Protecting small businesses from data breach

Inventory the type and quantity of  information in your files and on your  computers. Reduce the volume of  information you collect and retain  only what is necessary. Don't collect  or keep information you don’t  absolutely need. Minimise the  number of places you store personal  private data. Know what you keep  and where you keep it.

Lock physical  records containing private  information in a secure location.  Restrict access to that information  to only those employees who must  have access. Conduct employee  background checks. Never give  temporary employees or vendors  access to personal information  on employees or customers.

Portable media, such as DVDs, CDs,  USB hard drives and 'flash drives' are  more susceptible to loss or theft. This  can also include smartphones, MP3  players and other personal electronic  devices with a hard drive that 'syncs'  with a computer. Allow only encrypted  data to be downloaded to portable  storage devices.

Cross-cut shred paper files with  private information you no longer need  before disposal. Destroy disks, CDs/DVDs and other portable media before  disposal. Deleting files or reformatting  hard drives does not completely  erase your data. Instead, use software  designed to permanently wipe the  hard drive or physically destroy  the drive itself. Also, be mindful of  photocopiers, as many of these scan a  document before copying. Change the  settings to clear data after each use.

Do not use  National Insurance numbers as  employee ID numbers or client  account numbers; develop another  ID system. Make sure that your  procedures comply with any  applicable laws or legislation.  Also, make sure that they align with  any applicable industry required  standards, such those that may  be required by the Payment Card  Industry (PCI) Data Security  Standard.

Establish a written policy about  privacy and data security, and  communicate it to all employees.  Require employees to put away files,  log off their computers and lock  their offices/filing cabinets at the  end of the day. Educate employees  about the different types of cyberattacks,  what types of information  are sensitive or confidential   and  what their responsibilities are to  protect that data.

Restrict employee usage of  computers to business use. Do not  permit employees to use file sharing  peer-to-peer websites or software  applications, block access to  inappropriate websites and prohibit  use of unapproved software on  company computers.

Implement password protection and 'time out' functions (requires re-login after period of inactivity) for all computers. Train employees to never leave computers unlocked or unattended. Restrict tele-commuting to company-owned computers. Require the use of strong passwords that must be changed on a regular basis. Don't store personal information on a computer connected to the Internet unless it is essential for conducting business.

Keep security patches for your  computers up-to-date. Use firewall,  anti-virus and anti-spyware software;  update virus/spyware definitions  daily. Check your software vendors' websites for any updates concerning  vulnerabilities and associated patches.

Mandate encryption of  all data. This includes data 'at rest' and 'in motion'. Also consider encrypting  email within your company if personal  information is transmitted. Avoid using  Wi-Fi networks; they may permit  interception of data.