Cybersecurity is an issue that's probably on the mind of every business owner. The growing list of corporate data breaches, coupled with the more-secure EMV credit card chip technology that emerged last year, has made businesses and consumers alike highly aware of the security risks that exist in today's world.
Despite numerous studies and statistics on hackers targeting small businesses, many owners still have an "it won't happen to me" attitude about security. This is a dangerous way of thinking that could ultimately leave your business open to a whole host of potential risks.
"Many small business owners underestimate how vulnerable they are to security threats," said Sanjay Castelino, vice president of marketing at Spiceworks, a provider of information technology solutions. "Our recent IT security report shows business owners are facing a number of threats from malware to phishing to ransomware, and the attackers range from lone hackers to rogue employees. Once [a business is] successfully attacked, earning back customer trust and fixing the damage is often too costly for small companies."
This problem is compounded by the fact that, unlike midsize and larger companies, small businesses don't have room in their budget for an on-staff IT professional. But the lack of an IT department is no excuse to let your business data go unprotected. Business News Daily spoke with security and technology experts about what entrepreneurs who take the "DIY" approach need to know about IT data management.
Why data management matters
Your business likely consumes and analyzes a steady stream of data from various sources every day. But what happens to all that data when you're done with it? Many small business owners might not think about this "discarded data," especially when they have access to large amounts of cloud storage to house it all. But Sam Pfeifle, publications director at the International Association of Privacy Professionals (IAPP), said that unused information that's just sitting around can become more of a liability than an asset.
"Sometimes, businesses err on the side of overcollecting, figuring they'll find a use for the information later, and that storage is cheap," Pfeifle said. "The first rule of breach prevention is that you can't lose what you don't have, [so] don't collect any information that you don't have a specific business purpose for."
That's why it's so important for any business to have a data management strategy in place, regardless of whether or not it has an IT department. Unencrypted files, poor password practices and even unsecured physical documents pose a threat to your business's security, Pfeifle said, and you need a solid plan for all the data you collect.
"Destroy data you're no longer using," Pfeifle told Business News Daily. "It's relatively easy to do a regular inventory of the data you have on hand. Have you accessed that data recently? Do you have a plan to use it in the future? Is it necessary to fulfill a contractual or regulatory obligation? [If not], then get rid of it."
Chris Roach, managing director and national IT practice leader for CBIZ Risk & Advisory Services, agreed that businesses need to be crystal-clear about what data is most critical to their organization and their customers.
"Once you know this, you can establish controls to ensure this data is secure and recoverable," Roach said. "To maintain a secure IT system, small business owners must train employees, vendors and customers about the acceptable use of company assets and what to do if something does not appear correct."
In house or outsource?
When you're deciding how to handle your business's IT data, you have two choices: You can keep it in house by delegating IT-related tasks to your savviest employees (or adding them to your own plate), or you can outsource it to a freelance consultant or security company. Depending on your budget, you may end up with a combination of both, but the question then becomes: Which items should you entrust to an outside party?
The answer depends heavily on what your business's primary function and goals are, as well as which IT processes directly impact your operations. John Swanciger, CEO of small business community Manta, said that things like customer relationship management (CRM) would be smart for most businesses to manage internally. This way, they can be in complete control of all interactions with current or prospective customers. Larger tasks such as infrastructure management or cloud hosting might be better off in someone else's hands, he said.
"Not only does this reduce the hours spent on IT management, it also reduces risk that something could go awry," Swanciger said. "With all of the data breaches in the news recently, small business owners should be wary about mismanaging internal and customer information."
If security isn't your strong suit, this crucial task should also be outsourced to a seasoned expert, said Sanjay Castelino, vice president of marketing at Spiceworks, a provider of IT solutions.
"When it comes to monitoring network activity and identifying threats on a day-to-day basis, small business owners often lack the time, know-how and internal resources they need to get the job done," Castelino said. "A security consultant can help decide what tools a small business needs and conduct a security audit to take a comprehensive look at all entry points and identify any vulnerable areas the company should address."
"Spend money on a specialist to establish a basic cybersecurity plan and business recovery plan," Roach added. "[This person] can ensure you are meeting regulatory compliance requirements and will provide valuable insight into your risks and requirements."
Roach also noted that any third parties you work with should be committed to and accountable for protecting your data, because if something goes wrong, your business will ultimately take the heat.
"Outsourcing IT functions or utilizing cloud services does not transfer your responsibility for protecting critical corporate or client data," Roach said. "Do your due diligence when engaging vendors and validate controls annually."
Best IT practices
Whether you're handling it yourself or using a third-party company, our expert sources offered their advice for protecting and managing your small business's IT data.
Educate your employees. "Small business owners should take ownership of ensuring employees understand the importance of protecting their and the company's information through common-sense practices," Spiceworks' Castelino said. "[Providing] best practices and instilling a mindset that everyone in the company is responsible for IT security."
Encrypt and/or password-protect everything. "Whether it's your phone, your laptop or your desktop computer, always password-protect it," said Pfeifle, of IAPP. "You don't want to know how many breaches are caused each year by phones that are left wide open because people want it to be easy for their small child to get to the games they like to play or watch videos."
On a similar note, Pfeifle reminded business owners to require password changes periodically for current employees, and immediately for exiting employees.
"One of the biggest [security] blind spots is former employees," Pfeifle said. "If an employee leaves the business for any reason, all of the passwords need to be changed immediately, and make sure they don't download information on their way out the door."
Always download updates and patches. "The biggest misconception is that your company can be protected by a single product," Castelino said. "Malware, ransomware and phishing schemes aren't going away anytime soon, and they're likely to get more sophisticated in the coming years. If you keep your systems updated and continue to educate employees about how to mitigate risks, you'll be better-equipped to turn the weaknesses attackers exploit into smart defenses."
Be realistic about your resources. "Use the available tech tools to your advantage and at a cost that makes sense," said Manta's Swanciger. "If it's taking too much time to list your small business on hundreds of small business directories, outsource that responsibility. If you feel comfortable designing your e-commerce site, go ahead and try it. Just be prepared to ask — and pay for — help when you need it."