How to Protect Your Business From a Data Breach
Cyber insurance may help with loss recovery, but how do small businesses prevent damage from happening in the first place? Read this article to find out.
We previously discussed The Benefits of Getting Cyber Insurance for Your Business. However, insurance is only a strategy for recovery. This article continues the discussion by identifying how you can prevent and limit the extent of data breaches to avoid losses altogether.
Our previous article, 4 Ways To Protect Your Online Business From Phishing, has covered this issue in detail. We’ll consider how the limitations of cyber security in small businesses and focus on the essential eight mitigation strategies.
Current Context of Cyber Security
The ASBFEO states that:
- 87% of small businesses believe that their business is safe from cyber attacks because of antivirus software alone; and
- 33% of businesses with fewer than 100 employees don’t take proactive measures against cyber security breaches.
Small businesses typically don’t have effective security measures because they lack awareness and, especially, they lack the necessary finance or time. This creates a dangerous cycle: small businesses don’t have the resources to protect themselves, which makes them common targets for cyber crime.
However, baseline cyber security measures can prevent the overwhelming majority of data breaches and be relatively inexpensive in the long-term. As a result, it’s useful to consider such measures. Here’s how you can implement them.
How to Protect Your Business
According to the ACSC, the eight mitigation strategies that are so effective they form the baseline for cyber security are:
1. Application Whitelisting (High Upfront Cost, Medium Maintenance Cost)
This involves preventing unapproved programs from running.
A basic way to do this is to blacklist directories that commonly house malware, such as the AppData and TEMP directories.
2. Patch Applications (High Cost)
You should make sure any applications you use are up to date.
Depending on how many applications you use, this task can become increasingly complex and costly. Though, in combination with strategy four, the cost can be reduced.
3. Configure Microsoft Office Macro Settings (Medium Cost)
All this measure requires is blocking macros from the Internet that have not been vetted.
Macros automate tasks in Microsoft applications, but they can be modified to install malware. An example of how they can infiltrate a business is by emailing a fake Microsoft Word job application which runs a malicious macro if your settings are enabled.
4. User Application Hardening (Medium Cost)
This measure has two components:
- Set Internet browsers to block Flash, advertisements and untrusted Java code; and
- Disable unessential applications, such as PDF viewers, which are commonly used to spread malware.
Note: The above four strategies would protect you from over 85% of cyber attack techniques. They are the methods of data breach prevention, whereas the following are to limit the extent of a breach.
5. Restrict Administrative Privileges (High Upfront Cost, Medium Maintenance Cost)
Only privileged users should have access to sensitive data. If an account without any administrative privilege is infected, this measure gives you time to detect the malware before it causes damage.
6. Patch Operating Systems (Medium Cost)
Similarly to the second essential strategy, high-risk computers need to be patched as soon as a vulnerability is discovered.
The phishing attack that forced 22% of Australian small businesses to close exploited a vulnerability in the Microsoft Windows operating system. Updating your software can prevent similar attacks.
7. Multi-Factor Authentication (High Upfront Cost, Medium Maintenance Cost)
Any time important information is accessed, multi-factor authentication verifies the user’s identity. The added security prevents unauthorised access.
8. Daily Backups (High Cost)
This measure is the most expensive of the essentials but it’s the only one that helps you recover following a data breach or an accident. Otherwise, you could lose any important information you’ve worked hard to acquire.
In Other Words
The principles embody measures you’d take to protect confidential files. For example, you might:
- store files in a secure location that only specific people have access to;
- use a passcode or key to enter a building; or
- make copies of the files.
The care we take with confidential documents should translate to our sensitive data as well.
The eight essential strategies provide a baseline that can protect your business from most forms of data breaches. Awareness of cyber crime trends enhances protection even further. For instance, you should be aware of how IoT devices, network capabilities and the security of third-party providers can create vulnerabilities.
Ultimately, data breaches are preventable. But small businesses shouldn’t bear the burden of preventing crimes that affect all of us. We need to implement change. Otherwise, cyber crime will continue to cause irreparable damage to those who are helpless to stop it.
Unsure where to start? Contact a LawPath consultant on 1800 529 728 to learn more about customising legal documents and obtaining a fixed-fee quote from Australia’s largest legal marketplace.
Shaheen is a Legal Tech Intern at Lawpath as part of the Content Team. He is in his final year of a Bachelor of Laws with the degree of Bachelor of Information Technology (Major in Information Systems and Business Analysis) at Macquarie University. He is interested in IT Law and Access to Justice.