Small businesses spend a lot of time working on growth, but Bianca Lopes says it's just as important to know how to avoid shrinkage because of lax security.
"Businesses really need to have a basic knowledge of where their data is held," says Ms. Lopes, director of strategy for BioConnect, a Toronto-based company that develops identification software for banks and other corporate clients.
For any business, security can mean more than simply protecting data. It can be everything from making sure people don't shoplift chocolate bars and gum from the counters to being sure that employees and suppliers aren't secretly putting the cash flow into online poker.
Today, though, cybersecurity is the biggest imperative. A 2014 global survey by the U.S.-based Ponemon Institute, which conducts independent research on privacy, data protection and information security, found that 55 per cent of small businesses and professionals said they had suffered at least one data breach in the previous year and 53 per cent reported multiple breaches.
Ponemon's 2016 research in Canada looked at 24 companies and found that the average per capita cost of a data breach was $278, up from $250 the previous year, and that the average total cost to businesses (large as well as small) was more than $6 million, up 13 per cent from 2015.
While Ms. Lopes' company is busy in Canada and overseas outfitting companies with biometric ID software, she says all businesses can start with basic security steps. Here are a few from her and others:
Know what data you're actually holding
"What's being stored? Where is it being stored? Who has access to it? With more and more people bringing in their own devices and working on mobile devices, it's important to know where everything is," Ms. Lopes says.
Train your employees
Staff and managers alike who handle company or customer data should know the rules and boundaries about opening and sharing files. If you don't have a policy for gathering, handling and keeping information, get one.
Getting into a business database by typing in a weak password is as easy as 123456 ... or any other poorly kept secret signal. "Password" is a terrible password, and with "welcome" you might as well be welcoming any old crook into your system. While not every business can afford to upgrade to a biometric fingerprint or iris scan ID, there's no reason you can't have slightly better passwords, Ms. Lopes says. You should change them regularly, too.
Improve general office security
Even when good security policies are in place, it's easy to get sloppy. Don't. "I have actually worked with banks – I won't say which – where the IT team was sharing passwords. We locked them out until they stopped sharing," Ms. Lopes says.
Do a data inventory
You should know as accurately as possible which employees have particular access to data about your company and customers. This is not to be snoopy; it's a matter of keeping track so that if you are hacked you can find out where the hack occurred and how much information was compromised. A breach might not necessarily be an employee's fault, just as it's not necessarily the employee's fault if his or her company car is stolen. In both cases, though, it's important to know where the crime occurred and what happened.
Trust but verify
It's great that data can be stored on the cloud, but businesses should know what security their cloud provider offers, how much of the data can be accessed from the cloud by the public and what can only be accessed with permission. It's simply a matter of a little due diligence about whom you're trusting to handle your data.
Pay attention to your physical space
In your workplace, who gets keys to restricted areas? Who gets proxy cards to access data that others don't get to see? Workplaces where physical security is absolutely critical, such as airports or hospitals, keep close track of who is allowed in the work area and who is not. It's something a lot of small businesses can think about, too.
Understand your security policies and have backup
If your IT specialist gets hit by a bus, do you know how to fill in right away? You can't afford downtime looking for information that should be at your fingertips.
Review and upgrade
Hackers get more sophisticated every day and your protection should be up to date, too. Make sure you have adequate virus protection and that your system can be consistently improved to meet the latest threats.
Don't be paralyzed
Just as it's easy to be dazzled by technology, it's easy to be frightened by all the security measures you might need. But whether it's cybersecurity or physical security, most of the measures start with common sense.