Procurement · 11 June 2021

How to protect your business from a data breach


No business can afford to neglect their cybersecurity. Whether you run a small business or have a rapidly growing enterprise, protecting your own data and the data entrusted to you by your partners and clients should be one of your top priorities.

A data breach occurs when information is accessed, disclosed, altered, lost or destroyed without the owner's permission, whether by accident or deliberately. Because information about a person is personal and private, and because its misuse can cause emotional and financial harm, deliberate breaches are treated as serious crimes. Perpetrators can use personal information to harass victims, steal identities, steal money, or commit any number of other crimes.

As a business, it is your responsibility to protect any data that you store. This includes your own data as well as information about your customers and partners. Just as you would secure any physical files in locked cabinets and rooms, so any digital files and folders need to be properly safeguarded against misuse.

The digital age has made collecting and storing data easier than ever, but it has also made illegally accessing and stealing data from anywhere in the world a lot easier. Security companies work constantly to keep up with the growing demand for protection from hackers and scammers. You can’t afford to take cybersecurity lightly.


How do data breaches happen?

Information is worth a lot of money. It can be used for something simple like marketing or can be more harmful in the use of identity theft and bank fraud. Regardless of the type of data, thieves can make a lot of money from stealing information. There have also been cases of disgruntled employees taking revenge by leaking data to open companies up to lawsuits.

Some data breaches are accidental, such as sending an email with personal information to the wrong address, but a lot are malicious. Both of these can be dangerous and you need to watch out for any form of data breach.

Generally, data breaches happen under one of four conditions: a system weakness, a user error, an inadequately guarded network, or a targeted attack. Breaking these down, you can see how each one takes advantage of a weak spot.

System weaknesses are caused by outdated or faulty software that fails to protect data. Because new attack techniques and newly discovered bugs appear so quickly, you need to keep all of your software up to date, not just the security products but operating systems, web servers, browsers and plugins too, so that known holes are closed before they are used against you.

User errors can also be problematic. People will make mistakes, so you need to put safeguards in place to stop human error from causing data leaks. Weak passwords are one of the easiest ways for attackers to gain access to information. Despite this, most people still opt for simple, memorable, short passwords, and reuse them across sites. Attackers do not guess these by hand: they run automated tools that try millions of common passwords, and lists of passwords stolen in earlier breaches, against your login pages.

Network insecurity is another big area of risk. Opening compromised websites, plugging in external devices such as USB drives, or clicking on questionable links can all introduce malicious software onto your computer. Often this software goes undetected while it collects your data. When the infection happens simply because someone visited a booby-trapped website, with no download deliberately accepted, it is called a "drive-by download": all it takes is for a user to drive by the wrong site.

Targeted attacks are usually the most dangerous of all because the attackers are after specific information from a specific organisation. They will use social engineering, phishing, or exploitation of software flaws to gain access. Targeted attacks are often disguised as links or emails from trusted sources, or as trustworthy websites. Having the right security training and software is vital in protecting against this kind of attack.


How can a company protect against a data breach?

With so much at stake, companies need to take every measure they can to ensure they are protected against data breaches. There are a lot of simple measures that can be put in place to offer protection, including training for staff and secure password requirements. More complex systems can also be used to protect data.

1. Passwords

As already discussed, this is one of the easiest ways to protect against data breaches. Build password requirements into company systems so that every password has to meet certain criteria. Length matters most: require at least 12 characters (letters, numbers and symbols all count), and reject passwords built from repeated or consecutive characters (such as "aaa" or "1234"). Mixing uppercase, lowercase, numbers and symbols helps, but a long passphrase beats a short complex password, and the single most effective check is to reject any password that already appears in a list of passwords exposed in previous breaches, because those are the first ones attackers try. Encourage staff to use a password manager so that long, unique passwords are practical. This is a basic level of protection, but it blocks most password-guessing attacks.
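The kind of check described above, as an added example that is not code from the original article. It enforces the stated criteria (length, character mix, no repeated or consecutive runs) and screens candidates against a breached-password list. The breached list here is a constructed three-entry set standing in for a real offline corpus, and the SHA-1 prefix lookup mirrors the range-query style used by public breached-password services; both are assumptions for illustration.

```python
"""Password policy check with breached-password screening (added example)."""
import hashlib
import re
from typing import List

MIN_LENGTH = 12

# Constructed sample of known-breached passwords, stored as upper-case SHA-1
# hex so the plaintexts never sit in the policy code. Assumption: in a real
# deployment this would be a full offline corpus, not three entries.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123!", "Welcome2021!", "Summer2021!!")
}


def _has_repeat(pw: str, run: int = 3) -> bool:
    """True if any character appears `run` or more times in a row, e.g. 'aaa'."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _has_sequence(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive code points ascend or descend, e.g. 'abc', '321'."""
    for i in range(len(pw) - run + 1):
        chunk = [ord(c) for c in pw[i:i + run]]
        diffs = {chunk[j + 1] - chunk[j] for j in range(run - 1)}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def _is_breached(pw: str) -> bool:
    """Range-style lookup: match on the 5-char hash prefix, then compare suffixes.

    Against a remote service only the prefix would leave the machine; here the
    'service' is the constructed set above.
    """
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    candidates = {h[5:] for h in _BREACHED_SHA1 if h.startswith(prefix)}
    return suffix in candidates


def check_password(pw: str) -> List[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no symbol")
    if _has_repeat(pw):
        problems.append("repeated character run")
    if _has_sequence(pw):
        problems.append("consecutive character sequence")
    if _is_breached(pw):
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "short1A!", "Gr4ph!te-Kettle9"):
        print(candidate, "->", check_password(candidate) or "accepted")
```

"Password123!" satisfies every composition rule and is still rejected twice: it contains the run "123" and it is in the breached list. That is the point of the screening step; composition rules alone would have let it through.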

Two-factor authentication (2FA) is also useful: a second device or app receives or generates a one-time code that you then enter alongside your password. This ensures that even if a password has been stolen or guessed, the attacker would also need the second device. Codes generated by an authenticator app, or a hardware security key, are preferable to codes sent by SMS, which can be intercepted or redirected to a phone the attacker controls.
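How the code on the second device is produced and checked, as an added example rather than code from the original article. It implements the standard time-based one-time password scheme (HOTP per RFC 4226, TOTP per RFC 6238) that authenticator apps use: both sides share a secret, the app derives a short code from the secret and the current 30-second time window, and the server recomputes it. The server-side verifier also handles two things the paragraph does not show: a small allowance for clock drift, and rejection of a code that has already been used. The shared secret below is the RFC test-vector secret, chosen so the output can be checked against published values.

```python
"""TOTP generation and verification (added example, RFC 4226 / RFC 6238)."""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password for a given counter value (RFC 4226)."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: HOTP over the number of `step`-second windows since the epoch."""
    return hotp(secret, at // step, digits)


class TotpVerifier:
    """Server side. Accepts `skew` windows either side of 'now' and refuses reuse."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self._last_counter = -1   # highest window already consumed

    def verify(self, code: str, now: int) -> bool:
        counter = now // self.step
        for c in range(counter - self.skew, counter + self.skew + 1):
            if c <= self._last_counter:
                continue          # already used, or older than a used code: replay
            expected = hotp(self.secret, c, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self._last_counter = c
                return True
        return False


# Shared secret from the RFC 4226/6238 test vectors (ASCII "12345678901234567890").
# Assumption: a real enrolment would generate a random secret per user.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    server = TotpVerifier(DEMO_SECRET)
    print("code:", code, "first use:", server.verify(code, now), "replay:", server.verify(code, now))
```

The `_last_counter` bookkeeping is what stops a code captured over someone's shoulder from being replayed within the same window; without it, a 30-second code is reusable for 30 seconds.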

2. Encryption

A lot of software comes with encryption built in now. Encryption scrambles data so that only someone holding the right key can read it; anyone who intercepts the message sees only ciphertext. Whenever you send information, use an encrypted channel (for example a website or service that connects over HTTPS/TLS) or encrypt the file itself before attaching it, and share the key or password through a different route from the file.

Storage should also be encrypted, so that if someone steals a laptop, a backup drive or a copy of the database, the data is unusable to them without the key. Be clear about what encryption at rest does and does not cover: it protects against stolen media, but not against an attacker who logs in with a valid account, because the system decrypts the data for any authorised user. Keep the keys separate from the data they protect and control who can use them.

3. Education

Because you will have employees working with client and partner data, it is vital that they have the correct training on properly handling data. Proper training will include information on:

–          What is classified as personally identifiable information

–          What information you should gather

–          What information you are not allowed to have

–          How to safely store data

–          How to safely remove or delete data

–          How to safely transfer data

–          How to set up a secure password

–          What red flags to look out for on websites or emails that could indicate dangerous activity

–          What to do if there is a suspected data breach

4. Software

Invest in good quality, trustworthy antivirus, anti-malware, and firewall software. The right software will detect many known threats to your system and block websites that are known to be dangerous or carry suspicious code. No product catches everything, so treat it as one layer alongside updates, training and access controls.

Security software is often developed with special features in place for different business or individual requirements. Doing your research beforehand and finding the right software for the kind of work you do could end up saving you a lot of time and stress.

The other advantage of getting good software is that software developers will be working on updates constantly. Provided you keep your software updated, new patches and technology will be used constantly in protecting your data.

5. Hire an expert

Your business needs you to be focusing on the industry and on business growth and health. Tech security is a niche area of expertise and learning as much as you can will only be able to get you so far. If you are serious about improving your cybersecurity, then one of the best things you can do is hire a cybersecurity specialist.

Specialists will be able to identify areas of weakness, advise on staying protected, and recommend and install any software your business might need.

Make sure that you do your research before hiring an expert. You will want someone with demonstrable results who comes with good recommendations. After all, they will be handling all of your data as well.

6. Keep your accounts separate

This is especially important for smaller businesses. If you are just starting out the temptation is to use your personal email address, subscriptions, and bank details. Unfortunately, this can pose a risk to you, your business, and your clients. By keeping your personal and business accounts separate, you ensure that even if one account is compromised, the other is still safe.

People often get careless with their own information, especially if every website requires your email address. Accidentally allowing your personal data to be accessed is bad, but having it lead to a full business data breach could be catastrophic. Get a secure email and bank account for your business as a point of priority.

7. Internal protection

The majority of data breaches are not sophisticated high-tech attacks. Many occur because employees have access to more information than they need and accidentally leak it or misuse it. Avoid internal leaks that could lead to lost time and money by regularly checking access within your business. Give each person only the access their role requires (the principle of least privilege), share files only with the people who need them and only for as long as they need them, and remove access promptly when someone changes role or leaves. Check who can reach protected folders regularly, and review access logs to make sure they are not being opened by the wrong people. Make it policy not to share accounts or passwords, so that every action can be traced to one person, and reset passwords whenever you suspect they have been exposed.
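What the regular check described above looks like when automated, as an added example that is not code from the original article. It reviews a list of folder-sharing grants for the problems the paragraph names (shares open to everyone, grants that have expired, accounts no longer in the staff directory, people with access to another department's share) and then reads an access log to flag openings by the wrong people. The share ownership table, staff directory, grants and log lines are all constructed sample data; the log format "<date> <time> <user> <path>" is an assumption and would be adapted to whatever your file server writes.

```python
"""Least-privilege access review over constructed share grants and a file-server log (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Grant:
    path: str                 # shared folder
    principal: str            # a user name, or the catch-all group "Everyone"
    expires: Optional[date]   # None means no end date was ever set


# Constructed sample data (assumption: illustrative only, not a real system).
# Which department owns each share; None means genuinely company-wide.
SHARE_OWNER: Dict[str, Optional[str]] = {
    "/shares/finance": "finance",
    "/shares/hr": "hr",
    "/shares/all-staff": None,
}
# Current staff directory, user -> department.
STAFF: Dict[str, str] = {"alice": "finance", "bob": "hr", "carol": "sales"}
GRANTS: List[Grant] = [
    Grant("/shares/finance", "alice", None),
    Grant("/shares/finance", "Everyone", None),      # over-shared
    Grant("/shares/hr", "bob", None),
    Grant("/shares/hr", "dave", date(2021, 5, 31)),   # contractor whose access lapsed
    Grant("/shares/all-staff", "Everyone", None),    # fine: company-wide share
]
# Constructed file-server access log, one line per file opened.
ACCESS_LOG = [
    "2021-06-10 09:12:01 alice /shares/finance/payroll.xlsx",
    "2021-06-10 09:15:44 carol /shares/hr/contracts/offer-letters.docx",
    "2021-06-10 10:02:13 bob /shares/hr/contracts/offer-letters.docx",
    "2021-06-10 11:40:59 erin /shares/finance/budget.xlsx",
]


def review_grants(grants: List[Grant], share_owner: Dict[str, Optional[str]],
                  staff: Dict[str, str], today: date) -> List[str]:
    """Flag grants that give more access than the owning department intends."""
    findings: List[str] = []
    for g in grants:
        owner = share_owner.get(g.path)
        if g.principal == "Everyone":
            if owner is not None:
                findings.append(f"{g.path}: shared with Everyone but owned by {owner}")
            continue
        if g.expires is not None and g.expires < today:
            findings.append(f"{g.path}: grant to {g.principal} expired {g.expires}")
        if g.principal not in staff:
            findings.append(f"{g.path}: grant to {g.principal}, who is not in the staff directory")
        elif owner is not None and staff[g.principal] != owner:
            findings.append(f"{g.path}: {g.principal} ({staff[g.principal]}) can access a {owner} share")
    return findings


def review_access_log(lines: List[str], share_owner: Dict[str, Optional[str]],
                      staff: Dict[str, str]) -> List[str]:
    """Flag file openings by unknown accounts or by staff outside the owning department."""
    findings: List[str] = []
    for line in lines:
        _day, _time, user, path = line.split(" ", 3)
        share = next((s for s in share_owner if path.startswith(s + "/")), None)
        owner = share_owner.get(share) if share else None
        if user not in staff:
            findings.append(f"{path}: opened by unknown account {user}")
        elif owner is not None and staff[user] != owner:
            findings.append(f"{path}: opened by {user} ({staff[user]}) outside {owner}")
    return findings


if __name__ == "__main__":
    for f in review_grants(GRANTS, SHARE_OWNER, STAFF, date(2021, 6, 11)):
        print("GRANT  ", f)
    for f in review_access_log(ACCESS_LOG, SHARE_OWNER, STAFF):
        print("ACCESS ", f)
```

The two reviews answer different questions: the grant review finds access that should not exist, the log review finds access that was actually used. Both matter; a leaver's account that still has a grant is a finding even before anyone uses it.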

8. Test and audit

Conducting regular tests, checks, and audits on your cybersecurity (for example vulnerability scans, penetration tests and access reviews) can help you prevent a data breach. Keep records of these tests: if something is leaked, they are evidence that you took reasonable precautions to protect the data you store and use, which the regulator will ask about.

Can companies be sued for data breach?

Yes. Companies are responsible for keeping the information entrusted to them by clients and partners safe. Both individuals and businesses can bring legal action against a business whose mishandling of their personal information has caused them harm, and can claim compensation for financial loss and for distress.

Because cyber crime is relatively new to the field of law and because it is constantly changing, there are a lot of places where there is no precedent. Don’t take this to mean that you are not liable. Over the past few years big companies have taken huge hits when bank records, medical records, and other personal data have been leaked. In some cases the breaches are an inconvenience because they lead to spam emails, but there are cases where a data breach has led to families needing to relocate and change their lives. For this reason, courts look seriously upon data breaches and are likely to hold businesses to account in most cases.

You also shouldn't think that ignorance is an excuse. As a business, you are required to understand how to protect the information you are gathering and using. Everything you do will need to fall in line with the UK GDPR and the Data Protection Act 2018 (the UK's data protection law, which kept the GDPR's rules after the UK left the EU), so make sure you are familiar with them and the ramifications for your business.


What should a company do after a data breach?

If you are the unfortunate victim of a data breach, you should act as quickly as possible. The faster you act, the less damage is likely to be done. If you have an IT specialist then you should contact them immediately as they will be able to help you with these next steps.

1. Isolate

Disconnect affected systems from the network (pull the cable, disable the Wi-Fi or block them at the firewall) and, if possible, isolate any compromised servers. Prefer disconnecting to switching machines off: powering down destroys evidence held in memory that an investigator will need, and a wiped or rebuilt machine cannot be examined afterwards. Stopping network flow limits the damage and can halt data transfers that are still in progress. Keep copies of logs and, where you can, a disk image of affected systems before anything is changed.

2. Assess the damage

You will need to ascertain exactly what information has been accessed, how much, when and by whom; system, server and firewall logs are your main source for this, so make sure they are preserved. If any information has been removed or altered, make sure you know where your backups are stored and confirm they predate the intrusion, so that you can restore your system once it is safe from attackers without restoring the attacker's access along with the data.

3. Fix the problem

Once you have assessed the damage, you should also have a better idea of where and how the breach took place. Address the root cause immediately and apply whatever fix is necessary (a patch, a configuration change, a closed account) to prevent the breach from happening again. Assume the attacker kept any password or key they could have seen: reset affected credentials, rotate keys and API tokens, and sign out active sessions. You may need to suspend employee access for a period while you confirm the data is safe.

Once you have applied your fix, test it to make sure there is no longer a security risk.

4. Inform

Under the UK GDPR you must report a personal data breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the people affected; if you decide not to report, record why. Where the breach is likely to result in a high risk to those people, you must also tell them without undue delay. The ICO will want to follow up and ensure you have taken all reasonable precautions to protect the people whose data you use.

You should also be honest and up-front with your clients. Tell them what data has been breached, what steps you have taken to rectify the situation, and be courteous and kind. Remember that this could be traumatic for them as well and taking care of your clients will help to regain trust.

5. Strengthen your system

Once you have alerted authorities, staff, and clients, and after you have put fixes in place, you should spend time firming up your security and looking at ways to ensure a data breach never happens again.
