According to The Wall Street Journal, TurboTax has seen an influx of fraudulent tax return claims and account hijacks this year, prompting the company to temporarily suspend e-filing state returns while it sorts out the issue. Some security experts opine that the data breach was partially enabled by missed security opportunities. (For a detailed analysis, see this Krebs on Security article.)
While you may not have the same security concerns as a high-profile online tax prep site, the news does raise the question: are you doing enough to protect your business's sensitive information? Let's review some of the most common missed security opportunities for small businesses.
Small Business Security: 5 Oversights that Lead to Breaches
You can hardly skim through the headlines without seeing at least a footnote about the most recent hack or data breach to befall the nation's leading companies. After a while, the real-world impact of data breaches starts to feel like a product of sensationalism.
But data breaches aren't just the latest fear-mongering tactic to rack up viewership or clicks. The fact remains that breaches are a stark reality for small businesses, and the costs can be staggering. To jog your memory, 44 percent of surveyed small-business owners were victims of a cyber attack in 2013, and the average cost was about $8,699 a pop. (More on that here: "Top 8 Data Breach Misconceptions.") Those that can take that $8k hit are the lucky ones – according to a report by Experian, 60 percent of hacked small businesses close up shop within six months.
All this is to say that data breaches may seem like yesterday's (and tomorrow's) news, but that shouldn't diminish your resolve to make sure they don't happen to you. On that note, here are some common security mistakes that are easy to fix:
- Using weak passwords. Breaking: if you use a password found on SplashData's 2014 Worst Passwords List, it's time for a change. The best passwords may not be the easiest to remember, but they are the hardest to crack. Use complex passwords that are a mix of capitalized letters, symbols, and numbers.
- Ignoring software updates or patches. Software updates and patches usually serve a very good purpose: they aim to fix security holes and improve usability. Make sure your employees install the patches by sending out an email notice with a deadline for the update.
- Keeping security lax on business premises. If all employees have access to all information, you have a problem. After all, the Verizon 2014 Data Breach Investigations Report shows that insider misuse is one of the leading causes of data breaches. Combat the risk by only allowing authorized employees to access sensitive and encrypted information. You may want to designate particular computers to use for accessing certain records.
- Having no security officer. The 2014 Cost of a Data Breach report from the Ponemon Institute found that data breach costs can be cut by about 15 percent when a business has a data security plan and a chief information security officer (CISO). The CISO should oversee the business's data security measures and implement policies for bolstering privacy.
- Having a BYOD workplace without regulation in place. The rise of bring-your-own-device (BYOD) workplaces has coincided with a surge in data breaches. (Read more about that here: "Use Mobile for Business? Your Cyber Liability Is Probably Through the Roof.") Maybe that's because it's difficult to regulate what your employees do with their personal mobile devices. Still, you should implement policies that regulate how employees access work information. Your BYOD policy may stipulate that they use encryption software to transmit business data, use two-factor authentication for work accounts, and only use secure Wi-Fi networks while using devices for business. Training your employees on common security threats can help them avoid clicking malicious links or falling prey to phishing schemes.
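To make the first item concrete, here is an added example (not code from the article or from SplashData) of the kind of password policy check a small business can run when an account is created: it rejects anything on a blocklist of known-bad passwords and anything that misses the length or character-mix rules. It goes slightly beyond the article's advice by also stripping digits and symbols before the blocklist lookup, so trivial variants such as "Password1!" are caught along with "password". The blocklist, the 12-character minimum and the function names are assumptions for this example, not values the article gives.

```python
import string

# Constructed sample blocklist for this example; it stands in for a published
# "worst passwords" list and is NOT SplashData's actual list.
BLOCKLIST = {"123456", "password", "12345678", "qwerty", "abc123",
             "111111", "letmein", "welcome", "admin"}

MIN_LENGTH = 12  # assumed policy value, not taken from the article


def base_form(pw: str) -> str:
    """Lowercase the password and drop digits/symbols so trivial variants
    like 'Password1!' collapse to the blocklisted word 'password'."""
    return "".join(c for c in pw.casefold() if c.isalpha())


def check_password(pw: str, blocklist=BLOCKLIST, min_length=MIN_LENGTH) -> list:
    """Return the list of policy rules the password fails (empty list = accepted)."""
    failures = []
    lowered = {b.casefold() for b in blocklist}
    stripped = base_form(pw)
    # Exact match or a letters-only variant of a blocklisted password
    if pw.casefold() in lowered or (stripped and stripped in lowered):
        failures.append("on blocklist")
    if len(pw) < min_length:
        failures.append("too short")
    if not any(c.isupper() for c in pw):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in pw):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in pw):
        failures.append("no digit")
    if not any(c in string.punctuation for c in pw):
        failures.append("no symbol")
    return failures


if __name__ == "__main__":
    # Constructed candidates: a blocklisted word, a dressed-up variant of it,
    # and one that satisfies every rule.
    for candidate in ("password", "Password1!", "Tr0ub4dor&3xample!"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if not result else ', '.join(result)}")
```

Run as a script it reports why each candidate is rejected; in practice the same function would sit behind the account-creation or password-change form so a weak choice never reaches the directory in the first place.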
Remember, even the most robust security plan won't be enough if your employees don't follow it. So lead by example. Make data security a priority and enforce the rules, or appoint a CISO to do that work for you.