By Bruce Bechhold, CPA, Walthall CPAs
Risk management is key to a successful business plan. Data breaches are now commonplace, so it is especially important for business owners to understand their digital risks. Are you doing all you can to reduce the likelihood and the impact of a cyberattack?
Small-business owners often assume their organizations hold little appeal to attackers. In practice they can be ideal targets. Small businesses keep employee and customer data, financial account information, and intellectual property, and an inadequately protected small business can also serve as a stepping stone into the networks of the larger suppliers and customers it connects to.
To protect your organization, you must first understand your vulnerabilities. How are your systems protected? Do you collect and store personal information about customers and employees, such as credit card numbers, Social Security numbers, and birth dates? If so, where is it stored and who can access it? Is it kept in multiple locations and formats, each of which must be protected? Are the files encrypted, and is each system protected by its own strong password rather than one shared everywhere? Do you run separate Wi-Fi networks for employees and for customers? How do your third-party service providers protect the information you share with them? You may want to engage a professional to help identify your risks.
When monitoring your security, ensure you have firewall and encryption technology protecting your Internet connections and Wi-Fi networks. Make sure your computers and mobile devices run antivirus and anti-spyware software that updates automatically. Require employees and anyone else who accesses your systems to use long, unique passwords, enable multi-factor authentication wherever it is offered, and change passwords promptly whenever a compromise is suspected. Keep only the personal data you need and dispose of it securely as soon as it is no longer needed. Back up critical information regularly, test that the backups can actually be restored, and store at least one copy securely offsite. Assign each employee an individual user account and grant access only to the software, systems, and data the job requires. Question third-party vendors to ensure that their security practices meet your standards.
When backing up your data, redundancy is not merely recommended but critical: keep multiple backups stored in different locations. Some guidelines:
- Regularly back up every digital file you cannot afford to lose, on both your computer and your mobile device. Depending on how heavily you use your devices, you may want to back them up as often as every few days.
- A good rule to follow is 3-2-1, which reduces the risk that any single event, such as a fire, theft, or hack, destroys or compromises both your primary data and its backups:
- Keep at least three copies of your data (a minimum of the original plus two backups).
- Use at least two different media (external hard drive, flash drive, tape, cloud, etc.).
- Ensure that at least one backup copy is stored offsite. Cloud storage counts as offsite.
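The backup advice above (regular backups, offsite copies, the 3-2-1 rule) is easy to state and easy to get subtly wrong: a "backup" that was never verified, or three copies that all sit on the same drive, satisfies none of it. The following is an added example, not code from this article or its author, showing one way to implement the rule with integrity and restore checks. It stands in for an external drive and a cloud sync folder with plain directories; the `Destination` names, medium labels and the sample "books" folder are all hypothetical, and encryption of the archive before it goes to a third party is assumed to be a separate step (for example with a tool such as gpg) that this block does not show.

```python
"""Added example: a small 3-2-1 backup routine with integrity and restore checks.

Archives a source directory once, copies the archive to several destinations
(each tagged with a medium type and whether it is offsite), verifies every copy
by SHA-256, and checks the resulting set against the 3-2-1 rule:
  3 copies in total (original + 2 backups), 2 different media, 1 offsite.
Destinations are hypothetical; here they are just temporary directories.
"""
import hashlib
import os
import tarfile
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Destination:
    path: str      # directory to write the archive into
    medium: str    # e.g. "external_hdd", "flash_drive", "tape", "cloud"
    offsite: bool  # True if physically separate from the primary site


def sha256_of(path: str) -> str:
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup_set(source_dir, destinations, primary_medium="internal_ssd", stamp=None):
    """Archive source_dir, copy it to each destination, verify each copy.
    Returns a manifest: one dict per stored copy, the original first."""
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    name = f"backup-{stamp}.tar.gz"
    manifest = [{"path": source_dir, "medium": primary_medium, "offsite": False, "sha256": None}]
    with tempfile.TemporaryDirectory() as tmp:
        staged = os.path.join(tmp, name)
        with tarfile.open(staged, "w:gz") as tar:
            tar.add(source_dir, arcname="data")
        digest = sha256_of(staged)
        for dest in destinations:
            os.makedirs(dest.path, exist_ok=True)
            target = os.path.join(dest.path, name)
            with open(staged, "rb") as src, open(target, "wb") as dst:
                dst.write(src.read())
            # Verify the copy, not just the write: a silently corrupt copy is worse than none.
            if sha256_of(target) != digest:
                raise IOError(f"copy written to {dest.path} does not match the archive")
            manifest.append({"path": target, "medium": dest.medium,
                             "offsite": dest.offsite, "sha256": digest})
    return manifest


def check_321(manifest) -> list:
    """Return the list of 3-2-1 violations for a manifest (empty list = compliant)."""
    problems = []
    if len(manifest) < 3:
        problems.append(f"only {len(manifest)} copies; need the original plus two backups")
    media = {m["medium"] for m in manifest}
    if len(media) < 2:
        problems.append(f"all copies share one medium ({media.pop()}); need two different media")
    if not any(m["offsite"] for m in manifest):
        problems.append("no copy is stored offsite")
    if len({m["sha256"] for m in manifest if m["sha256"]}) > 1:
        problems.append("backup copies do not all have the same checksum")
    return problems


def restore_check(archive_path, expected_files) -> bool:
    """Extract an archive into a scratch directory and confirm the expected files are there."""
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive_path) as tar:
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(tmp, **kwargs)
        root = os.path.join(tmp, "data")
        found = set()
        for dirpath, _, files in os.walk(root):
            for f in files:
                found.add(os.path.relpath(os.path.join(dirpath, f), root))
        return found == set(expected_files)


def demo() -> dict:
    """Constructed sample run: a tiny 'books' folder, a 'USB drive' and a 'cloud' folder."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "books")
        os.makedirs(os.path.join(src, "hr"))
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("date,amount\n2024-01-01,100.00\n")  # constructed sample data
        with open(os.path.join(src, "hr", "payroll.txt"), "w") as f:
            f.write("constructed sample payroll record\n")
        usb = Destination(os.path.join(work, "usb"), "external_hdd", offsite=False)
        cloud = Destination(os.path.join(work, "cloud"), "cloud", offsite=True)
        full = make_backup_set(src, [usb, cloud], stamp="20240101T000000Z")
        partial = make_backup_set(src, [usb], stamp="20240101T000001Z")  # onsite only
        return {
            "full_problems": check_321(full),
            "partial_problems": check_321(partial),
            "restore_ok": restore_check(full[1]["path"], {"ledger.csv", "hr/payroll.txt"}),
        }


if __name__ == "__main__":
    print(demo())
```

`demo()` runs the routine twice: with an external drive plus a cloud folder it reports no violations, while the drive-only run is flagged for having too few copies and no offsite copy. The restore check matters as much as the copy itself; a backup you have never extracted is an assumption, not a safeguard.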
Cloud storage means relying on Internet-based service providers to hold your digital files, including important documents. It is increasingly popular, but is it right for you? If you use a cloud service, make sure it is reputable and review the company's policies and procedures for securing and backing up its servers. Encrypt sensitive documents and external drives yourself, before the data leaves your control, so that the provider (and anyone who breaches it) holds only unreadable ciphertext. Other considerations include:
- Consider the provider's own security controls and procedures. Look for features such as multi-factor authentication and strong password requirements. Does the company store copies of your data on servers in multiple geographic locations, so that a disaster in one area does not result in an irretrievable loss?
- Review the provider's service agreement. Make sure you understand how your data will be protected and what recourse you have in the event of a breach or loss. Know what happens when you delete a file: will it be completely removed from all servers and backups? If a government subpoena is issued, must the provider hand over your data?
Establish clear security policies and procedures and put them in writing for your employees. Cover topics such as handling sensitive information, appropriate use of the Internet and social media, and how to report suspected incidents and vulnerabilities. Spell out the consequences of failing to follow the policies. Train employees on the importance of cybersecurity, and make sure they understand the risks of phishing emails and the other manipulative tactics criminals use to trick staff into divulging confidential information or approving fraudulent payments.