Preventing data breaches: A small business guide
Worldpay Editorial Team
July 24, 2019
Did you know that every business is at risk of experiencing a data breach – regardless of size? Contrary to perception that they're too small to be targeted, small businesses are commonly victims of cyberattacks.
Criminals aren't necessarily looking for the biggest score; they're simply seeking the path of least resistance. That path is often opened by small businesses that don't believe they're a target and don't take proper precautions.
Like locking up at night, small business owners should make data security part of the regular routine. In this guide, we'll examine data breaches from the perspective of small businesses: why they happen, the implications for businesses like yours and, most importantly, how to reduce the risks to your business.
The costs and causes of data breaches
Many businesses fail to plan for a potential data breach. The results can be financially devastating. Exactly how devastating? IBM’s 2022 Cost of a Data Breach Report, which features research by Ponemon Institute, found that the average cost of a data breach has reached an all-time high. It reports that the average cost climbed from USD $4.24 million in 2021 to USD $4.35 million in 2022 (a 2.6% increase) – but that’s a 12.7% jump from USD $3.86 million in 2020. They also note that the financial damages a breach inflicts can be equivalent to the total value of a small business.
Small businesses are vulnerable to data breaches for a three key reasons:
- Small businesses tend to think they are too small to be a target. Nearly 87% of small business owners believe they are not at risk for a data breach.
- Small businesses often lack the time, resources and know-how to implement measures to protect themselves.
- Small businesses typically take longer to detect a breach quickly enough after one occurs.
Unpacking the costs of a data breach
If your business is the victim of a data breach, the costs you will incur to resolve the situation span many areas including the following:
- Notification costs that include creating customer contact lists, mail and email communication procedures, postage costs, consultant fees and more.
- Forensic investigations to determine the source and reach of a breach. Depending on their individual rules and thresholds, the payment brands and acquirers require engaging the expertise of a Payment Card Industry Forensics Investigator.
- Industry fines and penalties may include those from the PCI Security Standards Council, the payment card associations, government offices and the merchant's own financial institution.
- Card replacement, credit monitoring and identity theft repair. In many cases, a business may have to pay the cost of reissuing credit and debit cards to customers whose personal data was compromised.
- Depending on the source of the breach, a merchant may have to pay to upgrade or replace their POS system, payment software and hardware, server and related peripherals in order to prevent future breaches.
- After other post-breach activities have been performed, merchants are often required to implement additional security monitoring services that ensure ongoing PCI compliance.
Perhaps the most significant cost of a data breach is the hardest to quantify: the loss of trust. When customers patronize a business, they trust that their sensitive payment information will be kept safe and secure. Businesses that are victims of a data breach risk damaging the reputation that they've built with their customers.
How can small businesses prevent a data breach?
While there's no single silver bullet, there are a variety of strategies to help reduce your risk of becoming a victim. The following are 10 small business best practice processes, technologies and strategies to protect your business from a data breach.
#1 – Develop a comprehensive cybersecurity plan.
Criminals seeking to breach your systems are sophisticated and organized. The threats they pose demand a plan in response. Small business cybersecurity plans don't need to be elaborate or expensive, but they should be tailored to fit the unique needs of each individual business. Enlist the help of a cybersecurity expert when possible. Start with the big picture and work down to the details.
#2 – Install and maintain anti-virus software that can protect your business systems from viruses and malware.
Malware (malicious software) attempts to damage, disable or disrupt computer systems. Installing and maintaining the latest version of antivirus software is a common sense, inexpensive best practice that should be followed on all of your business systems and access points.
#3 – Regularly update all software including applications, browsers and operating systems.
Software providers are continually upgrading their software in response to specific security vulnerabilities as they are uncovered. These efforts are of little use if the updates aren't installed on your systems. Conducting routine updates of all business software will ensure that you have the latest defenses.
#4 – Create a regular data backup routine in order to reduce the vulnerability of your business to ransomware attacks.
Data breaches are no longer limited to the unauthorized exposure of confidential data. Ransomware is a type of malware that criminals use to block your access to your own data. Criminals will then demand payment to release or unlock your data.
Ransomware attacks can cripple business operations. Imagine not being able to access your customer or accounting databases for an extended period of time. The best defense against ransomware is developing a comprehensive data backup and recovery procedure that safeguards your essential data off-site.
#5 – Conduct ongoing security training for your staff.
Fraudsters target our human vulnerabilities as the likely weakest link in any system. Introducing simple, consistent, easy-to-follow security measures to the regular trainings and routines of your staff will help keep your business safe.
Protect confidential data by limiting access to internal systems and data on a need-to-know basis. You needn't train your entire staff to become cybersecurity experts, but anyone with any system access should be trained in basic security measures.
#6 – Implement strong authentication for all system access.
Complex passwords are a must. Poor password management leaves individuals and businesses extremely vulnerable to data breaches, account takeover and other forms of system penetration.
Strong passwords and password management practices are important as a minimum baseline. Even the best password management practices can be broken by determined attackers. The cutting edge of security is seeking to solve the password problem through multifactor and biometric authentication.
#7 – Follow wireless security best practices.
Wireless networks open many doors for small businesses, but easy access to systems can be a double-edged sword. Far too often, the unprotected wireless system of a small business is the door criminals seek.
Following a few simple wireless security best practices is time well spent. Be sure to disable remote logins to wireless networks as they pose unnecessary security risks.
#8 – Establish strong physical security procedures.
Securing your digital assets is a necessary but not sufficient condition for keeping your business safe. You need to safeguard your physical assets as well.
The threats from data breaches and other cybercrimes have created a new layer of security concern for the small business owner. It's critical that this new threat doesn't divert attention from old-fashioned physical security.
#9 – Become complaint with PCI-DSS.
Payments data is among the most highly priced data that cybercriminals seek. If you accept credit and debit cards, you'll need to become compliant with the Payment Card Industry Data Security Standards.
Following PCI-DSS compliance for the possession, transmission and storage of credit card data is more than an obligation – it can protect your business from the costly consequences of a data breach. Develop strong data encryption routines both “at rest” and “in motion.” Employing the latest encryption and tokenization technologies will help reduce the scope of PCI compliance, reducing costs.
#10 – Partner with a credit card processor who understands small business security.
Credit card processing is often viewed as a commodity business that serves an essential function, much like an electric utility. That's changing. Small business owners are learning that credit card processing companies are differentiated by many factors including reliability, price, customer service and, critically, defenses against a wide array of security threats.
FIS® is a payment technology leader that can help protect your business with secure transactions that minimize fraud and reduce risk. Connect with one of our payment security experts today to learn how FIS can help your business reduce the risks of a data breach.