The consequences of a data breach can be devastating for small businesses and the customers whose information is compromised; these tips can help business owners and consumers alike to avoid becoming a victim of digital thieves.
The biggest data breaches generate the biggest headlines. Last year, a data breach exposed the usernames, email addresses and passwords of 150 million accounts on MyFitnessPal. Also last year, hackers stole email addresses, phone numbers and some credit card information from 500 million customers of Marriott hotels.
But those are rarities. Most data breaches don’t affect millions of customers. Consumer Reports recently analyzed a database of 8,980 data breaches organized by the Privacy Rights Clearinghouse. Consumer Reports found that 94 percent of these incidents – from as far back as 2005 – exposed the records of fewer than 100,000 consumers.
Small businesses frequently impacted by data breaches
Small businesses, then, are frequently hit by data breaches. Small business owners need to be careful when handling consumer information and must take the steps necessary to protect themselves.
At the same time, consumers need to be mindful of the information they provide to their corner pharmacy, local eye doctor or favorite bakery. Just because a business is small doesn’t mean scammers won’t try to steal the data they are storing.
“Data breaches at small businesses are very common,” said Heather Engel, chief strategy officer with Suffolk, Virginia-based cyber risk management firm Sera-Brynn. “We hear less about specific incidents because the amount of data lost is typically small and doesn’t impact a large number of consumers.”
Data breaches: Small business, big impact
Data breaches can be especially devastating to small businesses. Engel said the costs associated with a breach and the damage they cause to a company’s reputation can result in the small business closing its doors.
Eva Velasquez, president and chief operating officer of the Identity Theft Resource Center in San Diego, agrees that data breaches targeting small businesses don’t receive enough press, and that this can make both small business owners and consumers lax.
“The victims of these breaches, the people whose data has been compromised, don’t care if they are one out of 100 million, one out of 100,000 or one out of 10,” Velasquez said. “The effect is the same. It is about the data that was compromised for the individual, not about how many other people are in the same boat with them.”
Velasquez said 1,244 data breaches were reported last year. The majority of these breaches targeted small businesses, she said.
“If you went by the headlines, you’d think there were five or 10 data breaches last year,” Velasquez said. “No, hundreds of billions of records were exposed. Most just didn’t make the headlines because they hit smaller businesses. The data breaches at smaller businesses are ubiquitous.”
How consumers can protect their data when shopping at small businesses
Velasquez says protection starts with deciding whether to part with your data in the first place.
- Consider when you sign up with a new dentist. One of the forms you have to fill out might ask for your Social Security number. Why should you provide that number to your dentist? Velasquez recommends you refuse to provide it if you want to keep thieves from accessing it.
- “Consider if you really do have to share this information,” Velasquez said. “Your dentist doesn’t need your Social Security number. If you are paying for services upfront, there is no reason for your dentist to have that number.”
- Consumers lose control of their data and personal information as soon as they give it to someone else. That’s why it’s important to only provide information to businesses when it’s necessary. If a small business asks for your email, for instance, it’s OK to decline to provide it.
- “Think about what the business actually requires to serve you, and what information might be used to make your experience better but isn’t strictly necessary,” Engel said. “Reward programs are a great example. You don’t have to provide your phone number to purchase something at a drugstore. You might get perks if you do, but it isn’t required.”
What can small business owners do?
Small business owners should put more thought, too, into the information they collect, Velasquez said.
- If you own a small business, how much sensitive information do you really need from your clients or customers?
- Consider, too, who gets to access that information. If you do collect the Social Security numbers of your customers or clients, is that information collected and viewed only by employees who have been trained to detect and avoid phishing schemes?
“There is no panacea out there,” Velasquez said. “The thieves are relentless. They know the data is valuable. That is why they are after it. They are looking for the low-hanging fruit. Don’t be the low-hanging fruit.”
Small business owners should remember, too, that it’s not just the information of their clients or customers that is at risk. Data breaches can expose the information of their employees.
Employee training and awareness of data risk is key
Velasquez cites one example: At tax time, criminals often send phishing emails that look like they’re from high-ranking company executives who are looking for the W-2 records of employees.
If small business staffers aren’t trained to recognize these phishing attempts, they might expose the personal and financial information of their fellow workers.
- It’s important for small businesses to have processes in place that can help employees detect and respond properly to scam attempts.
- Supervisors should tell their workers, for example, that they will never ask for personnel records in an email. That way, if employees do receive an email requesting this information, they can quickly identify it as a scam.
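The "we never ask for personnel records by e-mail" rule described above can be backed up with a simple mail-triage check. The following is an added example, not code from the article or from any firm quoted in it: it flags any inbound message that asks for W-2s or personnel records, and raises the risk when the message also shows the two tell-tales of the tax-season scheme, an executive's name on an external sender address, or a Reply-To that differs from the From address. The company domain, executive names and sample messages are all constructed for the example.

```python
"""Triage inbound e-mail for W-2 / personnel-record requests.

Added example. COMPANY_DOMAIN, EXECUTIVES and SAMPLE_MESSAGES are constructed
values for demonstration, not data from the article.
"""
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-bakery.com"      # assumed: the business's own mail domain
EXECUTIVES = {"Dana Lee", "Chris Park"}    # constructed: names scammers would impersonate

# Phrases that indicate a request for tax or personnel records.
RECORD_REQUEST = re.compile(
    r"\b(w-?2s?|personnel (records|files)|ssn|social security)\b", re.IGNORECASE
)


def classify(msg):
    """Return (risk, reasons) for one message.

    msg is a dict with keys 'from', 'subject', 'body' and optionally 'reply_to'.
    risk is 'none', 'medium' (record request only) or 'high' (record request
    plus a spoofing indicator).
    """
    reasons = []
    display, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"

    if not RECORD_REQUEST.search(text):
        return "none", reasons
    # Policy rule: personnel records are never requested by e-mail, so any
    # such request needs out-of-band verification before anyone replies.
    reasons.append("asks for W-2/personnel records by e-mail")

    # Spoofing indicator 1: a known executive's display name on an outside domain.
    if display in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"executive name '{display}' but external sender domain '{domain}'")

    # Spoofing indicator 2: replies would go somewhere other than the visible sender.
    _, reply_addr = parseaddr(msg.get("reply_to", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        reasons.append(f"Reply-To '{reply_addr}' differs from From '{addr}'")

    risk = "high" if len(reasons) > 1 else "medium"
    return risk, reasons


def triage(messages):
    """Classify a batch and return [(subject, risk), ...] in input order."""
    return [(m.get("subject", ""), classify(m)[0]) for m in messages]


# Constructed sample messages (not real mail).
SAMPLE_MESSAGES = [
    {   # executive name, free-mail domain, asks for W-2s
        "from": "Dana Lee <dana.lee@webmail.example>",
        "subject": "Urgent: W-2 records",
        "body": "Please send me the W-2s for all staff as PDF today.",
    },
    {   # internal-looking From, but replies are redirected outside
        "from": "Chris Park <chris@example-bakery.com>",
        "reply_to": "chris.park@webmail.example",
        "subject": "personnel files",
        "body": "Need the personnel files for the audit by noon.",
    },
    {   # ordinary supplier mail, nothing to flag
        "from": "Flour Supply <orders@flour-supply.example>",
        "subject": "Invoice 1042",
        "body": "Attached is your invoice for last week's delivery.",
    },
    {   # genuine internal question that still touches SSNs: verify, lower risk
        "from": "Chris Park <chris@example-bakery.com>",
        "subject": "Question about SSN form",
        "body": "Which form do new hires use for their Social Security number?",
    },
]

if __name__ == "__main__":
    for subject, risk in triage(SAMPLE_MESSAGES):
        print(f"{risk:6s}  {subject}")
```

Even the "medium" case is worth a phone call rather than a reply: the point of the rule is that the request itself, not only the spoofing clues, is the trigger for verification.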
Bart McDonough, CEO of New York City-based IT and cybersecurity firm Agio, said small businesses should focus on their accounting and financial staff when training their employees to recognize phishing attempts and other scams. These key personnel need to be educated, too, on how to avoid downloading malware.
But generic training rarely works, McDonough said. Companies need to tailor their training to their own businesses. A business that handles tax returns might face different risks than a small clothing store or bakery does.
“I would say that the majority of businesses still don’t do much custom training of their staff,” McDonough said. “Some just do it so they can check off a box. They read that they need to do phishing training, so they do it and check it off their list. The firms that have more leadership from the top, who look at this as a true risk-management issue, they are the ones that are more likely to do custom training.”
Software and technology defenses against data breaches
To lessen the odds of suffering a breach, McDonough recommends that small businesses install and approve software updates as soon as they are available. The latest anti-virus software is important, too.
Another key step? McDonough recommends that small business owners not provide their employees with administrative rights on their computers.
Employees with admin rights can install software on their machines. This means they could also accidentally download malware. If admin privileges are reserved only for owners or high-ranking executives, small businesses will lower the odds of infecting their machines with malware.
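A small business can check whether the admin-rights rule above actually holds on its Windows machines by comparing the local Administrators group against the short list of people who are supposed to be in it. The following is an added example, not code from the article or from any firm quoted in it. It parses the output of the standard `net localgroup Administrators` command; the sample output, the machine name and the allow-list are constructed, and `collect_live()` only runs the real command on Windows.

```python
"""Audit local Administrators group membership against an allow-list.

Added example. SAMPLE_OUTPUT and ALLOWED_ADMINS are constructed values.
"""
import platform
import subprocess

# Constructed allow-list: only the owner and the built-in account keep admin rights.
ALLOWED_ADMINS = {"Administrator", "owner"}

# Constructed sample of what `net localgroup Administrators` prints on Windows.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
owner
SHOP\\jsmith
SHOP\\cashier2
The command completed successfully.
"""


def parse_net_localgroup(output):
    """Return the member names listed after the dashed separator line."""
    members = []
    in_members = False
    for line in output.splitlines():
        stripped = line.strip()
        if not in_members:
            # The member list starts right after the line of dashes.
            if stripped and set(stripped) == {"-"}:
                in_members = True
            continue
        if not stripped or stripped.startswith("The command completed"):
            break
        members.append(stripped)
    return members


def unexpected_admins(members, allowed=ALLOWED_ADMINS):
    """Return members that are not on the allow-list, preserving order."""
    return [m for m in members if m not in allowed]


def audit(output, allowed=ALLOWED_ADMINS):
    """Parse command output and return (ok, unexpected_members)."""
    extra = unexpected_admins(parse_net_localgroup(output), allowed)
    return (len(extra) == 0, extra)


def collect_live():
    """Run the real command on Windows; elsewhere return None."""
    if platform.system() != "Windows":
        return None
    result = subprocess.run(
        ["net", "localgroup", "Administrators"],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    output = collect_live() or SAMPLE_OUTPUT
    ok, extra = audit(output)
    if ok:
        print("Administrators group matches the allow-list.")
    else:
        print("Accounts with admin rights that are not on the allow-list:")
        for name in extra:
            print("  ", name)
```

Each account the audit reports is one that can install software, and therefore malware, on that machine; the fix is to move it to the standard Users group and re-run the check. On a domain-joined network the same comparison should be made against the group policy that populates the local Administrators group, not only against one machine.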
McDonough said a combination of employee training and the latest anti-virus protection and software updates is the best defense against data breaches.
He referred to this as “defense in depth.” There is a chance that a scammer can trick an employee, even one who is trained to recognize phishing attempts or malware. But it’s more difficult for scammers to both trick employees and get past strong anti-virus software.
“It’s like making a taller fence,” McDonough said. “If you keep stacking a five-foot fence atop another five-foot fence, eventually a scammer will look at that and decide to go after someone else. Scammers will go after the easier targets.”
What small businesses can do after a breach
If a small business does suffer a data breach, there are steps that owners can take to at least minimize the damage.
- Contact your business attorney and local law enforcement immediately, Velasquez recommends. Rules on reporting data breaches vary in different states, but by making these calls, business owners can make sure they are in compliance with any state regulations, Velasquez said.
- Isolate any computers that are infected with malware, according to McDonough. Business owners might need to rebuild infected machines to make sure the malware is fully erased.
- Store only the minimum amount of data necessary, so that when a breach happens, the amount of sensitive data leaked is minimized, Engel suggested.
“Small business owners should understand what data are critical to their business, then look at the sensitivity of that data,” Engel said. “If you don’t need it, then take it offline.”