Is your small business and customer data protected by the latest software updates, firewalls and encryption? If you’re feeling confident your data security is unbreachable, don’t be so sure. The weak link in your data security system is staring you right in the face—in the form of your employees.
Even if all of your data security precautions are in place, employees could be putting your and your customers’ data at risk. Human error was the number-one cause of data security breaches last year, according to a study by BakerHostetler, accounting for 36 percent of incidents. The next most common causes were outsider theft (22 percent), insider theft (16 percent), malware (16 percent) and phishing attacks (14 percent).
Only two-thirds of the data security incidents were detected by the company itself; in the rest of the cases, the company didn’t know about it until an affected party contacted them. Worse yet, the average time that passed until a breach was detected was 134 days—more than four months!
A lot of bad stuff can happen in four months, especially if your industry involves sensitive customer data like credit card numbers, Social Security numbers or health data. So how can you protect your small business from employee error when it comes to data security?
Of course, you should still use basic security measures, such as automatically installing software updates, setting up firewalls and using antivirus software. But those technical protections alone are not enough. “Social engineering” is the biggest risk small businesses face when it comes to data security, according to IT security expert Kevin Mitnick, founder of KnowBe4. Social engineering is any method by which hackers or thieves trick individuals into divulging information—whether it’s a phishing email that has them click on a malicious hyperlink, or a phone call posing as a bank employee and asking to confirm an account number.
To alert employees to these risks, set data security policies and stick with them. Make this part of your employee handbook and require every employee to demonstrate knowledge of the policies.
For instance, policies requiring employees to select complex passwords, change passwords every three months and always log out at the end of the day can help keep you safe. Use one of the many automatic password generators and/or password keepers, such as RoboForm, LastPass or Norton, to ensure employees aren’t just picking “password” or “123456” as their passwords. You should also restrict what type of information is given out over the phone.
Habits die hard, and employees tend to revert to easier ways of doing things. Updating your policies and providing new training every six months will help keep employees on top of security trends.
Of course, your employees aren’t the only weak link in your business’s data security. As the owner, you need to be just as aware of the risks and equally strict in following your own procedures.
Last, but not least, know that not all security breaches are electronic. According to the BakerHostetler study, more than 20 percent of breaches in 2014 involved paper records. Limit access to sensitive paper records to employees who really need access, and regularly shred documents that are no longer needed for your files.