Five Tips for Protecting Customer Data
A data breach could have severe consequences for a small business. Losing customer credit card data or employees' personal data could lead to loss of trust at best and legal action and hefty fines at worst.
Cyberattacks are indiscriminate and hit all sectors of the business world. Small business owners must practice as much diligence as a multinational corporation to prevent hackers from seizing their data.
A small business doesn't need the expensive custom-programmed firewalls that a big corporation installs around its servers. You can keep your business data secure with a few common-sense techniques and basic cybersecurity measures. Compliance with data regulations will keep your information from falling into the wrong hands.
PCI DSS Compliance
You must be PCI DSS compliant if your business takes credit card information. All businesses that accept major credit cards (Visa, Mastercard, American Express, or Discover) must comply with the Payment Card Industry Data Security Standard (PCI DSS). This complex process involves:
- Identifying weak points in the data collection system
- Repairing and correcting problems
- Reporting to PCI, banks, and credit card companies
PCI DSS compliance alone can ensure that much of your customer information is safe, because the reporting process requires a thorough review of how card data is collected, stored, and handled.
General Data Protection Regulation
General Data Protection Regulation (GDPR) is a collection of data security measures. It went into effect in the European Union in 2018. Any company doing business anywhere in the EU must be GDPR compliant or face stiff fines. There are exceptions for personal use and businesses smaller than 250 people. But if you collect and maintain customer data or advertise in a way intended to be seen by viewers in the EU, you should be GDPR compliant. Check the GDPR website or consult a business law attorney if you need clarification.
Avoiding Security Risks in Daily Operations
Other than these requirements, what should a small business do to avoid data leaks in its daily routine? Follow these tips to protect your business from cybercriminals and accidental data loss.
- Know what you're collecting. What customer information do you have? Is it more than your business needs? Do you have multiple copies of one customer's data? Remember, a data breach is not always virtual. Duplicate files are a hazard, whether hard copies or electronic.
- Keep offsite backups. You also need regular, current backups. The current cyberattack trend is ransomware: cyberthieves plant malicious software on your system that destroys or locks up your data once activated, then demand payment to "cure" it. With a current backup, you can ignore the threat, wipe the affected systems, and restore from the backup.
- Keep all software up to date. You probably get notices every day reminding you to update drivers or install program patches. If you run Microsoft Windows, you've been annoyed by your computer shutting down periodically to install security updates. All these small upgrades fix, or "patch," recently discovered holes in the programs. Even if the program isn't a security program, it still needs updating.
- Use reliable anti-virus software. Anti-virus software works alongside another piece of software: the firewall. You may have encountered streaming services asking you to disable your firewall to improve your computer's performance. This isn't a good idea. Your firewall protects the network boundary from viruses and unwanted traffic; anti-virus software protects the individual machine and the software running on it. If you think of a computer system as a house, the firewall is the fence, and the anti-virus software is the outer wall. If you have both, the interior is fully protected.
- Use a reliable VPN. Now that remote work and hybrid offices are the rule, virtual private networks, or VPNs, are part of a company's equipment. A VPN lets remote employees securely access sensitive data from outside the company intranet. Install a VPN on any company-issued device that will access company data over public Wi-Fi.
- Discourage the use of public Wi-Fi. Sometimes, employees must use public Wi-Fi. Hackers and data thieves love it. If your remote workers are away from a firewalled network regularly, or if you don't have control over your business network, consider investing in a portable hotspot. The cost is well worth the protection of your data.
- Use multi-factor authentication. Multi-factor authentication requires several steps to log into a system. For instance, after using a password to access the computer, a user needs a one-time code sent to a different device. This can be a cell phone or tablet. This multiple-step system ensures that the user is authorized to access sensitive information.
- Use encryption software. Encryption ensures that even if hackers break into your system, your data is unreadable, and therefore worthless to them. Encryption turns data into a string of seemingly random characters that can only be reassembled by a system holding the decryption key. Encryption adds a little time to your workday, but if your data is high-risk, the time and cost are worth it.
- Invest in password management tools and strong passwords. Password management is a two-edged sword. On the one hand, security policies require strong and difficult-to-guess passwords. On the other, random passwords, or ones that are changed too often, are easy to forget. Employees may write them on sticky notes and leave them on their desks, which creates a security vulnerability of its own. Good password management tools can alleviate these issues: they generate random passwords and store them securely. Remember to update and back up your management software.
- Practice good PII awareness. Learning how much personally identifiable information (PII) is available on social media might surprise you. Even businesses and business owners fall prey to this. Consumer Reports tells a tale of a company that proudly reported its founding date on its website and social media page. Hackers found that that date was also the password to its company database. While there's nothing wrong with putting information on your public sites, never let anything you publish double as a password or access code.
None of these data security techniques work unless everyone in the company practices them. You must teach your employees to spot and avoid risks, recognize data breaches, and limit the damage. Identity theft is possible because workers are careless. Employees used to throw carbons of credit card receipts into the trash. Today, they carelessly open emails without checking whether they're legitimate. So, employees are your first line of defense against hackers, phishing, and scammers.
- Prohibit downloading apps or programs onto business computers, including company laptops or tablets. Remind employees not to open any email or text they don't recognize.
- Modern phishing has evolved. Today's scams use people's tendency to click first and check where they're going later. Train employees to hover the mouse over a link and check the URL before clicking.
- Malware has become increasingly common in downloads, torrents, and streaming. The popular influencer platform TikTok is infested with malware and spyware. Installing anti-malware software is a good measure. But warning employees against downloading or viewing any downloaded images is better.
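The "hover over the link and check the URL" habit described above can also be automated for incoming mail. The following Python script is an added example (not from the original article): it pulls every link out of an HTML email body and flags the classic phishing tells, namely link text that shows one website while the real destination is another, links that point at a raw IP address, and links that do not use HTTPS. The sample email and its domains are constructed for the demonstration using reserved example names; the function names are this example's own.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collects (displayed text, href) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently being read, if any
        self._text = []     # text fragments seen inside that anchor
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return a list of (displayed text, href) tuples from an HTML email body."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


# Matches link text that *looks like* a web address, e.g. "bank.example.com/login"
# or "https://bank.example.com". Plain words such as "click here" do not match.
_URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/?#]\S*)?$", re.I)


def displayed_host(text):
    """Hostname the reader *believes* they are visiting, or None if the text is not URL-like."""
    match = _URL_LIKE.match(text.strip())
    return match.group(1).lower() if match else None


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(text, href):
    """Return a list of human-readable reasons this link looks suspicious (empty if none)."""
    reasons = []
    target = urlparse(href)
    real_host = (target.hostname or "").lower()
    shown_host = displayed_host(text)

    # 1. The text shows one site but the link really goes somewhere else.
    if shown_host is not None and shown_host != real_host:
        reasons.append(f"displayed host {shown_host!r} differs from real host {real_host!r}")
    # 2. Legitimate businesses rarely send links to bare IP addresses.
    if _is_ip_literal(real_host):
        reasons.append("link points at a raw IP address")
    # 3. Login or payment pages should always be served over HTTPS.
    if target.scheme and target.scheme.lower() != "https":
        reasons.append(f"link uses {target.scheme}, not https")
    return reasons


def audit_email(html):
    """Return only the suspicious links, each with its text, href and the reasons found."""
    findings = []
    for text, href in extract_links(html):
        reasons = check_link(text, href)
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample email body (reserved example domains and a documentation IP range).
SAMPLE_EMAIL = """
<p>Your account needs attention. Please <a href="http://198.51.100.23/verify">click here</a>
or visit <a href="https://login.bank-example.net/secure">https://bank.example.com/login</a>.</p>
<p>Questions? See <a href="https://support.example.com/help">support.example.com/help</a>.</p>
"""

if __name__ == "__main__":
    for finding in audit_email(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{finding['text']}' -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, the first two links are reported (one for the raw IP and plain HTTP, one for the mismatch between the displayed bank address and the real destination) while the support link, whose text and destination agree, passes. The check is deliberately conservative: it only compares hosts when the link text itself looks like a web address, so ordinary "click here" links are judged on their destination alone.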
Prevention is the bottom line of data protection. It's better to keep viruses out than try to fight them once they're in. Taking proactive steps to fight cybercriminals before they compromise your customer data beats paying out fines and settlements.
Next Steps in Data Security
Maybe your business has suffered a data breach. Or maybe you hope to stop one before it happens. In either case, speak to a business and commercial law attorney in your area now. A skilled lawyer can help you make responsible decisions regarding sensitive customer data.
You Don’t Have To Solve This on Your Own – Get a Lawyer’s Help
Meeting with a lawyer can help you understand your options and how to best protect your rights. Visit our attorney directory to find a lawyer near you who can help.