As a business owner, you take many preventative measures to protect your physical location. Locks and cameras ward off burglars. A safe insulates precious belongings. Business insurance protects your assets. But when it comes to online safety and security, businesses often remain vulnerable to data leaks and hacks.
Here are five ways to prevent fraud and secure your business's resources and customer information:
1. Conduct a Security Audit
Regularly conducting an audit of your online security measures is a way to verify if they’re strong enough to protect your business data and meet regulatory requirements. Below are a few types of audits you should consider running annually.
- A security audit evaluates internal and external information systems to determine the likelihood of a data breach.
- A risk assessment helps a business identify, evaluate, and prioritize risks.
- A vulnerability assessment is a study of a networked system to uncover security weaknesses.
- Penetration testing is a simulated attack by cyber friendlies (white hats) posing as hackers. This test aims to penetrate system security to demonstrate vulnerabilities without causing actual damage. This gives your business the ability to remediate them before they are detected and exploited by threat actors.
- A compliance audit determines if the system meets all regulatory requirements.
2. Always Use Encryption
Encryption should protect confidential data both while it is transmitted over an open connection through the Internet and while it is stored on servers. These transmissions should be encrypted point-to-point, from one secured and encrypted system to another. To protect your data, never expose unencrypted confidential data to the Internet.
Some legacy systems still rely on the public versions of Secure Sockets Layer (SSL) encryption, which have known security flaws. Its successor, Transport Layer Security (TLS), addresses those flaws. An audit should check every encrypted connection to confirm it uses TLS rather than SSL.
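The audit step above is easy to script. The following is an added example written for this page, not code from the original article: it builds the hardened client context an application should be using, a constructed "legacy" context of the kind an old system might carry (verification off, old protocol versions allowed), an audit function that reports what is wrong with a given context, and a probe that connects to a host and reports the negotiated protocol version. Hosts, ports and the finding strings are assumptions chosen for the example.

```python
import socket
import ssl
import sys
from typing import Optional

# Protocol names as returned by SSLSocket.version(); anything else is a finding.
ACCEPTED_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context an audited application should use: refuses anything older
    than TLS 1.2 and keeps certificate and hostname verification switched on."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed example of a legacy configuration: verification disabled and
    old protocol versions still permitted. Exists only so the audit has a 'before'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # rejected by OpenSSL builds without TLS 1.0
    except ValueError:
        pass
    return ctx


def context_findings(ctx: ssl.SSLContext) -> list:
    """Audit an SSLContext as configured in application code; empty list means clean."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows protocol versions older than TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate verification disabled")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    return findings


def classify_version(negotiated: Optional[str]) -> str:
    """Map a negotiated protocol name to a verdict."""
    if negotiated is None:
        return "no-tls"        # handshake did not complete, or the socket is plaintext
    if negotiated in ACCEPTED_VERSIONS:
        return "ok"
    return "weak"              # SSLv2, SSLv3, TLSv1, TLSv1.1


def probe_endpoint(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the hardened context and report what the server negotiated.
    A server that only speaks SSL or TLS <= 1.1 fails the handshake, which is itself
    a finding (recorded as 'handshake-failed')."""
    ctx = hardened_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                version = tls.version()
                cipher = tls.cipher()
                return {"host": host, "port": port, "version": version,
                        "cipher": cipher[0] if cipher else None,
                        "verdict": classify_version(version)}
    except (ssl.SSLError, OSError) as exc:
        return {"host": host, "port": port, "version": None, "cipher": None,
                "verdict": "handshake-failed", "error": str(exc)}


if __name__ == "__main__":
    # Usage: python tls_audit.py host [port]
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("legacy context findings:", context_findings(legacy_client_context()))
    print("hardened context findings:", context_findings(hardened_client_context()))
    print(probe_endpoint(target, target_port))
```

Run the probe against each of your own endpoints from the audit inventory; anything reported as "weak" or "handshake-failed" is a connection that still needs to be moved to TLS 1.2 or later.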
3. Be Careful When Relying on Outsourced Security
Many small businesses do not have the expertise or the resources to manage robust data security on-site. It is common for a small business to outsource the data management to a cloud service and hire the cloud service provider to handle the security issues.
The advantages of secured cloud services are that the provider handles software updates and can provide more robust security than most small businesses manage on their own. Yet businesses should not become complacent and assume that confidential information stored in the cloud is completely safe. The business should have ongoing conversations with its cloud services provider about how its data is being handled and secured.
Cloud services have unique vulnerabilities, which include:
- Misconfiguration: This is a major source of data breaches. A company may not be familiar with the security controls needed to protect a cloud-based system, so it is easy to leave cloud-based resources exposed to a hacker.
- Compromised Credentials: Stolen passwords or simple passwords may permit a bad actor to gain unauthorized access to confidential data.
- Insecure Application Programming Interfaces (APIs): APIs are convenient because they let software programs communicate with each other; however, if they are not secured, they may expose raw, unencrypted data.
- Data Sharing: Cloud services make data sharing easy and allow links to give anyone access. Such ease of sharing creates risk.
- Insider Attack: A disgruntled person who works for the company and has access to confidential data could be the source of a data breach.
Cloud security requires a robust approach that identifies who is responsible for data protection at every level. Depending on the cloud service used, the security responsibility may be the cloud service provider, the business, or a combination of both. Robust cloud security should provide granular control over who has authorized access on a need-to-know basis.
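Misconfiguration and overly broad access are the first two items in the list above, and both can be caught by reading the access policy attached to a storage resource. The following is an added example written for this page, not the article's own code or any provider's tool: it audits a bucket policy written in AWS's IAM policy JSON format and flags statements that grant access to anyone, to accounts other than the bucket owner, or with wildcard actions. The sample policy, the account numbers and the bucket name are constructed for the example.

```python
import json

# Constructed sample bucket policy (AWS IAM policy JSON format); not a real account.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "AdminsAll", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/Admins"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-reports/*"},
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-reports", "arn:aws:s3:::example-reports/*"]},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-reports/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def _as_list(value):
    """Policy elements may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_ids(principal):
    """Flatten the Principal element to a list of identifiers ('*' means anyone)."""
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        ids = []
        for entries in principal.values():      # e.g. {"AWS": [...]} or {"AWS": "*"}
            ids.extend(_as_list(entries))
        return ids
    return []


def _account_of(arn):
    """Return the 12-digit account field of an IAM ARN, or None if not an ARN."""
    parts = arn.split(":")
    return parts[4] if len(parts) >= 6 and parts[0] == "arn" else None


def audit_bucket_policy(policy_json, owner_account):
    """Return a list of findings for every Allow statement that is broader than
    need-to-know: public principals, foreign accounts, and wildcard actions."""
    findings = []
    policy = json.loads(policy_json)
    for index, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue                            # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement-{index}")
        principals = _principal_ids(stmt.get("Principal", {}))
        actions = _as_list(stmt.get("Action", []))
        conditional = "Condition" in stmt       # a condition may (or may not) narrow it
        if "*" in principals:
            findings.append({"sid": sid, "issue": "public-principal",
                             "severity": "medium" if conditional else "high",
                             "actions": actions})
        for principal in principals:
            account = _account_of(principal)
            if account and account != owner_account:
                findings.append({"sid": sid, "issue": "foreign-account",
                                 "severity": "medium", "principal": principal})
        if any(action == "*" or action.endswith(":*") for action in actions):
            findings.append({"sid": sid, "issue": "wildcard-action",
                             "severity": "medium", "actions": actions})
    return findings


if __name__ == "__main__":
    for finding in audit_bucket_policy(SAMPLE_POLICY, owner_account="111111111111"):
        print(finding)
```

Each finding names the statement (Sid) so the owner can go back and ask whether that grant is really needed; a "public-principal" finding without a Condition is the classic exposed-bucket misconfiguration the list above warns about.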
4. Consider the Air Gap
Confidential information may be kept on an encrypted server that is not connected to the Internet. This approach is called "air gap" security because there is no path to the data from external sources.
This method provides physical protection of the data. The data may have additional protection from other physical systems, such as having the computer hard drive containing the encrypted data stored in a safe deposit box kept in a bank's vault.
5. Improve Employee Training
Social engineering describes the tricks hackers use to get people to make mistakes, give up confidential information, and allow unauthorized access. Cybint estimates that human errors cause up to 95% of data breaches.
The most common error is downloading malware onto the network, which could happen by clicking on an email attachment, installing unauthorized software, or linking to a nearby device, such as a personal cellphone infected with a virus. It may also happen by simply visiting a website that automatically loads malware onto the user's computer without the person doing anything or even noticing it.
Employees need to recognize phishing attempts, where a hacker uses a fake website that is an identical copy of a real one to get the person to enter their user name and password so the hacker can steal them (known as “credential harvesting”).
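Training helps people spot a credential-harvesting link, but the same checks can run automatically on inbound mail. The following is an added example written for this page, not the article's own code: it pulls the links out of a message, reduces each to its registrable domain, and flags the common disguises (a trusted name embedded as a subdomain of an unrelated domain, a one-character lookalike, an internationalised "xn--" label, and a user@host URL whose visible part looks like the real site). The trusted-domain list, the sample message and the verdict names are constructed assumptions; the registrable-domain helper is a simplification that real code should replace with a Public Suffix List lookup.

```python
import re
from urllib.parse import urlparse

# Constructed allow-list of the business's own domains.
TRUSTED_DOMAINS = {"examplebank.com", "example.com"}

# Constructed sample message containing one genuine link and four disguised ones.
SAMPLE_EMAIL = """\
Your account has been locked. Verify now: https://login.examplebank.com.verify-account.net/secure
Also available at https://examp1ebank.com/login or https://xn--exampebank-x5a.com/login
Official statements: https://online.examplebank.com/statements
Support: https://examplebank.com@198.51.100.7/reset
"""

URL_RE = re.compile(r"""https?://[^\s<>"')]+""")


def registrable_domain(host):
    """Simplified: the last two labels. Real code should consult the Public Suffix
    List, since e.g. 'example.co.uk' needs three labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def levenshtein(a, b):
    """Edit distance; used to catch one-character lookalikes such as examp1ebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_host(host, trusted=TRUSTED_DOMAINS):
    """Return a verdict for a link's host name."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"                      # internationalised label; inspect by hand
    dotted = "." + host + "."
    if any("." + t + "." in dotted for t in trusted):
        return "embedded-trusted-name"         # examplebank.com.<something-else>
    if any(levenshtein(reg, t) <= 1 for t in trusted):
        return "lookalike-domain"              # one character away from a trusted name
    return "unknown"


def scan_email(text, trusted=TRUSTED_DOMAINS):
    """Extract every link in the message body and classify its host."""
    results = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        verdict = classify_host(host, trusted)
        if parsed.username is not None:
            verdict = "userinfo-in-url"        # the part before '@' is not the host
        results.append({"url": url, "host": host, "verdict": verdict})
    return results


if __name__ == "__main__":
    for item in scan_email(SAMPLE_EMAIL):
        print(f"{item['verdict']:22s} {item['host']:45s} {item['url']}")
```

Anything other than "trusted" is a candidate for quarantine or for a banner warning the recipient, and the flagged examples make good material for the awareness training the section recommends.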
A more advanced cyber-attack is Business Email Compromise (BEC), where a hacker takes over the email account of a known person in a company and then uses it to send emails to others in the same company. These imposter emails try to trick recipients into revealing confidential information or committing fraud, such as sending a bank wire.
These are just a few examples of what employees should be aware of and watch out for as a potential cyber-attack. Continual employee data security training and awareness is the best way to combat this weakness.
A business's cyber security responsibility includes everyone who works there, as well as any outsourced vendors that the company uses to manage data. The first step in improving security is to conduct an audit to hunt for vulnerabilities and then fix them to protect your business data. Ask your employees if they know what phishing is, and you may be surprised by how few actually do.