The very idea of lost files or a data breach is enough to keep a small business owner up at night. While some security incidents are caused by intentional and malicious acts, countless others are the result of careless mistakes or poor planning.
Jack Newton, the CEO and co-founder of Clio, a Vancouver-based company that offers web-based practice management software for solo practitioners and small-to-medium sized law firms, offers six tips on how any type of small business can better protect its data from a security breach.
1. Communicate in the cloud
E-mail is the de facto communication channel for businesses of all sizes. However, e-mail is typically transmitted in unencrypted form, or at best with opportunistic server-to-server encryption that neither sender nor recipient can verify, making it vulnerable to eavesdropping in transit. Furthermore, when using an e-mail client, messages are automatically saved to disk and generally not encrypted, meaning they can be easily read by anyone with physical access to your phone, tablet, or computer.
The bottom line is that e-mail is prone to both eavesdropping and leaks via the theft or loss of physical devices. Even if you attempt to secure e-mail from your business’ end, you also have to consider what security measures are in place on your customer’s devices. How many consumers will have stringent security measures in place to safeguard their home laptop or phone?
Putting all communications in the cloud opens the door for two-way, encrypted communications and removes the local copy that a client application such as e-mail leaves on every device, which is the copy exposed by theft or loss. Password-protected web apps restrict access to authorized individuals, with the caveat that the protection is only as strong as those passwords: use a unique, strong password for the app and enable two-factor authentication where the provider offers it.
2. Use cloud storage
In many cases, the level of security offered by a cloud-computing provider is greater than the security you have on your in-house servers. This is particularly true for small to mid-sized businesses that don't have the financial or technical resources to properly secure servers. On-premise servers can be subject to numerous risks, including: fire, flood, theft, cleaning staff, even mistakes from a well-intending but inexperienced employee. When your data is stored in the cloud, it survives even if your entire office burns to the ground. Note that the provider secures the infrastructure, not your account: a weak or reused password still lets an attacker walk in through the front door.
Based on economy of scale alone, it’s more economical for cloud computing vendors to secure their systems from hackers, natural disasters, and other threats. More importantly, considering security has been the chief concern with cloud technology, cloud-computing vendors have extra incentive to put special emphasis on security from the start. After all, the future of their business, and industry as a whole, depends on it.
3. Use full disk encryption on all devices
Even if you store your data in the cloud, temporary files, browser caches, downloads, and other data may find their way onto your laptop, smartphone, or other device. For this reason, you should use a full disk encryption (FDE) solution that encrypts a system's entire hard drive, including the operating system, applications, and data. Consider FDE solutions from security vendors like Symantec, Check Point, McAfee, Sophos, and others. Also note that newer operating systems and mobile devices offer built-in FDE (BitLocker on Windows, FileVault 2 on OS X, and device encryption on iOS and Android, where the key is tied to the phone's hardware). Keep in mind that FDE only protects data at rest: once the device is booted and unlocked, the disk is readable, so pair it with a strong passphrase and an automatic screen lock.
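One check a practitioner wants after rolling out FDE is proof that every data-bearing filesystem actually sits on an encrypted device, not just the one the installer happened to encrypt. The script below is an added example (not Clio's or any vendor's tool) for Linux: it walks the device tree that `lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` prints and flags any mounted filesystem with no dm-crypt mapping above it. The embedded `lsblk` output is constructed for the example; the equivalent one-liners on other platforms are `fdesetup status` on OS X and `manage-bde -status` on Windows.

```python
"""Flag mounted filesystems that are not backed by an encrypted block device.

Added example, not part of the original article. Parses the JSON tree that
`lsblk --json -o NAME,TYPE,FSTYPE,MOUNTPOINT` emits on Linux.
"""
import json
import subprocess

# Constructed lsblk output for the example: the root filesystem lives on a
# LUKS/dm-crypt mapping, but a second drive is mounted at /data unencrypted.
SAMPLE_LSBLK = json.loads("""
{"blockdevices": [
  {"name": "nvme0n1", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "nvme0n1p1", "type": "part", "fstype": "vfat", "mountpoint": "/boot/efi"},
    {"name": "nvme0n1p2", "type": "part", "fstype": "crypto_LUKS", "mountpoint": null,
     "children": [
       {"name": "cryptroot", "type": "crypt", "fstype": "ext4", "mountpoint": "/"}]}]},
  {"name": "sdb", "type": "disk", "fstype": null, "mountpoint": null, "children": [
    {"name": "sdb1", "type": "part", "fstype": "ext4", "mountpoint": "/data"}]}
]}
""")

# Mount points that are expected to be cleartext (the bootloader must read them).
CLEARTEXT_OK = ("/boot", "/boot/efi")


def mounted_filesystems(tree):
    """Yield (mountpoint, encrypted) for every mounted filesystem in the tree.

    A filesystem counts as encrypted only if it, or an ancestor in the device
    tree, is a dm-crypt ("crypt") mapping. A LUKS container whose plaintext
    mapping is never opened has no mountpoint and is ignored.
    """
    def walk(node, under_crypt):
        under_crypt = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint"):
            yield node["mountpoint"], under_crypt
        for child in node.get("children", []):
            yield from walk(child, under_crypt)

    for device in tree["blockdevices"]:
        yield from walk(device, False)


def unencrypted_mounts(tree, ignore=CLEARTEXT_OK):
    """Return the sorted list of mount points that hold data in the clear."""
    return sorted(mp for mp, enc in mounted_filesystems(tree)
                  if not enc and mp not in ignore)


def live_lsblk_tree():
    """Run lsblk on the current host and return its parsed device tree."""
    out = subprocess.run(
        ["lsblk", "--json", "-o", "NAME,TYPE,FSTYPE,MOUNTPOINT"],
        capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Against the constructed sample, /data is the only unencrypted mount.
    print("sample:", unencrypted_mounts(SAMPLE_LSBLK))
    try:
        print("this host:", unencrypted_mounts(live_lsblk_tree()))
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("lsblk not available on this host")
```

The check treats the `/boot` partitions as acceptable cleartext because the bootloader has to read them; everything else mounted, including a swap partition if one is listed, should sit under a `crypt` node. An unencrypted swap partition deserves the same scrutiny as `/data`, since it can contain pages of whatever was in memory.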
4. Enable “remote wipe” on all mobile devices
What happens to your sensitive emails when you leave your smartphone behind in a taxi? A 2011 survey from Symantec found that 36 percent of U.S. consumers have had their cell phone lost or stolen.
To counter this risk you can provision a "remote wipe" that lets you remotely destroy data on a missing device. For example, iOS supports remote wipe commands through Find My iPhone or Exchange ActiveSync. Since the device must be connected to the Internet to respond to a remote wipe command, and a thief can simply keep it offline, you should consider enabling a passcode wipe as well (the "Erase Data" setting on iOS, which erases the device after ten failed passcode attempts). This means that if your PIN or passphrase is entered incorrectly enough times, the device will erase all user data, effectively keeping your data out of the hands of your phone's "new owner" even when a remote wipe never reaches it. Both measures assume a passcode is actually set, so enforce one on every device that holds business data.
5. Use a password manager
Any security expert will advise you to use a different password for each site or online service. This limits the damage when one site happens to be breached. For example, if you're a LinkedIn user who used the same password on multiple sites, you needed to change your password everywhere after the recent LinkedIn breach, in which a hacker posted around 6.5 million password hashes that were quickly being cracked. At the very least, be sure to use a unique password for any business apps or services where you may be handling sensitive information. If you're like most people and can't remember 30 different passwords, you can use a password manager like 1Password to store all your passwords in a vault encrypted under a single master passphrase. That master passphrase then becomes the one secret you must get right: make it long, make it unique, and never reuse it anywhere else.
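To make the "single secure key" concrete, here is an added example (not 1Password's or Clio's code) of the core of a password vault: random, unique per-site passwords are serialized and sealed under a key stretched from one master passphrase with PBKDF2, and the ciphertext carries an authentication tag so that a wrong passphrase or a tampered vault file is rejected rather than silently decrypting to garbage. The Python standard library has no AES, so the cipher layer is an HMAC-SHA256 counter-mode keystream used as a stand-in for AES-GCM; the key derivation, fresh salt and nonce, and encrypt-then-MAC structure are the parts worth copying. The iteration count and the example site names are assumptions for the demonstration.

```python
"""Minimal password vault: one master passphrase, one derived key, unique
per-site secrets. Added example, not code from any real password manager.
"""
import hashlib
import hmac
import json
import os
import secrets
import string

# Assumed parameters for the example; real managers tune the KDF much higher.
KDF_ITERATIONS = 200_000
SALT_LEN = 16     # random per vault, so equal passphrases give different keys
NONCE_LEN = 16    # random per seal(), so the keystream is never reused
TAG_LEN = 32      # HMAC-SHA256 output


def derive_key(master: str, salt: bytes) -> bytes:
    """Stretch the master passphrase with PBKDF2-HMAC-SHA256 so a stolen vault
    file cannot be brute-forced quickly. Returns 64 bytes: the first half is
    the encryption key, the second half a separate MAC key."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                               KDF_ITERATIONS, dklen=64)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream cipher built from HMAC-SHA256 (stand-in for AES-GCM
    because the stdlib has no block cipher). XOR is its own inverse, so the
    same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"),
                         hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def seal(master: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault. Layout: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_vault(master: str, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext; a wrong passphrase and a
    tampered file fail the same way, with no plaintext ever produced."""
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = blob[SALT_LEN + NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    key = derive_key(master, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("wrong master passphrase or vault has been tampered with")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext))


def generate_password(length: int = 20) -> str:
    """A fresh random password from a CSPRNG; no two sites share one."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def all_unique(entries: dict) -> bool:
    """True when no password in the vault is reused across sites."""
    return len(set(entries.values())) == len(entries)


if __name__ == "__main__":
    # Assumed example sites; each gets its own generated password.
    vault = {site: generate_password()
             for site in ("linkedin.com", "bank.example", "practice-app.example")}
    blob = seal("correct horse battery staple", vault)
    print("unique per site:", all_unique(vault))
    print("round trip ok:", open_vault("correct horse battery staple", blob) == vault)
```

Because every site gets its own generated password, a breach at one of them exposes nothing usable elsewhere, which is the whole point of the tip above. The vault file itself is only as strong as the master passphrase and the KDF cost, which is why the passphrase must be long and unique and the iteration count should be set as high as the login delay allows.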
6. Don’t be resistant to change
One common mistake is thinking that it’s safer to stick with the known (flaws and all) than venture into a new process or system. However, these legacy procedures can pose big problems. Let’s consider the legal world. It’s an industry where privacy is imperative, yet faxing is still a common communication method.
Think about the last time you sent a fax, perhaps a legal document containing your social security number. Did you wonder where your information was going? How long would it sit in the fax tray, and how many hands would it cross before ending up at its intended recipient? The moral of the story is that sometimes we all need to embrace change, as it's the only way we can hope to stay abreast of the latest improvements in security.