Most of you have heard the words fraud, identity theft, and cyber security. But what do those words mean for a small business like yours? I was recently listening to a webinar hosted by the IRS on standards and procedures for keeping my firm’s data safe, and I started thinking to myself: data security is crucial to me, but it is important for other small businesses too.
Small businesses have a big threat on their hands. Criminals often target the little guys. Why? Because they know it is difficult and costly for small firms to protect their data. Whether you know it or not, a wealth of the information cyber crooks look for is sitting right on the computers in your office.
Scammers are out there targeting small businesses just like yours every day. If you have a dental office or doctor’s office, you are a prime target for data theft. However, other companies are at risk as well. Criminals spot a small business that stores client information on its computers and break into systems that are unprotected or insufficiently protected. What can they do with my customers’ information? The answer is a lot. Small offices hold copious amounts of identifying information: Social Security numbers, dates of birth, addresses and much more.
In the hands of skilled thieves, that information is gold! They can take that basic account information and file a tax return on someone’s behalf. They can create a fictitious business or fraudulent claim for refund in a taxpayer’s name. Then all they have to do is route those refund checks to their address or their personal bank account and BAM! They just stole money from the government with an unsuspecting taxpayer on the line for all of it. Who is to blame? Ultimately, you can be held responsible for improperly securing your customers’ data.
These crooks are looking anywhere they can to steal information. If you find yourself at the wrong end of a computer crime, your business could lose its good reputation in the community; your customers could lose faith in your abilities, and you could be indicted. All of this hardship can result from not securing your clients’ personal data.
So what can you do to protect yourself and your customers?
You should have plans and procedures in place and train all your staff so they understand why these rules were created. Explain that this is not just busy work, but rather a way to protect them and your clients. Keep in mind that if your staff members see you as an active participant in the security process, they will be more likely to adhere to the rules. If all new hires know that you, as the owner, are serious about company-wide security, they may be less likely to let things slip through the cracks or, even worse, to steal information from you.
It has been reported that much of today’s theft comes from small businesses. Shockingly, a significant portion of it happens from the inside. If a worker becomes a disgruntled employee, they may want to steal from your organization to get back at you. It sounds terrible, but it happens all the time. However, if all your employees know that your customer database is secure, they may think twice about stealing, especially knowing all the cross-checking and procedures you have in place.
What not to do:
- Never take a lax attitude towards your security rules.
- Never send sensitive information via a personal cellular phone.
- Never send confidential information while in an unprotected zone.
- Never discuss clients’ personal information with others.
What to do:
- Turn off computers at night.
- Use passwords on all computers and devices.
- Back up client data.
- Secure all wireless devices before use.
- Use antivirus and run frequent scans.
- Encrypt emails.
If you find your company has become a victim of a computer crime
One of the first things you need to do is notify your customer base and let them know what has happened. Honor their commitment to you as patrons by putting your ego aside. Don’t argue or point fingers. Instead, take an active part in helping them rectify the situation. Read up on protocols and procedures so that, if a theft does occur, you can tell your clients what actions you have taken and guide them through the next steps to protect themselves.
Tell your customers to call the three major credit bureaus: TransUnion, Experian, and Equifax. Each person is allowed a free credit report at least once a year. Advise them of this and let them know how to contact the bureaus and report the incident. If your client sees anything out of the ordinary on the credit report, the bureau can help them take steps to start protecting their credit. Also, if you have a vast client database, you may want to call the bureaus yourself to alert them to the theft and to a possible influx of calls from your clients.
Protect your computers
Cybersecurity insurance is a newer offering that many businesses are adding to their necessary budget allowances. Even if you take every step to protect your clients’ data, it is still in your best interest to shield your business one step further.
Create staff protocols and make sure all your employees are trained not only to be aware of them but to thoroughly understand them and put them into practice. Make sure they know how to perform functions like saving files correctly, sending encrypted emails, locking up file rooms, and securing client data. Also, continue their education and make sure they retain what they have already learned. For the less computer-savvy on your team, teach them what phishing scams look like.
If you do find an unsafe email or attachment, immediately alert all workers. Send an email or verbally advise them of the potential threat. Notifying your team is necessary to keep the emails from continuing to circulate and infecting your server(s) with malware. Make sure everyone understands that if a link or email is deemed unsafe, no one should open the email or click on its links or attachments.
If a scam gets past you, you need to be able to spot a new infection quickly. Watch for computers sending or deleting strange emails: if you or your workers notice messages in an outbox that they did not send, or a large amount of mail in the deleted folder, this could be an indicator of a phishing compromise. These are all signs of a potential threat. Once the malware is on the computer, it may be too late. Hackers can place keystroke-logging programs on your device and monitor your staff as they enter passwords. Always update passwords and don’t leave password lists lying around. The only person in your organization who should have the password to a specific device is its user. Don’t share passwords for convenience.
Every computer in your business should lock its screen after 10 minutes of inactivity, so that a password is required to get back in. You should also have a regular schedule for updating your programs and hardware.
Create a safe environment with safe attitudes
Your business mission statement should include the importance of safety. Create an open environment in which your staff feel comfortable approaching you if they think they may have made an error. It is better for your staff to trust you and not fear for their jobs than for them to worry about their livelihood and cover up a slip-up.
Have a company handbook that details the rules for signing in, keeping passwords, and everyday computer use. You can have fun with it. Provide lunch and have someone come in to speak to your staff about cyber threats. Help them become informed and update their training on a regular basis.
Your staff cannot be the only ones learning. You must educate yourself as well. Stay abreast of recent updates in security and programs. It is your job as a business owner to keep learning and growing with your business and the times.
Things to secure
- Sales records
- Social Security numbers
- Dates of birth
- Security questions
- Credit card numbers (get your company some PCI DSS security classes)
- Mailing receipts
- Employee payroll information
- Business leads
- Email lists
Everyday office life should be safe too
Reward employees in front of your whole team when they show exemplary skill in understanding your procedures and guidelines for protection. If one person gets a bonus, their coworkers may aim higher to obtain one as well. It is a small price to pay for a smoothly running operation. As hard as it is, have proper penalties in place for an employee who does not follow your company’s security guidelines. No one likes to be the bad guy, but your customers and clients will thank you for your dedication to their privacy.
Protect your paper:
- Dispose of paper waste in an appropriate way.
- Have shredders on site or opt for a monthly shredding service.
- Lock it up! If you have a file room or documents in your desk, lock them up.
- Never leave clients or customers alone around other clients’ files.
- Maintain a record of where all your data is located and stored.
- Create a scale to categorize your data (secure, sensitive, and internal use).
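The last two items, keeping a record of where your data lives and sorting it into tiers, are easier when a script does the first pass. The following is an added example, not part of the original article or any product it mentions: it scans text records for the kinds of identifiers listed under "Things to secure" (Social Security numbers, dates of birth, credit card numbers) and assigns each file one of the article's three tiers. Card-number candidates are confirmed with the Luhn check digit so that order or reference numbers are not mistaken for cards. The file names, sample contents and tier rules are constructed for illustration; the inventory stores only counts of what was found, never the values themselves, so the report is not a new copy of the sensitive data.

```python
"""Data discovery and classification: an added example (not the article's own).

Scans text records for Social Security numbers, dates (possible dates of
birth) and Luhn-valid card numbers, then assigns the article's tiers:
"secure", "sensitive" or "internal use". All sample data is constructed.
"""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# MM/DD/YYYY dates; any date is treated as a possible date of birth.
DATE_RE = re.compile(r"\b(?:0[1-9]|1[0-2])/(?:0[1-9]|[12]\d|3[01])/(?:19|20)\d{2}\b")
# 13 to 19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

TIERS = ("secure", "sensitive", "internal use")

# Constructed sample files: path -> contents (none of this is real data).
SAMPLE_FILES = {
    "clients/jane_doe_intake.txt": "Jane Doe, DOB 04/12/1978, SSN 123-45-6789, 12 Elm St.",
    "billing/march_invoices.txt": "Paid with card 4111 1111 1111 1111 on 03/02/2023.",
    "billing/scan_noise.txt": "Ref 4111 1111 1111 1112 is a PO number, not a card.",
    "staff/lunch_menu.txt": "Friday lunch: pizza and salad. RSVP by Thursday.",
    "marketing/leads.txt": "Lead: Bob Smith, born 07/30/1985, interested in cleaning.",
}


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_identifiers(text: str) -> dict:
    """Count identifiers in one record. Counts only; the values are not kept."""
    found = {
        "ssn": len(SSN_RE.findall(text)),
        "dob": len(DATE_RE.findall(text)),
    }
    candidates = [re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(text)]
    # A digit run only counts as a card if its check digit is consistent.
    found["card"] = sum(1 for c in candidates if luhn_valid(c))
    return found


def classify(found: dict) -> str:
    """Map findings to the article's tiers: SSN or card -> secure, DOB -> sensitive."""
    if found["ssn"] or found["card"]:
        return "secure"
    if found["dob"]:
        return "sensitive"
    return "internal use"


def build_inventory(files: dict) -> dict:
    """Produce the 'where is my data' record: path -> tier and identifier counts."""
    inventory = {}
    for path, text in files.items():
        found = find_identifiers(text)
        inventory[path] = {"tier": classify(found), "found": found}
    return inventory


if __name__ == "__main__":
    for path, entry in build_inventory(SAMPLE_FILES).items():
        print(f"{entry['tier']:<13} {path}  {entry['found']}")
```

In a real office you would point `build_inventory` at the text extracted from your file shares and mail archives, and the resulting list tells you which locations need the controls the article describes (locked rooms, encryption, restricted access) and which can be treated as internal use. The regular expressions are a first pass and will flag some dates and digit runs that are not personal data, so the output is a starting point for review, not a final verdict.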
Investigate your company
Many business owners have a mock audit done by an outside party to evaluate their procedures and protocols. An independent party may see things you and your staff never noticed. This process will also prepare you if an actual audit of your systems ever takes place. A completed review can be presented to your insurance company and may reduce your premium for cyber security insurance.
Hire the right staff
As a business owner, make sure you do your due diligence and start off with a great team. Your clients and vendors do not want to hear that you could not do a simple search on your employees to protect your business. Don’t just look at a resume and assume it is all in order. After the interview, be sure to call previous employers, run a credit check and look the candidate up in the local judiciary database. Do whatever it takes to find quality employees.
Be aware of whom you let work on your network. Review your IT company as if it were an employee, and make it aware of the protection rules and procedures you have created.
What are the fees if you fail to secure your data?
- Attorney fees
- Credit monitoring fees
- Computer security fees
- Penalties for privacy law breach
- The list goes on!
Data security sounds like a massive amount of work, but times are changing. Computer threats are very real. It is much better to be proactive and put these plans in place than to be reactive once something has happened to you and your loyal customers.