Cyber threats: Protecting your small business
As a small-business owner, it’s up to you to avoid scams, protect your computers and networks, and keep data safe. The Federal Trade Commission’s (FTC) Stick with Security blog series, based on its Start with Security guide, distills lessons from 60 or so data security cases the agency has settled since 2001. The following highlights can help your business improve its cyber and data security practices.
- Use widely accepted industry-tested methods for securing data.
- Collect and store only the customer or user information that your business legitimately uses. Securely dispose of information once it is no longer necessary; make it unreadable by using available technology to wipe devices; and destroy documents.
- Tailor administrative access. If workers don’t need to use sensitive information as part of their job, don’t give them access to it. Help protect sensitive data by housing it in a separate, secure place on your network.
- Implement robust authentication procedures (including password standards) to ensure only authorized individuals can access information.
- Require employees to choose complex passwords and don’t allow use of similar passwords for different accounts. Require two-factor authentication. Protect your network from hackers by implementing a policy to suspend or disable user credentials after a certain number of unsuccessful password login attempts.
- If you’re developing new products like software or an app, adequately train employees in secure coding practices. Assess products for commonly known vulnerabilities before they are in consumers’ hands. When offering privacy and security features, make sure your product lives up to its advertising claims.
- Take steps to ensure that any service provider you hire to process collected information or to help with product development implements appropriate measures to keep data secure throughout its life cycle. Include contract provisions that require service providers to adopt reasonable security precautions and oversee their practices on an ongoing basis.
- Use tools to monitor activity on your network. Place limits on third-party access and ensure that computers with remote access have appropriate endpoint security.
- Have an effective process in place to receive reports about security vulnerabilities and have a plan to respond to security incidents. Move quickly to fix vulnerabilities that come to your attention before a problem grows.
- Don’t leave items such as paper files, laptops, external hard drives or flash drives with information in an open or easily accessible area. Train staff not to leave information in files, on computers or on devices unprotected, unattended or exposed to the public when traveling for work.
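The lockout control mentioned above (suspending credentials after a set number of failed login attempts) as an added example, not part of the FTC guidance. The threshold, lockout duration and `LoginGuard` class are assumptions chosen for illustration; a clock is injected so the behaviour can be exercised without waiting.

```python
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # lock after this many consecutive failures (assumed value)
LOCKOUT_SECONDS = 15 * 60    # how long the account stays locked (assumed value)


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LoginGuard:
    """Tracks failed logins per username and enforces a temporary lockout."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock              # injectable for testing
        self.accounts = {}
        self.events = []                # audit trail for network monitoring tools

    def _state(self, username):
        return self.accounts.setdefault(username, AccountState())

    def is_locked(self, username):
        st = self._state(username)
        if st.locked_until and self.clock() < st.locked_until:
            return True
        if st.locked_until:             # lockout has expired: reset the counter
            st.locked_until, st.failed_attempts = 0.0, 0
        return False

    def attempt_login(self, username, password_ok):
        """Returns 'locked', 'denied' or 'ok'. A correct password is still
        rejected while the lockout is active, so guessing cannot continue."""
        if self.is_locked(username):
            return "locked"
        st = self._state(username)
        if not password_ok:
            st.failed_attempts += 1
            self.events.append(("login_failed", username, st.failed_attempts))
            if st.failed_attempts >= self.max_attempts:
                st.locked_until = self.clock() + self.lockout_seconds
                self.events.append(("account_locked", username, st.locked_until))
                return "locked"
            return "denied"
        st.failed_attempts, st.locked_until = 0, 0.0   # success clears the count
        return "ok"
```

The `events` list is the hook for the monitoring the guidance recommends: an `account_locked` event for many accounts in a short window is a signal worth alerting on.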
The National Institute of Standards and Technology’s Cybersecurity Framework can help you identify and manage cybersecurity risks to your business. The FTC publishes guidance on how your business can use the framework together with its Start with Security guide to identify, implement and improve data security practices, as well as information on sensitive data and the law.