data breach prevention:

  • Phishing—Emails (and increasingly texts and calls) carrying a link or attachment that installs malware, or that leads to a fake login page which harvests the employee’s credentials
  • Spoofing/Pretexting—A phishing message that impersonates the company’s CEO, an employee’s supervisor or the IT department, wrapped in a fabricated story (an overdue invoice, a locked account) that pressures the employee to click, pay or hand over credentials
  • Baiting—Malware disguised as freebies, special offers or “found” USB drives
  • Vulnerability attacks—Exploiting unpatched or misconfigured internet-facing systems such as VPN gateways, web servers and firewalls to get in without tricking anyone at all
  • Supply-chain/admin-tool attacks—Compromising a widely used IT management platform so that every company running it is infected at once. The attack on Kaseya’s VSA remote-management product in July 2021, which pushed ransomware to many of the managed service providers and small businesses downstream, is the best-known example.
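The spoofing and pretexting signals above can be checked mechanically before a message reaches an inbox. The following is an added example, not Iconic IT’s tooling or any vendor’s product: it parses a raw email and flags three common tells, a known executive’s display name paired with the wrong address, a Reply-To that diverts replies to another domain, and a link whose visible text names a different host than its real target. The company domain `example.com`, the executive directory and both sample messages are constructed for the demonstration.

```python
"""Flag common spoofing/pretexting signals in an incoming email.

Added example with constructed messages; not Iconic IT's tooling.
Assumptions: the company mails from example.com and the executive
directory below is illustrative.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<]+")


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(url):
    return (urlparse(url).hostname or "").lower()


def phishing_signals(raw):
    """Return the names of the pretexting signals found in a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    signals = []

    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = _domain(addr)

    # 1. Display name of a known executive, but the address is not theirs:
    #    classic CEO-fraud pretexting, often sent from a lookalike domain.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        signals.append("display_name_impersonation")

    # 2. Reply-To routes the conversation to a domain other than the sender's,
    #    so replies reach the attacker even when From looks plausible.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_domain:
        signals.append("reply_to_mismatch")

    # 3. A link whose visible text names one host while the href goes elsewhere.
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body else ""
    for href, anchor in LINK_RE.findall(content):
        shown = URL_RE.search(anchor)
        if shown and _host(shown.group(0)) != _host(href):
            signals.append("link_text_mismatch")
            break
    return signals


# Constructed sample messages (192.0.2.10 is an RFC 5737 documentation address).
PHISH = """\
From: Jane Doe <jane.doe@example-com.co>
Reply-To: payments@mail.example.net
To: bob@example.com
Subject: Urgent wire transfer before noon
Content-Type: text/html; charset="utf-8"

<html><body>Bob, approve the payment at
<a href="http://192.0.2.10/portal">https://portal.example.com</a> before noon.</body></html>
"""

CLEAN = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 planning
Content-Type: text/plain; charset="utf-8"

Bob, the agenda is at https://portal.example.com as usual.
"""

if __name__ == "__main__":
    print("phish:", phishing_signals(PHISH))
    print("clean:", phishing_signals(CLEAN))
```

None of these checks proves a message is malicious on its own (a legitimate executive may use a personal Reply-To), so in practice they feed a score or a quarantine rule rather than an outright block, and they complement, not replace, SPF, DKIM and DMARC checks done by the mail gateway.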

Eight Data Breach Prevention Techniques for the Smaller Company

Do you know how to prevent data breaches at your company? While large, enterprise-level companies often have lengthy, complex processes around data handling, we generally find that our smaller clients can build workable data protocols by working through these eight data breach prevention techniques.

#1: Identify Data Paths

The key to data breach prevention is to first understand how critical data travels through your systems. For instance, how is customer payment data entered, and where is it stored? Are there logs, applications, folders or shared accounts that the information passes through along the way? Are there hidden caches of it, or old files that should have been deleted? Is the data encrypted while it moves between systems and while it sits in storage? To have a truly compliant data handling process, you have to know the answers to these questions, even when the information is handled by a third-party processor on your behalf.

While we’ve used the example of a financial record above, this rule really applies to all your data in your company—from your simple product development files, to email records, health data, accounting information, and more.

#2: Identify Who Has Access

What devices handle your data? Is it stored in the cloud? Or on a company server? Who has access to the company server? And then there’s the issue of permissions. Who has the ability to see or modify your data? Just the team that’s created it, or system admins and senior management?

While modern cloud tools make it easy to share files with everyone, we recommend companies follow the principle of least privilege: grant access only on a need-to-know, need-to-use basis, and hand out administrator or other privileged accounts as sparingly as possible, kept separate from the accounts people use for everyday work.

#3: Determine Your Risk Tolerance

How much risk is acceptable? Most companies will say none, but the type of data dictates how far you’re willing to go to safeguard it. You must decide which data must be defended most aggressively and which matters less, and for each risk choose one of four responses:

Accept—live with it, because the cost of a control would exceed the harm (for example, someone copying and pasting material from your public website)

Avoid—stop doing the thing that creates the risk, such as not collecting or retaining data you don’t actually need

Transfer—shift the financial impact to someone else, through cyber insurance or a contract with a third-party processor

Mitigate—reduce the likelihood or impact with controls such as firewalls, multifactor authentication and encryption, including the controls built into the cloud and third-party systems you already use

#4: Set Controls

Once you’ve determined the “security level” your data must be stored under, you can begin to apply the proper controls to govern it. There are many tools at your disposal for this, including:

  • firewalls
  • encryption, both in storage and in transit
  • identity management (single sign-on, multifactor authentication, password policy)
  • logging and continuous monitoring of data flows
  • off-site (cloud) backups

#5: Create a Data Policy

Now that you’ve sectioned off your data by its importance and determined how it will be protected, it’s time to make those protections part of your standard operating procedure. You must identify who is assigned to which access levels, determine how the data will flow through and be handled by your systems, and decide how it will be disposed of once it’s no longer needed. All of this should be clearly spelled out in a written data protection and handling policy. It applies to your company-issued devices as well as to employees who access the company network from their own devices.

#6: Make Multifactor Authentication and Strong Password Policy Part of Your Culture

With the techniques ransomware crews now use, a password alone is no longer enough to guard access. Multifactor authentication (MFA) requires two or more independent factors: something you know (a password), something you have (a phone app that generates or approves a code, or a hardware key) and, optionally, something you are (a fingerprint or face scan). A stolen or phished password then gets an attacker nowhere without the second factor. It may sound like a lot to manage, but tools like Duo Mobile and others make implementing MFA straightforward, even for smaller organizations. Turn it on everywhere it is offered, starting with email, VPN and remote access, and on every administrator account. It’s one of our favorite data breach prevention techniques.
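To make concrete why a phished password alone fails against MFA, here is an added example (not Iconic IT’s or Duo’s code) of the check a login service performs: the password is verified against a salted hash, then the six-digit code from the user’s authenticator app is verified with the standard time-based one-time password algorithm (RFC 6238, HMAC-SHA1, 30-second steps) that such apps implement. The user record and the base32 shared secret are constructed for the demonstration; the secret is the RFC 6238 test value, so the codes it produces can be checked against the published vectors.

```python
"""Two-factor login check: password hash plus an RFC 6238 TOTP code.

Added example with a constructed user record; not Iconic IT's or Duo's
code. TOTP here is the HMAC-SHA1, 30-second, 6-digit scheme that
authenticator apps implement; the shared secret is base32, as delivered
by the QR code at enrollment.
"""
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP for one counter value, as a zero-padded string."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, at, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods since the epoch."""
    return hotp(secret_b32, int(at // step), digits)


def verify_totp(secret_b32, code, at, step=30, window=1):
    """Accept the current step and `window` steps either side to absorb clock skew."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret_b32, c), code)
               for c in range(counter - window, counter + window + 1))


def hash_password(password, salt=None, rounds=200_000):
    """Salted PBKDF2-SHA256; the password itself is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def make_user(password, totp_secret_b32):
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "totp_secret": totp_secret_b32}


def login(user, password, code, at=None):
    """Return 'ok', 'bad_password' or 'bad_code'. Both factors are required."""
    at = time.time() if at is None else at
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["digest"]):
        return "bad_password"
    if not verify_totp(user["totp_secret"], code, at):
        return "bad_code"
    return "ok"


# RFC 6238 test secret ("12345678901234567890" in base32); the user is constructed.
DEMO_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    user = make_user("correct horse battery staple", DEMO_SECRET)
    now = time.time()
    print("phished password, guessed code:",
          login(user, "correct horse battery staple", "000000", now))
    print("password + authenticator code :",
          login(user, "correct horse battery staple", totp(DEMO_SECRET, now), now))
```

The skew window of one step means a code stays valid for up to about 90 seconds, which is why a real service also records the last counter it accepted and refuses to accept the same code twice; that replay check is the one piece a production implementation adds to what is shown here.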

#7: Develop a Data Backup Plan

Are you backing up your data only to a second server at your facility? If so, that’s a mistake. A fire, flood, extended power outage or ransomware attack that reaches the backup server will leave you with nothing to restore. We generally recommend the 3-2-1 approach: keep at least three copies of your data, on two different kinds of storage, with one copy off-site, and make sure that off-site copy can’t be altered or deleted by an attacker who has taken over your network. A third-party cloud backup provider that can restore your data into your systems in an emergency fits this well. Already running on a cloud service such as Microsoft 365? Then use a second, different provider for your backups, and test a restore on a schedule so you know the backups actually work.

#8: Make an Employee Security Training Program Mandatory

Should your employees know how to prevent data breaches? Absolutely, because your employees and vendors are your biggest allies in running a good data management operation. It’s crucial that every employee be trained in password management, in how to spot phishing attempts, and in how data must be stored and shared among themselves. At Iconic IT, we use several different employee security training programs that make it easy to take courses online. Simply make them part of your company’s standard HR training, and update them frequently. When employees understand your company’s data breach prevention techniques, they’ll help you implement them, every day.

Looking for More Resources on Data Breach Prevention?

Here at Iconic IT, we have a deep well of resources that can help you do your homework on data breach prevention techniques. Check out our recent blog on our six favorite ways to secure your network. And to really take a deep dive on cybersecurity, we offer our comprehensive Cybersecurity Essentials Kit. From assessments, to free webinar replays, to whitepapers and thought leadership pieces, you’ll have everything you need to understand the latest cybersecurity strategies. Download it now!

Susan Gosselin is a Solutions Writer for Integris. A career communicator and business journalist, she's written extensively on IT topics and trends for IT service providers like Iconic IT and ProCoders Ukraine, as well as business publications such as Technologyadvice.com, Datamation.com, The Lane Report and many others. Connect with her on LinkedIn.
