Truth 36 Does your small business have a bull’s-eye on it?

Have you ever thought about who holds your confidential information? Obviously, banks and other financial institutions come to mind, but who else? To be honest, I can’t even come close to answering this question, because no one really knows. Hospitals, schools, law firms, insurance companies, accountants, and more keep your confidential information on file. The scary thing is that while banks and health care have strong government-mandated regulations that are designed to protect this information, many organizations have no guidelines at all.

I love my accountant. Recently, I visited her new office, which is located in a residential part of town that is slowly turning commercial. The office itself is a converted home and, while nice, I have to admit as I sat there that I couldn’t help but think about security. In her computer sits my full name, social security number, job history, bank account number, as well as a slew of other random pieces of personal information. Is my data truly safe? I have no clue. I would like to think so, but then I have to assume that she is probably backing up her computer from time to time.

Where are those backup tapes being stored? At the office? At her home? And what about her computer? Does it have all the latest security patches? Is she aware of the types of email attacks that I have spoken about throughout this book? The question that I hate to think about even more is this: Will she even know if there has been a computer breach?

Obviously, if the front door of the building has been kicked in and the computer is gone, that should be a good indication. But what happens if an identity thief is able to hack into my accountant’s computer and simply copy the data? My guess is that she may never have any idea. Why? Because she is an accountant, not an IT security professional. More importantly, she does not have a dedicated staff in place to monitor these types of attacks.

All that said, will I stop using my accountant? Of course not! She is great, and the fact is that her situation is not the exception, but the norm. There are thousands of accountants throughout the United States who are working in small offices—often home offices—where they are not only responsible for their own security, but the confidentiality of personal data for millions of people. In addition, while that insurance salesman who you work with to insure your home may work for a nationally recognized organization, odds are he is working out of his home or a small office. He, too, is responsible for maintaining the confidentiality of your personal information. Again, you are left to wonder just how secure that data really is.

While there have been a large number of published cases involving accounting firms and insurance companies having confidential information stolen, these cases most often revolve around large organizations where the data was stolen from a laptop or directly from someone at a high level. It’s rare that you hear anything about data stolen from a small mom-and-pop type accountant or insurance agent. Since it’s unlikely that small businesses are more secure than the larger organizations, my fear is that these breaches may happen but go undetected or unreported. While most states now require that breaches of confidential information be reported to the people affected, smaller incidents may still slip through the cracks.

If you own a business that maintains confidential information, which might include SSNs, credit card numbers, banking information, or other sensitive information, here are some precautions you should take to help ensure the integrity of your customers’ private data.

• Only ask for data you absolutely need. I still find organizations asking for information such as SSNs when they have absolutely no need for them. In fact, they are often illegally asking for this number.

• Use software that encrypts the data on your computer. Most new software stores all data in a format that cannot be read without a password.

• Make certain that your passwords are at least 10 characters, with mixed numbers and letters, and using at least one unique character, such as %, $, #, @, and so on. You can test the strength of any password at www.microsoft.com/protect/yourself/password/checker.mspx.

• Use encrypted backup software if you make a backup of the data to digital archive tape (DAT). If you are not able to do this, store those backup tapes in a secure place, such as a safe or a safety deposit box at your bank. Taking them home and putting them in the closet is not secure. Treat these tapes like you would treat large amounts of cash.

• Make sure your computer has the latest patches available. Most operating systems allow you to automatically update them online. If you are not certain that your system is set up for this, contact someone who can help you. This is one of the most important security measures you can take.

• Ensure that you have a personal firewall installed on your computer. If you have Windows XP with Service Pack 2, make sure you have enabled the personal firewall that is available to you or that you have installed a third-party firewall. If you don’t have Service Pack 2, get it. It’s free and available on the Microsoft Web site. If you have Microsoft Vista, be certain your personal firewall is activated or that you have installed a third-party firewall.

• Beware of any new files or directories on your computer or copies of files that you did not make. This may be the only indication that you have had a breach. Contact someone who can investigate immediately. The sooner you respond to a potential issue, the greater chance you have of stopping it.

• Let your customers know if you have had a data breach. Doing nothing is often illegal and is putting the identity of every one of your customers at risk.
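
The check for new files, new directories, and copies you did not make can be automated by recording a baseline of a folder and comparing against it later. The Python code below is an added example, not part of the original text; the function names and the sample folder contents are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile

def rel(path, root):
    # Store paths relative to the monitored folder, with "/" on every platform.
    return os.path.relpath(path, root).replace(os.sep, "/")

def snapshot(root):
    """Return (directories, {file: SHA-256}) for everything under root."""
    dirs, files = set(), {}
    for cur, subdirs, names in os.walk(root):
        dirs.update(rel(os.path.join(cur, d), root) for d in subdirs)
        for name in names:
            path = os.path.join(cur, name)
            try:
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
            except OSError:
                digest = None  # unreadable file: still listed, never matched as a copy
            files[rel(path, root)] = digest
    return dirs, files

def compare(baseline, current):
    """List directories, files and duplicate copies that appeared since the baseline."""
    (old_dirs, old_files), (new_dirs, new_files) = baseline, current
    by_hash = {}
    for path, digest in old_files.items():
        if digest is not None:
            by_hash.setdefault(digest, []).append(path)
    added = sorted(set(new_files) - set(old_files))
    # A new file whose content matches a baseline file is a copy of that file.
    copies = {p: sorted(by_hash[new_files[p]]) for p in added if new_files[p] in by_hash}
    return {"new_dirs": sorted(new_dirs - old_dirs), "new_files": added, "copies": copies}

def demo():
    """Constructed sample: a client file is copied into a new folder after the baseline."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "clients.csv"), "w") as fh:
            fh.write("name,account\nJ. Doe,constructed-sample\n")
        baseline = snapshot(root)
        os.mkdir(os.path.join(root, "staging"))
        shutil.copy(os.path.join(root, "clients.csv"),
                    os.path.join(root, "staging", "clients_copy.csv"))
        with open(os.path.join(root, "readme.txt"), "w") as fh:
            fh.write("unrelated new file\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

In practice the baseline would be saved somewhere other than the computer being checked, so that someone who alters the files cannot also alter the record they are compared against.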

No matter how big or small your business, if you maintain confidential information, you have to take responsibility for ensuring it remains confidential.

While the majority of the attacks that happen today are focused on financial institutions, as those larger companies continue to tighten their security, identity thieves will continue to look elsewhere to acquire the data they need to commit their crimes.
