A Guide to Protecting Data and Information For Small Businesses

Jessie VanderVeen
Published in Dattaca Labs
Jun 19, 2017

Whenever a customer gives you private information to complete a transaction, an application, or another request, you owe them privacy and protection in return. If the data in your possession is leaked, whether deliberately or inadvertently, you could be held liable. That raises the question: what are you doing to protect your customer data?

Data: Both a right and responsibility

When your customers input billing information, provide their social security number, or give you other personal information, they’re trusting that you will safeguard their confidential information.

Consider how your business treats its own confidential information, for instance when filling out a loan application. You probably think about that data in much the same way your customers think about theirs when they transact with you.

To say that your business needs to be diligent about protecting customer data and information is an understatement. Your business has a serious responsibility to protect it.

Heidi Shey, a security and risk analyst at Forrester Research, believes data protection ought to be viewed as part of every corporate social responsibility (CSR) strategy.

“This is really a topic that matters to customers today,” Shey tells businesses. “The public is way more opinionated about security, privacy, breach response, than they’ve ever been before, with all the news of breaches that they see — and especially when consumers start to experience one, two, maybe more breaches themselves, it becomes much more personal. I don’t think people expect that companies can stop every single determined hacker, or some kind of malicious insider, but they really do expect the companies they do business with to try to make it very, very hard.”

Many companies believe that protecting data is important, but they aren’t prioritizing customer privacy in tangible ways. It may be only a matter of time before reality catches up: for EU companies, and for any company serving customers in the EU, the General Data Protection Regulation (GDPR), which applies from May 2018, will require businesses of all sizes to review their privacy and data controls and take action.

How you can protect customer data, starting today

The challenge of security in a world of advanced criminal cyber tactics is that you cannot fix a few pain points and hope for the best. Your business needs to get serious about the confidentiality and integrity of customer data, and implement a strategy that takes the full range of risks into account.

While the following list is not exhaustive, it covers a number of things you can do to start building a solid foundation, one that sets your business up for success and better protects your customers going forward.

1. Review your point of sale

Many countries, and more recently the U.S., have committed to moving away from magnetic stripe cards and toward EMV chip cards. Chip technology improves the security of point of sale transactions, because a chip cannot be cloned the way the static data on a magnetic stripe can.

As a result of this shift, fraud involving magnetic stripes has actually increased, as criminals try to use stolen card data before the stripe becomes obsolete. Some experts believe this kind of fraud may be at its most common over the next several years, while countries transition from magnetic stripes to chip-and-PIN terminals.

For now, as a business, you need to consider whether your POS setup makes it easier for attackers to tamper with it or to get into your systems through the front end: whether the terminals accept chip cards, whether they are regularly inspected for added skimmers, and whether they sit on their own network segment rather than alongside your office machines.

2. Make sure you’re encrypting data

With so much general discussion about security and encryption, it is easy to tune out. Yet few things in today’s cyber security field are more important than data encryption. For those less familiar with it, encryption transforms information so that it is unreadable to anyone who does not hold the key; the key is what allows the information to be turned back into its original, readable form.

Encryption matters because it lets a business protect data that nobody else should be able to read. It is still best to stop attackers from getting into your systems in the first place, but encryption means that data which does wind up in the wrong hands is useless to whoever holds it, provided the key is kept somewhere other than alongside the data. An attacker who walks off with the encrypted database and the key from the same disk has been slowed down by nothing.

Businesses that regularly review their encryption policies and technology, and that schedule key rotation and the retirement of outdated algorithms, are setting themselves on the right path toward keeping attackers away from their data.
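As an added example, not part of the original article and not Dattaca Labs’ own code: the Go program below shows what “renders your data useless” looks like in practice. It seals a constructed sample customer record with AES-256-GCM, keeps the key separate from the stored envelope, binds the envelope to a record ID, and demonstrates that a wrong key, a swapped record ID, or a single flipped ciphertext byte all fail outright rather than producing readable or plausibly garbled data. The record contents, the record ID, and the function names are the example’s own inventions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what is stored next to a customer record: a per-record random
// nonce and the ciphertext, which carries GCM's 16-byte authentication tag.
// The key is deliberately not part of it; it lives somewhere else.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 256-bit AES key from the OS CSPRNG. In production the
// key would come from a key-management service or an HSM, never from the same
// database, disk or backup that holds the envelopes.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newGCM builds the AEAD and rejects anything but a 32-byte (AES-256) key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key. recordID is bound in as associated data:
// it is not encrypted, but the tag covers it, so an envelope cannot be
// silently moved onto a different customer's row without detection.
func Encrypt(key, recordID, plaintext []byte) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, recordID)
	return Envelope{Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt opens env. It fails on a wrong key, a modified ciphertext, or a
// mismatched recordID, and in every failure case returns no plaintext at all.
func Decrypt(key, recordID []byte, env Envelope) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(env.Nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, recordID)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record for the demonstration; not real customer data.
	id := []byte("cust-00042")
	record := []byte(`{"name":"A. Customer","card_last4":"4242","ssn":"000-00-0000"}`)

	env, err := Encrypt(key, id, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: nonce=%x ct=%x\n", env.Nonce, env.Ciphertext)

	// What an attacker holding only the database (envelope, no key) can do.
	wrongKey, _ := NewKey()
	if _, err := Decrypt(wrongKey, id, env); err != nil {
		fmt.Println("wrong key:", err)
	}

	// Flipping one ciphertext byte is detected, not decrypted into garbage.
	tampered := Envelope{Nonce: env.Nonce, Ciphertext: append([]byte{}, env.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	if _, err := Decrypt(key, id, tampered); err != nil {
		fmt.Println("tampered:", err)
	}

	// Legitimate read: right key, right record binding.
	pt, err := Decrypt(key, id, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted:", string(pt))
}
```

Run it with go run. The key is generated in memory here purely for the demonstration; in a real deployment it would be fetched from a key-management service or hardware module, with only the envelope going into the database and its backups.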

3. Use a dedicated server

One of the most dangerous mistakes small businesses make with security is hosting their data on a shared server. Shared servers are inexpensive and easy to use. But weigh that against the potential consequences of a data breach, and the risk will likely outweigh any long-term benefit.

Running your files on a dedicated server matters. It means you no longer run your programs, websites, and scripts on the same machine as other teams and businesses, so a vulnerability in a neighbouring tenant’s site cannot be used as a stepping stone into yours. It does not remove your own responsibility to patch and harden that server; a dedicated machine that nobody maintains is no safer than a shared one.

4. Review your bring-your-own-device policy

Bring-your-own-device (BYOD) policies, also known as bring-your-own-technology (BYOT) policies, have attracted considerable attention. The most common arguments for them are lower IT costs and higher employee morale, since staff get to use the technology they prefer. Other companies are adamantly against them because of the increased risk. Whatever your business’s current policy, BYOD will likely become the norm rather than the exception.

One of the larger dangers of BYOD is that it increases the likelihood of attackers getting into a business, because every personal device that holds business data is another way in, and one the business does not control. Gartner research indicates that 40% of employees at large U.S. companies use their smartphones and other personally owned devices for work, so a crackdown on what information may be stored on personal devices could require a significant shift.

5. Shred sensitive hard documents

While data security policies and breach planning usually lead businesses to think about electronic data only, it is important to also review traditional ways of reaching confidential customer data, such as paper copies. Local law may require your business to do so. For instance, in the U.S., the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule makes companies that hold customer information for business purposes responsible for properly disposing of it. You cannot simply throw sensitive documents in the trash; you must shred, burn, or otherwise destroy them, and be able to show that you do so as a matter of company policy.

Pulling it all together

It’s worth asking how you would rate your business’s efforts to protect customer data. If you are like many businesses, you consider data security important, but in practice you haven’t quite mastered implementing protective controls and using robust technology to safeguard confidential information.

Protecting your customer data is not an easy task, but in the current cyber landscape it is necessary, and it is doable.

That leaves you with two primary questions as your business moves forward: What are you doing to protect your customers’ data? And: Is it enough?

Dattaca Labs is a living lab initiative that is leading the personal data economy from Iceland. The business works with public institutions, local and multinational companies, and entrepreneurs to develop innovative solutions and services across a wide range of sectors, including health tech, fin tech, telecommunications, and IoT.
