Data is the root of everything we are trying to protect in cybersecurity. Data is how your small business fulfills orders, negotiates contracts, and invoices for services. Additionally, customers care about what happens to their data. Significant data breaches have made it into the news, and consumers take note of businesses they trust.
When we talk about business data that needs protecting, what are we talking about? For most businesses, the categories are customer data, financial data, and proprietary information.
The three steps to small business data protection are backup, encryption, and authentication.
Data should be backed up to recover from expected technology failures like a hard drive malfunction. Small businesses should also back up their data to recover from structural events like a fire, flood, or stolen equipment. Because a structural event can take out everything kept at one location, it’s most common to have both on-site and cloud backups for security.
The cybersecurity world views business data in two states: data in motion and data at rest. As a small business owner, it’s essential to consider security when moving data to a third party. Sensitive or personal data should never be sent in the body of an email but instead sent through an encrypted email service. Data at rest should be encrypted until it’s needed to perform a job function.
How is business data stolen? The most common way for a criminal to access your business data is through a working employee login obtained by phishing. Working backward from that common attack vector, we can find a few cyber hygiene principles. First is the principle of least privilege (PoLP). This concept states that users should only have access to the data they need to complete a required task. If each user login can only access the small segment of the network needed to do that user's job, stealing large amounts of business data becomes much more difficult. Additionally, small businesses should have rules that require complex passwords and multi-factor authentication if available, along with continued employee security awareness training to remind users of the current attack vectors.