A lack of resources and a false sense of security can make small businesses enticing targets for hackers. Lisa Traina, CPA/CITP, CGMA, president and owner of information technology security firm Traina & Associates in Louisiana, suggests ways for organizations with limited IT budgets to keep their data secure:
Don’t think it can’t happen to you. Breaches at large companies such as Home Depot, Sony, and Target make the headlines, but small companies are at risk, too. While it’s true that larger companies have greater quantities of valuable information for hackers to steal, smaller companies are at risk because fraudsters presume—often correctly—that their controls are not as strong.
Install proper network and workstation controls. An IT specialist needs to make sure the company has a properly configured firewall. Anti-virus software and current patches need to be applied to all hardware and software. Companies also should make sure access to data and systems is limited to individuals for whom access has been approved.
Establish a culture of security. Training is a key element in creating an environment where the importance of data security is appreciated and treated with appropriate seriousness. Employees need to understand the dangers of visiting unsafe websites while at work. They need to know what phishing emails look like, and that one click on a nefarious link can result in a major breach. Many companies block access to certain sites in the name of security.
Use strong passwords. Having one employee use a weak password such as “Password1” can put the whole organization at risk. Systems should encourage or even require passwords that use a combination of numbers and letters and are more difficult for hackers to crack. Employees should not use the same password for all sites and systems, and should be sure to use separate passwords for business and personal systems. Unique, complex passwords are essential.
Monitor vendors. Companies need to ask whether vendors have access to company data and whether data are secure after being accessed or obtained by the vendor. The data breach at Target in late 2013, which compromised the personal information of as many as 70 million people, was connected to a breach of a Target heating, ventilation, and air conditioning vendor. The consequences for small businesses are clear. They should be aware that their vendors can unwittingly provide an entry point into their systems for fraudsters, and they should know that hackers might target them to gain access to their clients’ systems.
Conduct periodic testing. Test systems at least yearly to identify vulnerabilities. Depending on the size and industry, some companies undergo more frequent testing.
Make mobile devices part of the plan. Many smartphone users don’t think of their devices as computers, but they are powerful mini-computers that can hold a treasure trove of valuable data for hackers who can get access to them. Mobile devices should be fitted with anti-virus software and receive patches and updates—just as desktop computers or laptops do.
Get finance involved. CFOs and finance professionals are used to dealing with risk and tend to be technologically savvy. A company’s IT professionals possess the technical proficiency to address the threat of data breaches, but they may be so busy trying to keep the machinery working that they don’t have adequate time or resources to thoroughly consider data security. Finance may have a more complete view of the overall enterprise that can help companies determine their risks.
—By Ken Tysiac, a JofA editorial director.