As the number of data breaches increases, small businesses must evaluate the strength of their data security measures. Most companies understand they’re vulnerable to cyberattacks and are investing in data safety with a balance of strategy, staff vigilance, and technical best practices. Small business cybersecurity is especially important with employees working remotely due to COVID-19.
New data breaches surged by 424% last year, fueled by hackers targeting more small businesses. This trend is forcing many companies and institutions to reexamine their approach to data security.
Consider the College of DuPage, which reported on March 16, 2020, that the personal and tax data of 1,755 employees, including W-2 tax forms, was exposed.
The college set up identity protection and credit monitoring following the breach, but the fraudulent use of employee data can’t be prevented now that it’s been exposed. The ensuing loss of reputation and revenue could be crippling for small businesses, and this grim scenario is increasingly familiar to businesses.
“It begins with small businesses believing — erroneously — that it cannot happen to them. Although a hacker might not single out a small business, businesses can certainly become victims of hacks and other cyber-criminality,” said Charles Lee Mudd Jr., founder and principal of Mudd Law Firm, a firm specializing in Internet, startup, intellectual property, privacy, defamation, space, and entertainment law.
The Manifest surveyed 383 small business owners and managers who use a mobile app and/or website to connect with customers. We wanted to understand small businesses’ experience with and plans for data safety — the process of protecting information from unauthorized access.
Our research shows that small businesses use a range of data security measures to protect their data, including limiting employee access and encryption, and are considering investing in more cybersecurity resources in the future. Cybersecurity has become only more important in 2020 due to dramatic increases in remote work and online business.
- Most small businesses (64%) say they are likely to devote more resources to cybersecurity in 2020.
- The most popular small business cybersecurity measures include limiting employee access to user data (46%), data encryption (44%), requiring strong user passwords (34%), and training employees on data safety and best practices (34%).
- Most small businesses (57%) faced no cybersecurity challenges in 2019. However, 15% faced either a hack, virus, or data leak.
- Approximately 1 in 5 businesses admit they need to devote more resources to cybersecurity (23%) and could improve the security of customer data storage (20%).
- The data companies most commonly collect is contact information (61%), customer name (52%), customer location (39%), physical address of customer (36%), and payment details (31%).
Small Businesses Are Prioritizing Users’ Data Safety
Businesses are increasingly aware that data safety is essential to success and longevity.
The majority of companies (64%) say they are likely to devote more time, money, and resources to data security in 2020. Only 7% said they were unlikely to invest more in data safety in 2020.
As of March 2020, more employees are working remotely due to the COVID-19 pandemic. Given this trend, data safety is more critical than ever.
Yet, maintaining data safety while working remotely can be challenging.
“When employees move away from office systems that are maintained by at least an outsourced IT administrator, [companies] become vulnerable to online threats,” said Naomi Hodges, cybersecurity advisor at privacy protection company Surfshark.
Remote work environments typically lack the security safeguards present in an office, including:
- Secure Wi-Fi networks
- Endpoint protection
- Secure work devices
- Encrypted drives
- Anti-virus software
Remote-work employees are also more likely to neglect antivirus updates, open malicious emails, and expose confidential data to third parties via unsecured communications, Hodges said.
“If the devices employees use for business-related tasks are not protected — or are connected to unsecured Wi-Fi networks — the data handled by the company is at risk,” Hodges said.
Employees should use a virtual private network (VPN) to connect to the internet when working remotely.
VPNs use end-to-end encryption, or data scrambling, to create a secure private network that protects all data and online communications from remote locations.
Employees should activate the VPN whenever they access work data or services.
This helps protect against man-in-the-middle (MitM) attacks, in which hackers use malware to intercept data sent via unsecured Wi-Fi.
For businesses without an existing IT department, though, it can be costly and time-intensive to integrate a business VPN for the whole company.
By contrast, cloud VPN services are a flexible, affordable way for small businesses to promote data safety for individuals who are working remotely.
VPNs can ensure data safety for individual employees working remotely and their companies.
Most Popular Data Safety Measures for Small Businesses Are Limiting Access, Encryption
Small businesses use a variety of cybersecurity best practices to protect data, most of which are easy and inexpensive to implement.
The most common security tactics include:
- Limiting employee access to user data (46%)
- Data encryption (44%)
- Requiring users to create strong passwords (34%)
- Training employees on data safety and best practices (34%)
Our research shows that businesses favor security measures that are easy and inexpensive to implement.
Limiting Employee Access to Data Reduces Likelihood of Cybersecurity Incidents
Nearly half of small businesses (46%) restrict employee access to data.
Employees may expose sensitive data accidentally if they are careless or intentionally if they are angry. Limiting access reduces the channels through which sensitive information can potentially be breached.
Restricting access to authorized users requires companies to segment sensitive data. Each authorized job role should have a unique password that corresponds to each set of sensitive information.
Creating separate user permissions is a quick task for IT staff, but it’s vital to mitigating cybersecurity risks.
Encryption Protects Data Even If It Is Exposed
Almost half of businesses (44%) encrypt data such as employee records, customer information, and financial data.
Encryption is the process of scrambling data so that it is unrecognizable to users without a key code.
If an employee’s device is lost or stolen or its data is intercepted, encryption prevents parties without a key code from accessing the data within.
Encryption software is free on both Mac and Windows operating systems and can also be purchased from a third party.
Be sure to back up all data before it’s encrypted. If an encrypted disk crashes, all data within can be lost.
Creating and Maintaining Strong Passwords Is the Easiest Cybersecurity Measure to Implement
More than a third (34%) of small businesses use password safety to secure data.
Keeping passwords strong and varied is an inexpensive and effective way to safeguard data. A strong password includes:
- Lowercase letters
- Capitalized letters
- Special characters (symbols)
According to Verizon, 63% of data breaches in 2019 exploited weak, default-set, or stolen passwords.
Staff should check their login credentials for resilience and change their passwords if they are too simple.
Security tools such as password managers help employees set strong passwords and remind them to change passwords periodically for maximum protection.
Password managers both generate and store passwords for employees, which promotes strong data safety without frustration.
Training Employees on Data Safety Best Practices Sets Businesses Up for Long-Term Success
Uneducated employees can unknowingly compromise a company’s data safety.
Luckily, more than one-third of small businesses (34%) train employees on data safety best practices.
Proper training is key, as human error and carelessness from staff contributed to 46% of all business cybersecurity issues in 2019.
“The top cybersecurity threat to small businesses is an insider threat because employees let cybercriminals in,” said Cyrus Walker, principal at Data Defenders, a cybersecurity services provider.
Phishing and viruses are the main ways employees compromise small business security, according to a survey by Nationwide Insurance.
Cyber attacks on small businesses are most commonly viruses (44%) and phishing attacks (30%) that arrive via email.
Source: Nationwide, “Most Small Businesses Unprepared for Cybercriminals”
Phishing is a fraudulent attempt to obtain sensitive information such as passwords, usernames, or credit cards.
If someone clicks a malicious link, the cybercriminal can control computers, record employee keystrokes, and access sensitive company and customer information.
By educating and encouraging staff to participate in cybersecurity training, leadership can reduce their company’s risk of attack.
Two-Factor Authentication Adds an Extra Layer of Security
Fewer than one-third of businesses (29%) use two-factor authentication to enhance password security.
Two-factor authentication is software that sends users a text message with a one-time code to log in to a website or database. Users must enter both their password and the one-time code to log in.
Two-factor authentication adds an extra layer of security to passwords that would otherwise be compromised easily.
Google Authenticator is a free two-factor service that most password manager software includes.
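The one-time codes shown by authenticator apps such as Google Authenticator are time-based one-time passwords (RFC 6238), computed on the device rather than sent by text message. The following is an added example, not part of the original article, of how a server computes and checks such a code. The function names, the 30-second step, the one-step clock-drift window and the replay check are assumptions of this example, and the key is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

# Constructed sample: the published RFC 6238 test key (never use it in production).
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(key: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the epoch."""
    return hotp(key, int(now) // step, digits)


def verify_login(key, submitted, now, last_used_step=-1,
                 step=30, window=1, digits=6):
    """Return the matching time step, or None if the code must be rejected.

    window allows for clock drift between phone and server; last_used_step
    (stored per user by the caller) blocks replay of a code already accepted.
    """
    if len(submitted) != digits or not (submitted.isascii() and submitted.isdigit()):
        return None
    current = int(now) // step
    matched = None
    for candidate in range(max(0, current - window), current + window + 1):
        # Constant-time comparison; every candidate is checked so timing
        # does not reveal which step matched.
        same = hmac.compare_digest(hotp(key, candidate, digits), submitted)
        if same and candidate > last_used_step:
            matched = candidate
    return matched


if __name__ == "__main__":
    code = totp(RFC_TEST_KEY, now=59)
    print("code at t=59:", code)
    print("accepted at t=75:", verify_login(RFC_TEST_KEY, code, now=75))
    print("replayed:", verify_login(RFC_TEST_KEY, code, now=75, last_used_step=1))
    print("expired at t=200:", verify_login(RFC_TEST_KEY, code, now=200))
```

After a successful login the caller stores the returned step as that user's `last_used_step`, so the same code cannot be accepted twice.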
Dedicated Servers Prevent Hacks but Are Expensive
More than a quarter (28%) of small businesses use dedicated servers to make it harder to hack their data.
Dedicated servers, or servers used exclusively by one business, are less vulnerable to viruses because they don’t communicate with other servers.
Dedicated servers are also better able to defend against distributed denial of service (DDoS) attacks that overload a server with requests until the target business’s website or network system shuts down.
Though relatively ironclad, dedicated servers are expensive because companies must purchase the hardware and employ IT staff to maintain them. This is also the only data security measure that cannot be implemented remotely.
Proactive Data Security Measures May Be the New Norm for Small Businesses
As data breaches become increasingly common and costly, practicing proactive data safety should be the new normal for small businesses.
Nearly 60% of small businesses (57%) didn’t experience a data security challenge in 2019; yet, most say they are likely to devote more resources to keeping user data safe.
These businesses may realize that even if they didn’t experience an incident, they must protect their data proactively. The consequences of even one data security incident can be severe.
On the other hand, 15% of small businesses encountered issues with hacking, viruses, or data leaks in 2019.
A cyberattack can ruin a business, and proactive data safety is a low-cost way to mitigate those losses.
Companies can reduce the cost of a data breach by nearly 47% if they implement data safety measures alongside a dedicated incident response team, according to research sponsored by IBM Security and conducted by Ponemon Institute, an independent research group.
Types of Data Security Measures for Small Businesses
Here are some techniques to include in your cybersecurity plan:
- Set employee data access guidelines
- Audit services and settings for data safety
- Install software updates regularly
- Establish an exit protocol for churned employees
- Develop password protocols with password managers
- Back up data periodically
- Implement antivirus software
Only One-Third of Small Businesses Collect Location, Credit Card Data Online
Most small businesses don’t collect payment and location information about their customers.
Nearly two-thirds (61%) of businesses collect customers' contact information, and more than half (52%) collect their names. Meanwhile, around one-third collect their location information (39%) and payment details (31%).
Businesses realize and avoid the risks associated with being responsible for sensitive customer information. Two-thirds of small businesses (66%) are concerned or extremely concerned about compromising customer data.
Source: Hiscox, “2018 Small Business Cyber Risk Report”
The research suggests that companies prefer to retain only enough customer data to support their marketing.
Meanwhile, businesses that collect and keep sensitive data on hand make consumers nervous.
According to Marketing Dive, 71% of consumers worry about how businesses collect and use their personal data.
Companies should request sensitive customer data transparently and as needed.
Let customers know how your company is protecting their data. Be brief and direct when you present this information instead of using a lengthy privacy statement.
The greater your efforts to protect customer information, the greater the level of comfort among customers. Your vigilance, if adequately communicated, can then benefit your bottom line.
Small Businesses Recognize Importance of Practicing Data Safety
Even though nearly 60% of small businesses did not face cybersecurity threats in 2019, there is a growing awareness that poor data safety makes companies easy targets for cyberattacks.
Small businesses are devoting more resources to data safety in 2020, including limiting employee access to user data, encrypting data, requiring strong user passwords, and training employees on data safety and best practices.
These measures are especially important with employees working remotely due to COVID-19.
Enforcing data safety will require greater vigilance and technical best practices from small businesses going forward.
About the Survey
The Manifest surveyed 383 small business owners and managers who use a mobile app and/or website to connect with customers.
More than half of respondents (60%) are female; 40% are male.
Nearly one-fifth of respondents (16%) are ages 18-34; 42% are ages 35-54, and 43% are ages 55 and older.