Data security is becoming one of the defining issues of the 21st century. As technology advances, so does the risk to companies' data, and retail giants such as Target, Michaels, and Home Depot have already suffered high-profile data breaches. They were not simply outmatched by criminal hackers; they had unwittingly left themselves vulnerable. Most small and medium-sized businesses would be driven into bankruptcy by the fines that follow such a breach, but these companies are far too large, and have too many lawyers in their corner, for that to happen.
It is not only data security that affects small and medium-sized businesses. The rules governing data compliance also haunt them, particularly in highly regulated sectors or when their clients are government contractors. More than ever, small and medium-sized businesses face an uphill challenge in a world that is both technologically advanced and exposed. What are the most common data security mistakes, and how can you avoid them? Here are the top three data vulnerabilities.
Personal email policies
One of the most high-profile scandals to hit the headlines concerns Hillary Clinton, who was found to have used her personal email address and a server at her home for official government business. The story took centre stage after The New York Times reported on her email habits while she was U.S. Secretary of State.
According to reports in the New York Times and other news outlets, Hillary Clinton used her own personal email address, hosted on an email server located at her home, for all her official Department of State correspondence. This included emails containing very sensitive and confidential government information. Some of Hillary Clinton's aides also used her private email server to conduct official business.
The scandal highlights the data security, privacy, and compliance concerns that arise when personal email systems are used for workplace correspondence. The first thing to note is that an employee's personal email account may be unsafe, or their computer not properly secured, so hacking and data breaches become a serious concern. Sending customer information over a personal email system can easily violate data privacy regulations that the employer is required to follow. This matters most in highly regulated government and financial sectors, where such behaviour can readily result in a fine or further penalties.
It is important to be clear, within your business, about how company email and personal email may be used, both at work and outside it. This should be conveyed through training that covers the data compliance obligations the business faces and why the separation matters. If an employee uses their own device to conduct work outside the office, the IT department should configure that device to match the systems and policies of the business, so that work and personal data are not inadvertently mixed. It is also reasonable to allow employees to access personal email inside the workplace during lunch breaks, which is good for morale and draws a clear line around how personal email is used at work.
Cloud Computing Guidelines
The cloud has enabled users to run their businesses more easily than ever before. However, the simplicity of the cloud can turn into a storm of trouble for any small or medium-sized business that throws caution to the wind when signing a cloud computing contract. A typical cloud service level agreement (SLA) contains numerous policies and guidelines that must be followed, covering compliance obligations, privacy risks, and data security.
If you store your customers' data in the cloud, it can be difficult to track that data and to pinpoint where geographically it lives. This creates uncertainty about which state's or country's laws apply and which regulations your clients' data is subject to. It is important that your cloud service provider's SLA spells this out completely, so that you can ensure compliance with national and international laws and limit your potential liabilities.
For regulated industries such as healthcare and financial services, it is your responsibility as a small business owner to ensure that the cloud provider complies with the relevant laws and standards that govern your industry. This should be done well in advance of signing up to a cloud service. Many cloud providers cannot guarantee their compliance, often for complex technical reasons, and you need to be aware of this before you commit.
A good SLA from your cloud provider will address and mitigate the risk of a data compliance failure, including details of how and when customers are notified in the event of a data breach or loss. For added protection, make sure the agreement spells out who holds and controls the encryption keys for data stored in the cloud; keys the provider holds are keys the provider (or anyone who compromises it) can use, so ideally you hold them yourself. You also have to review SLAs with regard to performance. A contractual guarantee of 99.9% uptime still leaves room for nearly 9 hours of downtime every year, and cloud providers may define the terms uptime and downtime differently from how their customers understand them.
Using cyber insurance
A data compromise can be very expensive for a small or medium-sized business. In 2014 the Ponemon Institute reported that the average cost of a data breach to a business had increased 15% since 2013, to around $3.5 million. Larger-than-average breaches are far worse. Research by Gartner indicated that more than 90% of businesses that suffer a major data loss or breach go out of business within 2 years, and that about half of that group cease trading immediately.
Every small business should seek to insure its valuable, mission-critical data. Cyber insurance is becoming increasingly common among firms that hold customer data and bear responsibility for it. When applying for cyber insurance, your business will be required to undergo a number of invasive security evaluation procedures that reveal the true state of your company's infrastructure protection and internal policies.