In 2013 and 2014, Yahoo was breached and roughly 3 billion user accounts were compromised. The fallout from the breaches was estimated to have cut about $350 million from Yahoo's sale price when Verizon ultimately acquired the company in 2017.
While most businesses will never face a breach of that magnitude, every business should still be concerned with information security. One Ponemon Institute study found that, on average, each stolen record containing sensitive information costs $148, and that the average total cost of a single data breach was $3.86 million, according to that same report. Attacks are more common than you might think: according to Wombat's 2018 State of the Phish report, 76% of organizations surveyed reported phishing attacks in 2017.
The emergence of cloud computing has made life a lot easier for many startups and small businesses. Cloud-based solutions are typically far cheaper and easier to scale than expensive on-premise solutions. The downside is that a cloud account is reachable by anyone who holds its credentials, so phishing and password-stealing malware become a bigger risk than they were when the data sat behind an office firewall.
On top of the legal and financial ramifications that come with a data breach, it’s important to consider the damage your business's reputation will also take. A data breach is costly, and a smart business owner will take every step possible to ensure that it doesn't happen.
Here are six tips to help you tighten up your security.
1. Adhere to Basic IT Security Principles
When it comes to IT security, start with the basics. Use strong, unique passwords (a long passphrase beats a short, "clever" one), don't open emails from suspicious addresses and don't open links from sources you don't recognize. It may sound basic, but even the U.S. Department of Homeland Security stresses the importance of something as simple as good passwords.
Hackers will often look for the simplest way into any system, and they start with these basics first. A firm may invest millions in sophisticated computer systems outfitted with top-of-the-line antimalware, while at the same time an admin account uses "123456" as its password. Make sure no one at your company uses passwords like "qwerty," "111111," or "google," or a trivially disguised version of them such as "P@ssw0rd2019!"; the simplest way to enforce that is to check every new password against a list of commonly used ones before accepting it.
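The following is an added example, not code from the original article, showing what "no simple passwords" looks like when enforced by a password-change form rather than by a memo. It checks length, single-character repeats, a (constructed, deliberately short) deny list of the most common passwords, and the company's own name, and it normalizes case, "leet" substitutions and trailing years before comparing so that "P@ssw0rd2019!" is caught as "password". The deny list, the minimum length of 12 and the company name "Acme" are assumptions for this example; a real deployment loads a much longer breach-derived list from a file.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Constructed deny list: the entries that top every breach corpus. A real
// deployment loads tens of thousands of entries, but the check is the same.
var denyList = []string{
	"123456", "password", "qwerty", "111111", "google", "letmein",
	"welcome", "admin", "iloveyou", "abc123",
}

// Assumption for this example: the company is called "Acme", so its name
// must not appear in any password either.
var companyWords = []string{"acme"}

const minLength = 12

// normalize undoes the three tricks that get weak passwords past a naive
// check: mixed case, a trailing year or symbol, and "leet" substitutions.
func normalize(pw string) string {
	s := strings.ToLower(pw)
	// drop a trailing "2019", "!", "123" and the like before looking at letters
	s = strings.TrimRightFunc(s, func(c rune) bool { return !unicode.IsLetter(c) })
	r := strings.NewReplacer("0", "o", "1", "i", "3", "e", "4", "a",
		"5", "s", "7", "t", "@", "a", "$", "s", "!", "i")
	return r.Replace(s)
}

// allSame reports whether the password is one character repeated ("111111").
func allSame(pw string) bool {
	if pw == "" {
		return false
	}
	first := []rune(pw)[0]
	for _, c := range pw {
		if c != first {
			return false
		}
	}
	return true
}

// CheckPassword returns the reasons a candidate password is unacceptable;
// an empty slice means it passed every check.
func CheckPassword(pw string) []string {
	var reasons []string
	if len([]rune(pw)) < minLength {
		reasons = append(reasons, fmt.Sprintf("shorter than %d characters", minLength))
	}
	if allSame(pw) {
		reasons = append(reasons, "a single repeated character")
	}
	lower := strings.ToLower(pw)
	norm := normalize(pw)
	for _, bad := range denyList {
		// exact match on the raw value catches "123456"; a substring match on
		// the normalized value catches "P@ssw0rd2019!"
		if lower == bad || (norm != "" && strings.Contains(norm, bad)) {
			reasons = append(reasons, fmt.Sprintf("contains the common password %q", bad))
			break
		}
	}
	for _, w := range companyWords {
		if strings.Contains(norm, w) {
			reasons = append(reasons, "contains the company name")
			break
		}
	}
	return reasons
}

func main() {
	for _, pw := range []string{"123456", "P@ssw0rd2019!", "Acme-Rocks-2019", "correct horse battery staple"} {
		fmt.Printf("%-32q -> %v\n", pw, CheckPassword(pw))
	}
}
```

Running it rejects the first three candidates and accepts the passphrase. Returning the reasons, rather than a bare yes/no, lets the form tell the user what to change, which is what keeps people from simply appending another digit.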
2. Train All of Your Employees
As stated above, a large majority of businesses suffer phishing attacks. In a phishing attack the target is contacted by a criminal posing as someone trustworthy in order to extract credentials or other valuable information. These attacks usually arrive as emails, and the senders can make themselves appear very real to recipients by borrowing a familiar name, a look-alike domain or a plausible subject line. All employees should be trained on IT security and coached never to hand out credentials or sensitive information in response to an unsolicited request, but to verify it through a channel they already know.
This goes double for senior-level executives. A common form of phishing, referred to as "spear phishing," targets a specific high-level employee with a lot of access to sensitive information, using details about that person and the company to make the message convincing. Unlike generic phishing, spear phishing can be much harder to detect. That's why it's crucial your employees are trained on how to recognize such attempts.
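Training people to spot the signs works better when the same signs are also checked mechanically at the mail gateway. The following is an added example, not code from the original article, that runs three such checks over a constructed set of headers: a trusted brand name in the display name while the address belongs to another domain, a sender domain that is a look-alike of the company's (the same after folding common character swaps such as "rn" for "m", or within two edits), and a Reply-To that diverts replies elsewhere. The domain "acme.com", the attacker's "acrne.com" and every other name here are invented for the example.

```go
package main

import (
	"fmt"
	"net/mail"
	"strings"
)

// Constructed sample headers (names and domains invented for this example).
var sampleHeaders = map[string]string{
	"From":     "Acme IT Helpdesk <it-support@acrne.com>",
	"Reply-To": "acme.helpdesk@gmail.com",
	"Subject":  "Your password expires today - verify now",
}

// Assumption: the company's real mail domain and brand is acme.com.
var trustedDomains = []string{"acme.com"}

// foldConfusables maps the character swaps used to build look-alike domains
// back onto the originals, so "acrne.com" compares equal to "acme.com".
func foldConfusables(s string) string {
	r := strings.NewReplacer("rn", "m", "vv", "w", "0", "o", "1", "l", "3", "e", "5", "s")
	return r.Replace(strings.ToLower(s))
}

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein is the plain edit distance; a domain within two edits of a
// trusted one ("acme.co", "acrne.com") deserves a second look.
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev := make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur := make([]int, len(rb)+1)
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev = cur
	}
	return prev[len(rb)]
}

func domainOf(a *mail.Address) string {
	return strings.ToLower(a.Address[strings.LastIndex(a.Address, "@")+1:])
}

// AnalyzeHeaders returns the phishing indicators it finds. An empty result
// means these particular checks did not fire, not that the mail is safe.
func AnalyzeHeaders(h map[string]string, trusted []string) []string {
	var findings []string
	from, err := mail.ParseAddress(h["From"])
	if err != nil {
		return []string{"From header does not parse: " + err.Error()}
	}
	fromDomain := domainOf(from)
	for _, t := range trusted {
		if fromDomain == t {
			continue // a genuine internal sender passes the next two checks
		}
		// 1. our brand in the display name, but the address is not ours
		brand := strings.SplitN(t, ".", 2)[0]
		if strings.Contains(strings.ToLower(from.Name), brand) {
			findings = append(findings, fmt.Sprintf("display name %q claims %s but address is @%s", from.Name, t, fromDomain))
		}
		// 2. look-alike domain: equal after confusable folding, or within two edits
		if foldConfusables(fromDomain) == foldConfusables(t) || levenshtein(fromDomain, t) <= 2 {
			findings = append(findings, fmt.Sprintf("sender domain %s looks like %s", fromDomain, t))
		}
	}
	// 3. replies go somewhere other than the apparent sender
	if rt, ok := h["Reply-To"]; ok {
		if reply, err := mail.ParseAddress(rt); err == nil && domainOf(reply) != fromDomain {
			findings = append(findings, fmt.Sprintf("Reply-To goes to @%s, not @%s", domainOf(reply), fromDomain))
		}
	}
	return findings
}

func main() {
	for _, f := range AnalyzeHeaders(sampleHeaders, trustedDomains) {
		fmt.Println("indicator:", f)
	}
}
```

On the sample headers all three checks fire. A message from `jane@acme.com` with no Reply-To produces nothing, which is the point: the checks flag impersonation of your own brand, not mail from strangers in general, so they are a complement to training rather than a substitute for it.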
3. Use Two-Factor Authentication
Don't settle for a single username and password combination. Take it a step further with two-factor authentication: after the password, the user must also prove possession of something they have, typically a one-time code from an authenticator app, a code sent to their phone, or a hardware security key. Offer it to employees and customers alike.
Know that two-factor authentication isn't foolproof. Again, training is crucial, and without it, two-factor authentication can fail. A one-time code proves that whoever typed it holds the second factor right now; it does not prove they meant to log in. An employee who receives a login-approval prompt or a link they did not initiate and approves it anyway hands the attacker the second factor along with the password.
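To make concrete what "a code sent to their phone" actually is, here is an added example (not code from the original article) of the time-based one-time password scheme that authenticator apps use, RFC 6238 TOTP over RFC 4226 HOTP, with the server-side verifier that a login form would call. The verifier accepts the current 30-second step and one step either side to absorb clock drift, and it remembers the last step it accepted so a code cannot be replayed. The test secret is the one from the RFC's appendix; a real secret is 20 random bytes generated at enrollment.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	step   = 30 // seconds per code, as in every authenticator app
	digits = 6
	window = 1 // accept the previous and next step to absorb clock drift
)

// hotp is RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated.
func hotp(secret []byte, counter uint64) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is RFC 6238: the HOTP counter is the number of steps since the Unix epoch.
func TOTP(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/step))
}

// Verifier holds the one piece of server state a TOTP check needs: the
// counter of the last code it accepted, so the same code cannot be replayed.
type Verifier struct {
	secret   []byte
	lastUsed int64 // -1 until the first successful verification
}

func NewVerifier(secret []byte) *Verifier {
	return &Verifier{secret: secret, lastUsed: -1}
}

// Verify accepts code if it matches the current step or one either side and
// that step has not been used before. A code phished from the user and
// relayed within the same window still passes: TOTP proves possession of
// the secret, not that the user intended this particular login.
func (v *Verifier) Verify(code string, unix int64) bool {
	now := unix / step
	for delta := int64(-window); delta <= window; delta++ {
		counter := now + delta
		if counter < 0 || counter <= v.lastUsed {
			continue
		}
		if hmac.Equal([]byte(hotp(v.secret, uint64(counter))), []byte(code)) {
			v.lastUsed = counter
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 6238 test secret; a real one is random
	now := time.Now().Unix()
	v := NewVerifier(secret)
	code := TOTP(secret, now)
	fmt.Println("code:", code, "first use:", v.Verify(code, now), "replay:", v.Verify(code, now))
}
```

The replay check is the part most home-grown implementations forget: without it, a code captured by a phishing page is good for up to 90 seconds for as many logins as the attacker wants, instead of at most one.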
4. Encrypt Everything
Data encryption is key for sensitive information. Encryption transforms data so that it is unreadable to anyone who does not hold the key, which means the key is now the thing to protect. Take it a step further by keeping the encrypted data and the keys on different systems, so that whoever gets hold of the stored data (a stolen backup, a compromised storage server) does not get the means to read it in the same place. A startup most likely won't have an in-house encryption expert, but there are plenty of technology companies that will handle encryption and key management for you. Companies like IBM will often provide affordable prices backed by the expertise of a large IT company that takes data security seriously.
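"Encrypted data and keys on different servers" is usually done with envelope encryption, which is what the managed key services of the large providers implement. The following is an added example, not code from the original article, using only Go's standard AES-GCM: each record is encrypted under its own random data key, that data key is then encrypted ("wrapped") under a key-encryption key that lives with the application or a KMS, and only the ciphertext plus the wrapped key is handed to storage. The record ID is bound in as associated data so a wrapped key cannot be moved from one record to another. The record ID "customer-42" and the payload are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Record is what the storage server keeps: ciphertext plus the data key
// that produced it, itself encrypted under a key the storage server never sees.
type Record struct {
	ID         string
	WrappedKey []byte // data key encrypted under the KEK
	Ciphertext []byte // nonce || AES-GCM ciphertext of the payload
}

func NewKey() []byte {
	k := make([]byte, 32) // AES-256
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}

// seal returns nonce||ciphertext; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// unseal reverses seal; it fails on any bit flip in the ciphertext or the aad.
func unseal(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// EncryptRecord runs on the application side, which holds the KEK.
func EncryptRecord(kek []byte, id string, plaintext []byte) (Record, error) {
	dek := NewKey() // fresh data key per record; never stored in the clear
	ct, err := seal(dek, plaintext, []byte(id))
	if err != nil {
		return Record{}, err
	}
	wrapped, err := seal(kek, dek, []byte(id)) // binds the key to this record ID
	if err != nil {
		return Record{}, err
	}
	return Record{ID: id, WrappedKey: wrapped, Ciphertext: ct}, nil
}

func DecryptRecord(kek []byte, r Record) ([]byte, error) {
	dek, err := unseal(kek, r.WrappedKey, []byte(r.ID))
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return unseal(dek, r.Ciphertext, []byte(r.ID))
}

func main() {
	kek := NewKey() // in production: held in a KMS or HSM, not beside the data
	rec, err := EncryptRecord(kek, "customer-42", []byte("4111 1111 1111 1111"))
	if err != nil {
		panic(err)
	}
	pt, err := DecryptRecord(kek, rec)
	fmt.Printf("decrypted: %s (err=%v)\n", pt, err)
	rec.Ciphertext[len(rec.Ciphertext)-1] ^= 1 // storage server tampers with a byte
	_, err = DecryptRecord(kek, rec)
	fmt.Println("after tampering:", err)
}
```

Two properties follow from the layout: the storage tier can lose every record and wrapped key without the attacker learning anything, and rotating the KEK means re-wrapping the small data keys rather than re-encrypting every record.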
5. Make Penetration Testing Part of Your Security Routine
Another option is penetration testing: a tester, or at the low end an automated vulnerability scanner, attempts to find exploitable weaknesses in your systems before a real attacker does. The comprehensiveness of these tests varies, and so do the price points offered by different companies. We highly recommend that these risk assessments be carried out on a regular basis and after any significant change to your systems. Be sure to check industry guidelines, since some industries, like healthcare, are required by law to conduct risk assessments on a regular basis.
6. When Possible, Use Cloud Solutions
As a small business or startup, you likely won't have the capital to construct an entire on-premise IT infrastructure. This is why most businesses house their data and information on cloud solutions. However, a cloud service is reachable from the whole internet, so a weak credential or a misconfiguration exposes data far more readily than it would on an internal network; businesses ought to choose their cloud hosting carefully and configure it just as carefully. There are plenty of large, reputable IT companies that take data security very seriously and offer enterprise cloud solutions, including Amazon, Microsoft, IBM and Salesforce.
If a cloud-based solution isn't right for your business, or you need guarantees about availability and downtime that a provider won't commit to, you'll have to use on-premise solutions. However, carefully consider the costs. Even ignoring space and energy consumption, the physical servers themselves can get quite expensive; a production-grade server can cost upward of $30,000. If you can't yet afford a serious piece of equipment like that, consider a small-business loan to help finance your solution.