Protect Your Small Business From Being a Target

Over the last year, data breaches in businesses have been big news: Target, Home Depot, eBay, LinkedIn ... but this only happens to large businesses, right? Wrong.

The Target breach actually occurred when an employee of a small HVAC company opened a malware-laced email, allowing the HVAC company's system to be hacked. It just so happened that this particular company was contracted with one of the Target stores and had remote access for maintenance purposes. This allowed the hackers who accessed the little guy to jump right into the big guy's system and gather more than 40 million debit and credit card numbers from Target's point of sale (POS) system. But the initial target was the small HVAC company.

The variety of ways that cyber criminals can break into your computer network and gather private information is staggering. And the truth is they often specifically target small businesses, because small businesses don't have the time, attention or funds to provide the same security measures as large companies, making them easier to infiltrate.

So what precautions can you take? Here are some essential data safety practices that businesses of any size should use.

Secure Your Website

An increasingly popular form of cyber crime involves injecting malware into innocent, legitimate websites. Once it's slipped into the code of a website, it sits and waits to infect site visitors. To prevent this, scan your website daily for malware and implement "always on SSL."
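One way to check a site for the "always on SSL" setup recommended above, as an added example that is not part of the original article. It assumes "always on SSL" means HTTPS on every page, checked here as an HTTP-to-HTTPS redirect, an HSTS header and Secure cookies; the function names, the 180-day threshold and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

MIN_HSTS_MAX_AGE = 15552000  # 180 days; assumed threshold, not from the article

def first_header(headers, name):
    """Return the first value of a header (case-insensitive name), or None."""
    return next((v for k, v in headers if k.lower() == name), None)

def parse_hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        arg = arg.strip().strip('"')
        if name.strip().lower() == "max-age" and arg.isdigit():
            return int(arg)
    return None

def audit_always_on_ssl(http_resp, https_resp):
    """Each response is (status, [(header_name, header_value), ...]).
    http_resp answers a plain-HTTP request, https_resp the HTTPS one.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    status, headers = http_resp
    location = first_header(headers, "location") or ""
    if status not in (301, 302, 307, 308) or urlsplit(location).scheme != "https":
        findings.append("plain HTTP is not redirected to HTTPS")
    _, headers = https_resp
    hsts = first_header(headers, "strict-transport-security")
    max_age = parse_hsts_max_age(hsts) if hsts else None
    if max_age is None:
        findings.append("HTTPS response lacks a valid HSTS header")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append("HSTS max-age is shorter than %d seconds" % MIN_HSTS_MAX_AGE)
    for k, v in headers:
        attrs = [a.strip().lower() for a in v.split(";")[1:]]
        if k.lower() == "set-cookie" and "secure" not in attrs:
            cookie = v.split("=", 1)[0].strip()
            findings.append("cookie %r is set without the Secure attribute" % cookie)
    return findings

# Constructed sample responses (not captured from any real site).
WEAK_HTTP = (200, [("Content-Type", "text/html")])
WEAK_HTTPS = (200, [("Set-Cookie", "session=abc123; Path=/; HttpOnly")])
GOOD_HTTP = (301, [("Location", "https://shop.example/")])
GOOD_HTTPS = (200, [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    for finding in audit_always_on_ssl(WEAK_HTTP, WEAK_HTTPS):
        print("FAIL:", finding)
```
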

Use Encryption

Scrambling data in a way that can only be unscrambled with the correct key prevents anything intercepted from being readable or useful. Use this technique to secure any information traveling from one computer to another through email, an external device, etc.

Always Update, Always Patch

As software vendors recognize vulnerabilities in their products, updates and patches are developed and distributed. This is probably the easiest security measure you can take: simply turn on automatic updates.

Use Effective Passwords

Weak passwords are an easy way for someone to access your company's restricted data. Passwords should be at least eight characters long and include a mix of upper and lower case letters, at least one number and a special character. You can also use a string of three words together, such as 3w0rdSmushedTo{gether.

It's vital to use different passwords for each account and to change them every few months. Otherwise, a hacker only needs to crack one to access everything. A good password manager program can keep this from being overwhelming.

Implement A Social Media Policy

Most of your employees use Facebook, and any information shared on social media, even if "private," can be found and distributed. That includes any confidential or proprietary information from or about your business.

Create a social media policy that clearly states what can and cannot be shared about the business via social media and outlines the consequences for failing to abide by the rules.


Defense-in-depth is a strategy that employs overlapping security controls and monitoring systems. The purpose is to identify and reduce vulnerabilities, as well as log activities for later review. Tools used in this type of strategy include antivirus and anti-spam applications, firewalls, privacy controls and activity monitoring systems.

The best defense-in-depth tactics depend on a variety of factors that differ from business to business. An IT security professional can help customize the right strategy for your business.

Secure All Devices

Any device used on the company network, including personal devices and those of vendors with remote access, should follow all of the company's security protocols before being granted access to the network.

Removable media such as flash drives can introduce malware, so set up all devices to automatically scan for viruses and use data loss prevention (DLP) software to restrict the copying of confidential data onto unencrypted media.

Back Up

No matter what precautions are in place, a data breach is still possible. Your business may be the victim of a malicious computer virus that shuts down your operation or a ransomware virus, which scrambles your data and then demands money in return for the encryption key. The best way to recover from something like this is restoring from a backup. Consult an IT professional to determine the best way to back up all the devices used for your business and check regularly to be sure the system is operating properly.

There are thousands of criminals interested in gathering your important electronic data via a variety of means that can be deployed through email, websites, web browsers, social media, clickable ads, external devices such as flash drives, physical theft and more. No business is safe.

The idea is to recognize vulnerabilities that would allow hackers in to compromise your company and clients. Once these weaknesses are identified, you should work with an IT professional to reduce risk as much as possible while still supporting a functional system.