It’s a question you should be asking yourself. And I’m not just talking about small to medium businesses (SMBs) but individuals too. Unfortunately, many companies and individuals don’t take the time or dedicate resources to plan for and address this critical issue. If you don’t, you’re putting your business and/or yourself at a substantial risk that you may not be able to recover from.
If you’re like most SMBs you probably have a server or multiple servers in your office, or they are in the cloud – physically located in some nondescript datacenter in Texas.
Unfortunately, there is a bevy of digital thieves constantly probing our systems for vulnerabilities to gain access. And once they are in, you may not even know it. They can be stealing employee records, customer credit card information, intellectual property, and accounts payable/receivable data – information you, your employees, your customers and your business can’t afford to lose.
Take a moment and think about it. Are you doing enough to protect your sensitive data from hackers?
The good news is there are ways you can protect your organization and yourself, or at least reduce the chance of hackers targeting your system and data. Let’s face it, hackers are always looking for an easy score, and implementing multiple layers of defense will most likely discourage them and send them on to the next, softer target.
Here are some steps you can take to better ensure your data is protected:
- Perform an audit of your system (and set up an annual review). First identify all your data and determine where it is currently stored. Then hire an outside IT firm to conduct an audit. Even if you are confident in your own IT expertise, it’s still a smart investment to hire an outside firm to thoroughly test your system for vulnerabilities, provide a written assessment and a list of recommendations to protect your system. They may find areas you missed or have suggestions you did not consider.
- Install anti-virus (AV) and anti-malware (AM) protection. Ransomware and other forms of malware are on the rise. More and more businesses and individuals are being attacked every day. When your data is held for ransom, you must meet the financial demands of the perpetrator or lose your data. And I’m sure that’s something you or your business does NOT want to do. To protect your data, you and your organization should have AV and AM software installed. Use a provider that has a strong track record and is highly recommended by industry publications and forums. Here are some of my favorites:
  - Anti-virus: BitDefender, Kaspersky, Sophos and Webroot
  - Anti-malware: Emsisoft, Hitman Pro, and MalwareBytes
  Remember, it’s critical to keep ALL your internal and external devices updated with the latest versions of AV and AM software.
- Prepare backups. In today’s world, it’s critical to back up your data should an unforeseen event or attack occur. In my opinion you should take a two-tier approach. First create a local backup in your office or home. Data is copied to external hard drives, direct-attached storage (DAS) or network-attached storage (NAS) devices on an hourly, daily, or weekly basis depending on your needs. The benefits include complete control of your data, easy setup and quick local access to files. The cons include physical theft of the unit(s), the impact of a fire or flood, and the reliability of the hard drives themselves.
For the second tier, sign up for an online backup service. These cloud storage services have various levels of support and features to match your needs. Basic cost usually depends on how much data is stored and what subscription plan you select. Pros include 24/7 support, coverage for all devices including mobile, scalability and offsite storage. Cons include losing control of your data, slower upload and restoration times, and privacy/security concerns. Make sure you choose an established, reliable provider that stores encrypted data on servers in multiple secure locations. Always ask how quickly your files can be accessed in case of an emergency. Here are a few providers that are highly rated: Barracuda, IDrive, SOS Online, Mozy, and Crashplan.
By using a two-tier approach, you will have a complete and comprehensive backup plan in place.
But remember no matter which method(s) you choose, always test the backups on a regular basis to ensure nothing is corrupt and your data can be recovered when you need it.
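The "test your backups" advice above is the part most people skip. As an added example (not code from the original post), here is a small Python script for the first tier: it archives a folder, records a SHA-256 manifest alongside the archive, and later proves the backup is restorable by extracting it into a scratch directory and comparing every file against the manifest. The sample "office" data and the simulated corruption in `demo()` are constructed for the illustration; the `safe_members` check is an assumption about how you want to handle hostile archive entries, not something the post discusses.

```python
"""Local backup with an integrity manifest and an automated restore test."""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups don't need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file (relative to root) to its hash; this is what a restore is checked against."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src plus a manifest file next to it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def safe_members(tar: tarfile.TarFile):
    """Refuse entries that could write outside the restore directory (absolute paths, '..', links)."""
    for member in tar.getmembers():
        name = Path(member.name)
        if name.is_absolute() or ".." in name.parts or member.issym() or member.islnk():
            raise ValueError(f"unsafe archive entry: {member.name}")
        yield member


def verify_backup(archive: Path) -> dict:
    """Restore into a temporary directory and report missing, corrupt and unexpected files."""
    expected = json.loads(manifest_path(archive).read_text())
    report = {"ok": False, "missing": [], "corrupt": [], "extra": []}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(tmp, members=safe_members(tar))
        actual = build_manifest(Path(tmp) / "data")
    for rel, digest in expected.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["corrupt"].append(rel)
    report["extra"] = sorted(set(actual) - set(expected))
    report["ok"] = not (report["missing"] or report["corrupt"] or report["extra"])
    return report


def demo() -> tuple:
    """Constructed sample data: back it up, verify, then simulate corruption to show it is caught."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        src = work / "office"
        (src / "payroll").mkdir(parents=True)
        (src / "payroll" / "q1.csv").write_text("name,amount\nalice,100\n")
        (src / "notes.txt").write_text("quarterly review\n")
        archive = work / "office.tar.gz"
        create_backup(src, archive)
        clean = verify_backup(archive)
        # Simulate a file that no longer matches what was backed up (bit rot, tampering, partial write).
        stored = json.loads(manifest_path(archive).read_text())
        stored["notes.txt"] = "0" * 64
        manifest_path(archive).write_text(json.dumps(stored))
        damaged = verify_backup(archive)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean backup ok:", clean["ok"])
    print("damaged backup report:", damaged)
```

Run `verify_backup` on a schedule (cron, Task Scheduler) and alert on anything other than `ok: True`; a backup that has never been restored is only a hope, not a plan.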
- Implement a Disaster Recovery Plan (DRP). What happens when your business or home is the victim of theft? Or you’re flooded by a broken water pipe in the ceiling above your server? Or a fire runs rampant through the building at night? Are your server(s) and their data safe and protected? How quickly can you get back up and running? We hate to think about these possibilities but they do occur, and you need a plan to protect yourself. DRPs contain step-by-step procedures that will help you recover quickly from any disaster and get you back to normal operations. The process can seem daunting, but there are plenty of online resources and books that can assist you. You can also look at outsourcing this task; most IT providers offer this service.
- Control user access levels. Not everyone in your organization needs access to payroll, accounts receivable or client information. Data should be partitioned based on specific categories and business requirements. Then assign different levels of access based on employee and client needs. Only individuals who need access to specific data should be able to view and edit it.
- Put security policies in place. Here are a few examples:
  - Do not share passwords or network access with anyone who is not authorized to have this information.
  - Be careful not to copy any sensitive or personal data to public file transfer services (e.g. Dropbox, WeTransfer). If you must, make sure the data is encrypted.
  - Employees should not store important data on their laptops or tablets where it can be easily stolen or lost.
  - All remote laptops/tablets must have active anti-virus and anti-malware software and use a secure connection when accessing data from the server(s).
- Improve password strength. It sounds so simple but most of us still don’t do it. We continue to use basic, easy-to-remember passwords (e.g. first name and birthday). And worse yet, we use the same one for various login applications. You need to have a separate, unique password for each system you are accessing. Use a combination of lower and upper case letters, numbers and symbols. 6-8 characters at a minimum but 10 are best. Never write your passwords down; either commit them to memory (good luck) or use a secure encrypted app with two-factor authentication.
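To make the rules in that bullet checkable rather than aspirational, here is an added Python example (my code, not the author's) that applies them: minimum length, the recommended length of 10, all four character classes, no personal terms like a first name or birth year, and no reuse of a password already used for another system. It also shows, with the standard library's `secrets` module, how the kind of password app the post recommends produces a password that passes the same checks. The thresholds `MIN_LEN = 8` and `RECOMMENDED_LEN = 10` are my reading of "6-8 at a minimum but 10 are best"; the sample passwords and the personal terms are constructed.

```python
"""Password policy checker and generator following the post's rules."""
import secrets
import string

MIN_LEN = 8           # assumed floor, taken from the post's "6-8 characters at a minimum"
RECOMMENDED_LEN = 10  # the post's "10 are best"


def password_problems(password: str, personal_terms=(), used_elsewhere=()) -> list:
    """Return a list of rule violations; an empty list means the password is acceptable.

    personal_terms: names, birthdays etc. that must not appear (case-insensitive).
    used_elsewhere: passwords already in use for other systems (reuse is forbidden).
    """
    problems = []
    if len(password) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    elif len(password) < RECOMMENDED_LEN:
        problems.append(f"shorter than the recommended {RECOMMENDED_LEN} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    for term in personal_terms:
        # Ignore very short terms so that a stray two-letter match does not trigger a false alarm.
        if len(term) >= 3 and term.lower() in lowered:
            problems.append(f"contains personal information: {term}")
    if password in set(used_elsewhere):
        problems.append("already used for another system")
    return problems


def generate_password(length: int = 16) -> str:
    """Draw from a CSPRNG and retry until the result satisfies password_problems()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not password_problems(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed example: the "first name and birthday" habit the post warns about.
    weak = "jenn1985"
    print(weak, "->", password_problems(weak, personal_terms=["Jenn", "1985"]))
    # A separate password per system: reuse is caught even if the password itself is strong.
    strong = "Tr0ub4dor&3-Correct"
    print(strong, "->", password_problems(strong, used_elsewhere={strong}))
    print("generated:", generate_password())
```

The reuse check compares exact strings only because that is all a personal checker needs; a password manager does the same job by storing one generated password per site so there is nothing to compare.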
- Educate yourself and your employees. You and your staff are your front-line defense, and everyone must be vigilant when it comes to security. This includes consultants, partners, and vendors that may access your system. Attackers are sending sophisticated emails that appear to come from legitimate sources – for example your bank, shipping companies (UPS, FedEx, USPS) or business connections (Jenn, your financial advisor). Start training your employees on security best practices and make sure they are diligent in reporting suspicious activity so the proper action can be taken.
Securing your data is an important business and personal requirement. Implementing these steps will ensure you and your business are better protected. There is no one guaranteed solution for all. Using a multi-faceted and defensive approach is the best course of action.