Cyber security
© Getty Images

Protecting small businesses from data breach

Technical bulletin

Today, virtually all businesses collect and store personal information about customers, employees and others. The frequency of data breaches - the theft, loss or  mistaken release of private information - continue to make headline news.

Data breaches aren’t just a big business problem; small and medium-sized businesses with fewer data security resources are particularly vulnerable.

In fact, 39% of small and 65% of medium-sized UK businesses experienced a cyber security breach or attack in 2020(1). As a result, it’s important for businesses of every size to take steps to prevent a data breach. Here’s how:

1. Only keep what you need

Inventory the type and quantity of information in your files and on your computers. Reduce the volume of information you collect and retain only what is necessary. Don't collect or keep information you don’t absolutely need. Minimise the number of places you store personal private data. Know what you keep and where you keep it.

2. Safeguard data

Lock physical records containing private information in a secure location. Restrict access to that information to only those employees who must have access. Conduct employee background checks. Never give temporary employees or vendors access to personal information on employees or customers.

3. Manage use of portable media

Portable media, such as DVDs, CDs, USB hard drives and 'flash drives' are more susceptible to loss or theft. This can also include smartphones, MP3 players and other personal electronic devices with a hard drive that 'syncs' with a computer. Allow only encrypted data to be downloaded to portable storage devices.

4. Destroy before disposal

Cross-cut shred paper files with private information you no longer need before disposal. Destroy disks, CDs/DVDs and other portable media before disposal. Deleting files or reformatting hard drives does not completely erase your data. Instead, use software designed to permanently wipe the hard drive or physically destroy the drive itself. Also, be mindful of photocopiers, as many of these scan a document before copying. Change the settings to clear data after each use.

5. Update procedures

Do not use National Insurance numbers as employee ID numbers or client account numbers; develop another ID system. Make sure that your procedures comply with any applicable laws or legislation. Also, make sure that they align with any applicable industry required standards, such those that may be required by the Payment Card Industry (PCI) Data Security Standard.

6. Educate/train employees

Establish a written policy about privacy and data security, and communicate it to all employees. Require employees to put away files, log off their computers and lock their offices/filing cabinets at the end of the day. Educate employees about the different types of cyberattacks, what types of information are sensitive or confidential  and what their responsibilities are to protect that data.

7. Control computer usage

Restrict employee usage of computers to business use. Do not permit employees to use file sharing peer-to-peer websites or software applications, block access to inappropriate websites and prohibit use of unapproved software on company computers.

8. Secure computers

Implement password protection and 'time out' functions (requires re-login after period of inactivity) for all computers. Train employees to never leave computers unlocked or unattended. Restrict tele-commuting to company-owned computers. Require the use of strong passwords that must be changed on a regular basis. Don't store personal information on a computer connected to the Internet unless it is essential for conducting business.

9. Keep security software up-to-date

Keep security patches for your computers up-to-date. Use firewall, anti-virus and anti-spyware software; update virus/spyware definitions daily. Check your software vendors' websites for any updates concerning vulnerabilities and associated patches.

10. Stop unencrypted data transmission

Mandate encryption of all data. This includes data 'at rest' and 'in motion'. Also consider encrypting email within your company if personal information is transmitted. Avoid using Wi-Fi networks; they may permit interception of data.

HSB Cyber Insurance and HSB Computer Insurance

HSB Cyber Insurance provides a computer, data and cyber insurance policy all in one for small and medium-sized businesses, and HSB Computer Insurance provides comprehensive cover for commercial computer hardware, data losses, increased costs, and virus, hacking and denial of service.
(1) Cyber Security Breaches Survey 2021 - Department for Digital, Culture, Media and Sport