An eye clinic, a payroll processor and a yacht club—all these small businesses appear alongside Sony Pictures on a list of 2014 data breaches reported to California’s attorney general. While the movie giant’s hack got headlines around the world, smaller breaches quietly take place much more often: A 2013 Ponemon Institute survey found that 55 percent of small and medium-sized firms admitted being breached, most of them multiple times.
The data lost in these breaches is similar—credit card numbers, customer data and other sensitive business information—but the financial impact can be even more devastating for small firms. And, unlike big corporations with multimillion-dollar cybersecurity budgets, data safety is often an afterthought at smaller businesses. A 2014 Trustwave survey of mostly small and medium-sized firms found that one in eight had no process for keeping software security patches up to date, and one-third hadn't formally identified where their sensitive information was kept.
Taken as a whole, the continuing string of data breaches at companies large and small raises the question of whether some information is simply too sensitive to ever entrust to a computer. If the likes of Sony Pictures, Target and Home Depot can’t keep their digital data safe, can anyone? Not really, according to Robert Siciliano, a personal security and identity theft expert and consultant. “Nothing is completely secure on a computer,” Siciliano says.
Indeed, as the infamous WikiLeaks episode illustrated, even the U.S. government isn't invulnerable to embarrassing digital disclosures. And any organization anywhere risks breaches, according to Siciliano. As he says, “The reality of it is, there’s no such thing as 100 percent security.”
Taking Steps to Secure Your Business
So what's a small-business owner to do? It's best to assume that no digital information can be kept private at all, according to Philip Lieberman, president of Los Angeles-based security company Lieberman Software. That means any email or file on a computer or smartphone should be treated as if it might become public. “If you’re being realistic," Lieberman says, "you shouldn't have an expectation of privacy.”
With that in mind, Lieberman notes, there are, indeed, certain things that shouldn't be on a computer. Those obviously include records relating to illegal, ethically questionable or simply embarrassing activities, he says. But they may also include authentication data that provides access to financial accounts. To initiate bank transactions, he recommends using physical tokens that generate single-use passwords instead of virtual identification tools, such as usernames and passwords.
Of course, the problem with not keeping information on a computer is that it's prohibitively inconvenient for many purposes, Siciliano notes. To address this, IT professionals have developed techniques for making digital data much safer. For instance, Siciliano notes, security firms such as McAfee, which Siciliano has worked for, use “sandboxing,” which involves isolating computers by not connecting them to the Internet in order to safely test computer viruses that could cause widespread damage if they were released onto the Internet.
Lieberman says companies can also use the “air gap” technique to isolate a computer from the Internet or, perhaps, from any network or other company computers. This means the device isn't physically connected by networking cables to other devices. “There’s literally air between the computers,” Lieberman explains. To get information onto or out of an air-gapped computer, a human has to physically insert a USB flash drive, a CD or some other data storage device. In a variation, Siciliano says, some computers, notably in call centers, are connected to networks but are isolated from physical access by gluing shut or otherwise disabling USB ports, CD drives and other input-output channels.
Air gaps are used extensively by the military and financial services, Lieberman says, but smaller businesses should use them as well to protect their data backups. Hard drives, CDs, tapes or other media containing backups should be physically isolated from networks to ensure that, even if a network is breached, backups will be safe, he says.
Another move smaller businesses can make to greatly improve security is to use cloud-based applications and data storage. Large cloud-based computing providers have rigorous, state-of-the-art security procedures, including air-gapped backups, Lieberman notes. Cloud providers test security constantly, including checking backups to make sure they're usable. “They’re much better at cybersecurity than most small businesses or even large corporations,” Lieberman says.
Even the best security can be overcome, however. The WikiLeaks leaker jumped an air gap by recording data on CDs that were smuggled out of a secure building. Keeping materials on paper doesn’t guarantee safety either. In a low-tech 2014 data breach of a Little Caesar's pizza shop, nearly 100 paper employment applications that included confidential data about applicants, such as Social Security numbers and birth dates, were found discarded in a trash can behind the Salem, Oregon, shop.
Even if some information probably shouldn't be on any computer, smartphone or tablet, sent in an email or posted on social media, most businesses can adequately protect the majority of their information. Keeping antivirus and firewall software up to date and properly configured, and making sure backups are current and usable, are adequate in most cases, security experts say. For higher-risk applications, such as bank accounts and securing backups, physical tokens and air gaps may be appropriate and enough to keep your information secure.
“People shouldn't be paranoid and not use the Internet,” Lieberman says. “They should use their computers. It may appear to be an impossible or a no-win situation, but with just a few things like tokens, they can secure their transactions. Data should be backed up regularly, and really sensitive data should be kept on external storage that's normally disconnected from the computer and only connected when needed.”
A few smart steps can help any business owner protect their most sensitive information from those trying to steal it.