Data Security Guidelines for Small Businesses

Kamala Harris, California’s Attorney General, recently issued a set of recommendations called “Cybersecurity in the Golden State, which provides guidance for small to medium-sized business for preventing and responding to cyber attacks and security breaches.  Small businesses often lack the resources of a corporation with a large IT department, and often find themselves targeted by cybercriminals. According to the Attorney General’s office, 50 percent of all cyber attacks in 2012 were aimed at businesses with fewer than 2,500 employees, and 31 percent were aimed at those with fewer than 250 employees.

Noting that cybercrime is largely opportunistic, the Attorney General encouraged all California businesses to take the following steps:

  1. Assume You’re a Target:  Any company, whether big or small, can be the victim of cybercrime, so assume you are a potential target and take basic precautions to protect yourself and your company.
  1. Lead by Example:  Cybersecurity is not simply the domain of the “IT person”; executive management has to get involved. Small business owners should dedicate the time and resources necessary to ensure the safety and security of their information assets.
  1. Map Your Data:  To protect your data effectively, you first need to know the types of data you have and the location of that data. Next, comprehensively review the data you have stored on your IT systems, both on-site and off, and with third parties (include backup storage and cloud computing solutions in your data mapping project). Once you know what data you have and where it is, get rid of what you don’t really need.
  1. Encrypt Your Data:  Encrypt the data you need to keep. Machines that handle sensitive information, such as payroll or point of sale (POS) functions, ideally should be on networks or systems that are separate from machines involved with routine services like updating Facebook and checking email.
  1. Bank Securely:  It is essential that small business owners put security first when they engage in online banking. This means that online banking should be performed using only a secure browser connection, and you should erase your web browser cache, temporary Internet files, cookies, and history afterward, so that if your system is compromised, that information will not be accessible by cybercriminals. In addition, take advantage of the security options offered by your financial institution, and set limits on the amounts that can be wired from your accounts.
  1. Defend Yourself:  Guard against single points of failure in any specific technology or protection method. This should include the deployment of regularly updated firewalls, antivirus software, and other Internet security solutions that span all digital devices, from desktop computers to smartphones to tablets. Useful capabilities include the ability to remotely locate or wipe a device that’s gone missing and the ability to identify and block never-seen-before attacks using technologies that analyze behavior and/or employ virtualization tools.
  1. Educate Employees:  Raise employees’ awareness about the risks of cyber threats, mechanisms for mitigating the risk, and the value of your business’s intellectual property and data. Your employees are the first line of defense, and good security training and procedures can reduce the risk of accidental data loss and other insider risks.
  1. Be Password Wise:  Change any default usernames or passwords for computers, printers, routers, smartphones, or other devices. Use strong passwords, and don’t let your Internet browser remember your passwords.
  1. Operate Securely:  Keep your systems secure by using layered security defenses and keeping all operating systems and software up to date. Don’t install software you did not specifically seek out, and don’t download software from untrusted or unknown sources. Also remember to remove or uninstall software you are no longer using.
  1. Plan for the Worst:  Every small business should put together a disaster recovery plan so that when a cyber incident happens, your resources are used wisely and efficiently. Pick an incident response team and assign a leader. Make sure the team includes a member of executive management. Outline the basic steps of your incident response plan by establishing checklists and clear action items.

The Attorney General’s recommendations also describe the four categories of cyber threats – social engineering scams, network breaches, physical breaches, and mobile breaches – and detailed guidance for responding to cybersecurity incidents.  Although directed to California businesses, all small companies would be well advised to review and follow these guidelines.



Author: Seth Heyman
Seth D. Heyman is a California attorney with extensive experience in advertising and marketing law, corporate law, contracts, governmental regulations, international business, and Internet law. He has counseled numerous successful companies, both public and private, and was responsible for regulatory compliance, contract management, corporate governance, and HR best practices for multiple organizations in many diverse industries, including marketing, telecommunications, energy, and technology development. He offers insight and guidance on federal and state direct mail, TV, radio, telemarketing, and Internet marketing laws, as well as online promotions, Internet privacy, data protection regulations, and similar matters.
Skip to content