

Small businesses spend a lot of time working on growth, but Bianca Lopes says it's just as important to know how to avoid shrinkage because of lax security.

"Businesses really need to have a basic knowledge of where their data is held," says Ms. Lopes, director of strategy for BioConnect, a Toronto-based company that develops identification software for banks and other corporate clients.

For any business, security can mean more than simply protecting data. It can be everything from making sure people don't shoplift chocolate bars and gum from the counters to being sure that employees and suppliers aren't secretly putting the cash flow into online poker.


Today, though, cybersecurity is the biggest imperative. A 2014 global survey by the U.S.-based Ponemon Institute, which conducts independent research on privacy, data protection and information security, found that 55 per cent of small businesses and professionals said they had suffered at least one data breach in the previous year and 53 per cent reported multiple breaches.

Ponemon's 2016 research in Canada looked at 24 companies and found that the average per capita cost of a data breach was $278, up from $250 the previous year, and the average total cost to businesses (large as well as small) was more than $6 million, up 13 per cent from 2015.

While Ms. Lopes' company is busy in Canada and overseas outfitting companies with biometric ID software, she says all businesses can start with basic security steps. Here are a few from her and others:

Know what data you're actually holding

"What's being stored? Where is it being stored? Who has access to it? With more and more people bringing in their own devices and working on mobile devices it's important to know where everything is," Ms. Lopes says.

Train your employees

Staff and managers alike who handle company or customer data should know the rules and boundaries about opening and sharing files. If you don't have a policy for gathering, handling and keeping information, get one.


Better passwords

Getting into a business database by typing in a weak password is as easy as 123456 ... or any other poorly kept secret signal. "Password" is a terrible password and with "welcome" you might as well be welcoming in any old crook to your system. While not every business can afford to upgrade to a biometric fingerprint or iris scan ID, there's no reason you can't have slightly better passwords, Ms. Lopes says. You should change them regularly, too.

Improve general office security

Even when good security policies are in place, it's easy to get sloppy. Don't. "I have actually worked with banks – I won't say which – where the IT team was sharing passwords. We locked them out until they stopped sharing," Ms. Lopes says.

Do a data inventory

You should know as accurately as possible which employees have particular access to data about your company and customers. This is not to be snoopy; it's a matter of keeping track so that if you are hacked you can find out where the hack occurred and how much information was compromised. A breach might not necessarily be an employee's fault, just as it's not necessarily the employee's fault if his or her company car is stolen. In both cases, though, it's important to know where the crime occurred and what happened.


Trust but verify

It's great that data can be stored on the cloud, but businesses should know what security their cloud provider offers, how much of the data can be accessed from the cloud by the public and what can only be accessed with permission. It's simply a matter of a little due diligence about whom you're trusting to handle your data.

Pay attention to your physical space

In your workplace, who gets keys to restricted areas? Who gets proxy cards to access data that others don't get to see? Workplaces where physical security is absolutely critical, such as airports or hospitals, keep close track of who is allowed in the work area and who is not. It's something a lot of small businesses can think about, too.

Understand your security policies and have backup

If your IT specialist gets hit by a bus, do you know how to fill in right away? You can't afford downtime looking for information that should be at your fingertips.

Review and upgrade

Hackers get more sophisticated every day and your protection should be up to date, too. Make sure you have adequate virus protection and that your system can be consistently improved to meet the latest threats.

Don't be paralyzed

Just as it's easy to be dazzled by technology, it's easy to be frightened by all the security measures you might need. But whether it's cybersecurity or physical security, most of the measures start with common sense.
