As more customer information is stored online, data breaches pose an increased risk to business owners and consumers alike.
A data breach often involves the loss of personally identifiable information. “Think about any information that is unique to you as an individual, or when combined becomes unique,” says Scott Mitic, senior vice president of Equifax Personal Solutions.
For example, information compromised in a data breach can include customers’ and employees’ names, addresses, Social Security numbers, dates of birth or medical insurance information.
A data breach—especially one that includes the loss of personally identifiable information—poses obvious threats to your customers, including the threat of identity theft. According to the “2013 Identity Fraud Report” by Javelin Strategy & Research, which looks at 2012 data, 1 in 4 consumers who received data breach notifications became victims of identity theft.
But it’s not just consumers who are impacted—small retailers also lose out. The Javelin study found that victims are more selective about where they shop after a fraud event, with 15 percent of victims choosing to avoid smaller online merchants.
How do data breaches happen?
According to Mitic, two common ways that companies become data breach victims are through physical access to confidential information and online computer vulnerabilities.
“In general, data breaches are most frequently perpetrated by someone the business owner knows,” Mitic notes. “It can be a vendor, an employee with access to a customer database, or an outsourced IT team who comes in to do desktop support or update software.”
In less common cases, data breaches occur when online hackers are able to gain access to your company database that holds confidential information, such as the personal information of your employees and customers.
“There are vulnerabilities that can be created through a company’s website or interface—where data is being moved electronically,” Mitic says.
What are a few signs that your business has fallen victim to a data breach?
A data breach can be incredibly damaging to your small business. In fact, in a March survey of small business owners conducted by the Ponemon Institute, 70 percent of respondents agreed that the loss of employees’ and customers’ sensitive personal information would do more harm to their businesses than the loss of confidential company data.
As a victim of a data breach, you could lose customers, business partners or employees, so it’s important you catch a data breach early. That way, you can help retain as many of your current customers, business partners and employees as possible.
Mitic says there are some red flags that may indicate your company has been victimized. A few examples include:
- Missing inventory. This can include items such as a company laptop, phone or tablet that contains sensitive personal information.
- Suspicious phone calls. Scammers may take advantage of social media to target your company. For example, if an employee posts that she is sick on Facebook and a scammer targeting your company sees it, that scammer may call your office pretending to be a friend or family member of that employee.
  “I might call you and say that I’m the husband of the employee who is out sick,” explains Mitic. “I might say that my wife is trying to get access to her email and can’t remember her password, and ask that you give it to me. Through this ‘social engineering’ activity, I now have access to any personal identifying information associated with that email account.”
- Strange solicitations. Abnormal emails (such as those which ask you to reset your account password by clicking on the link in the email) and phone calls (people calling asking for remote access to your computer system, for example) are often indicators that you’re being targeted.
Be sure to also monitor your website and computer system for clues. “You should have in place monitoring systems which are able to detect unauthorized access to your computer infrastructure,” Mitic says.
“For online unauthorized data access, it’s incredibly helpful to be able to see these types of attacks when or shortly after they happen. [These monitoring systems] are how many tech-savvy companies learn of data breaches.”
What are some tips for avoiding a data breach?
No matter the size of your business, if you accept credit cards, typically you must be in compliance with the security standards of the Payment Card Industry (PCI). These standards dictate how data is processed and secured after a customer swipes their credit card.
While the regulations specifically outline how businesses should protect credit card data, “these guidelines can be used to protect other data, like birth dates and Social Security numbers,” says Mitic.
Additionally, the Federal Communications Commission offers these 10 cyber security tips for small businesses:
- Establish security practices that all employees must follow, including password and Internet usage policies.
- Regularly update your computers and software.
- Secure your Internet connection and private network with a firewall. If you have employees who work from home, ensure their home computer systems are protected as well.
- Create guidelines for accessing the company network via mobile device, including password protecting these devices and installing security applications.
- Back up your important business data, or store copies offsite or on the cloud.
- Manage user accounts on each computer to limit who has access to sensitive data, and lock up laptops when unattended.
- Secure your wireless networks—password protect routers and ensure networks are encrypted.
- Follow best practices when accepting credit and debit cards.
- Do not allow employees to install software without permission, and limit the data to which they have access.
- Require employees to use unique passwords and change those passwords every three months.
If your company does fall victim to unauthorized data access, check into applicable laws regarding unauthorized data access, including your state’s laws surrounding data breach notification. “Like any illness,” says Mitic, “the prescription will be dictated by the malady.”