8 Things Small Businesses can do to Prevent a Data Breach

Big companies spend millions of dollars guarding against data breaches—and sometimes they still come up short. 

So how can small businesses prevent data breaches? Can it even be done? Fortunately, the answer is yes—and there are a number of simple, cost-effective things smaller organizations can do to minimize their risk and keep their customers safe.

Several of the insights in this piece came from our conversation data breach expert Troy Hunt, creator of the “Have I Been Pwned” data breach aggregation service. If you’d like to learn even more about data breaches and information security generally, read our full interview with Troy. 

1. 1

   Recognize the risks (and costs)

   Don’t make the mistake of thinking that data breaches only happen to big name companies like Capital One and Marriott. Unfortunately, if you’re a small or medium-sized business, you’re still an attractive target for hackers: Not necessarily because you offer any direct financial incentive to them, but because your customers’ data does. For one thing, hacked personal details be used for things like identity theft. But beyond that, because people reuse passwords so frequently, credentials from a “minor” site are often traded or sold on the dark web as a potential means of attacking other, higher-value accounts. And once they happen, data breaches are expensive—according to an IBM report, the average cost of a breach to organizations with 500-1000 employees came out to around $3,500 per employee!

2. 2

   Enforce Strong Passwords — And Make Compliance Easy

   Many data breaches are the result of employees failing to take the most basic of security measures. Passwords are a great place for small organizations to start when hardening their security. Make sure that all of your employees are using strong, unique passwords for all of the services they use at work. And make it easy for them to follow stringent protocols by getting an enterprise version of a password manager like 1Password.

3. 3

   Emphasize Device Security

   Lost or stolen devices are another common cause of breaches. Securing these devices is important for any organization, especially for those whose employees travel frequently. Make sure all employees are using strong passcodes or biometric locks on phones and tablets. Laptops should be password-protected as well—and should be set up to require a password prompt when powered on or after waking from sleep. Both Android and iOS devices have a “Find My” functionality that can be used to locate, lock, or erase a missing device: Make sure these are set up on every device.

4. 4

   Turn on 2FA

   If a password is somehow compromised, it doesn’t have to be the end of the world. Turning on two-factor authentication adds an extra layer of protection to your employees’ accounts, because they’ll need both a knowledge factor (the password) as well as an ownership factor (their phone) to log in. Without that second factor, the password alone won’t be enough for a malicious actor to access an account. 2FA is available for almost every major service used by businesses—and some even give you a discount for turning it on!

5. 5

   Update Your Software — Or Pay Someone To Do It

   Unpatched software is a huge security risk. Once the vulnerabilities which prompt a patch or update become public knowledge, hackers develop and share ways to exploit those vulnerabilities—and any teenager who knows how to use Google can research exploits for the out-of-date software that a company is running. Regularly updating software should be high on your list of priorities. If your IT staff is stretched too thin to keep on top of it all, be aware that you can outsource this kind of thing: Look into managed options for web hosting, CMS, bulletin boards, and antivirus software.

6. 6

   Train Your Staff

   Unfortunately, unwary employees innocently clicking on the wrong email attachment are a major cause of data breaches and other security incidents. If your staff can’t spot a phishing email—or if they don’t even know what one is—then you’re at risk. Remember that even governments and universities have fallen victim to these kinds of attacks, so there’s no reason to assume that your average marketing manager or salesperson won’t, however capable and intelligent they may be. Even listening to a short podcast or taking a brief quiz—something that takes 20 minutes—can significantly reduce your organization’s risk.

7. 7

   Train Your Developers

   If you employ web or software developers, make sure that they know the fundamentals of secure development. Unfortunately, many developers think of information security as someone else’s job, and thus aren’t as aware as they should be of their own role in creating secure sites and software. But a simple coding error—the kind of thing that should be completely avoidable—can undo all of your other security measures. There are many low-cost online training options available, as well as tools like automated code review to help developers build safe software while honing their secure development skills.

8. 8

   Get Help

   No one can do it all alone—especially when it comes to cybersecurity. If you have questions about cybersecurity issues or infosec best practices, reach out to a trusted source for guidance. Many organizations will be more than happy to help. At SecureMac, for example, we’re always glad to field questions from readers of our blog or listeners of our Checklist podcast, so feel free to drop us a line if there’s something on your mind, whether it has to do with macOS security or a more general topic. We’re here to help!

Several of the insights in this piece came from our conversation data breach expert Troy Hunt, creator of the “Have I Been Pwned” data breach aggregation service. If you’d like to learn even more about data breaches and information security generally, read our full interview with Troy.