As an advisor at a privacy software company, I constantly see the damage that a hacker can have on a small business. Peter, a freelance translator, was one of those cautionary tales.
Don’t be Peter
Peter had called me up, saying his computer had frozen and he couldn’t open the files he was working on. A hacker had got into his computer and wiped out his translation and other business files.
Peter had made a backup of those files, but unfortunately the backup copies were stored in unencrypted, plaintext on a hard drive connected to his infected PC. When we checked the connected hard drive, we discovered that all the files on it were corrupted and unusable.
Losing those files wasn’t Peter’s only problem. He had kept his Internet banking login details in an unencrypted Excel file on his PC, which allowed the hacker to transfer $1700 dollars from Peter’s bank account to a scam account. This had all happened within minutes after the attack.
Peter was never able recover his lost data, nor the money. Because of the lost data, he had to redo work and ask for extensions from clients. It took him a few weeks before he was able to get his business back on track.
The good news for Peter is that the hacker was only interested in his money and damaging his files, but did not compromise his customer database. If he had, the damage to Peter’s business could have been much worse. He could have found himself fighting legal battles and struggling to win back the trust of his customers.
One of the big lessons from Peter’s story is that if you run a small business, hackers are out to get you. But there are things you can do to avoid the trouble Peter and other small business owners have faced from being hacked. In this post, I’ll run through five key data security issues tips that will help protect your business.
It’s the law
First, you should know that as a small business owner you are legally bound to protect your customers’ confidential details, and that compliance with governmental regulations requires a secure data management system. Even if much of your business data is stored and handled by secure cloud services, as long as sensitive data regularly travels between your devices and the cloud, it’s your responsibility to safeguard it on your end.
The good news is that setting up, or updating your data security system won’t cost you a fortune, neither do you need to be an expert to do it.
Encrypting your own and your customers’ sensitive files is a must. Even if a hacker, or laptop thief manages to access your encrypted files, modern encryption software offers government-grade protection for your data by using algorithms that create virtually uncrackable ciphers. Instead of finding your confidential data as plain text files, cybercriminals will only be able to access streams of unintelligible, encoded characters on your PC.
Encrypting confidential business data is also crucial for complying with the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada and various federal and state laws in the US. (Note: since data privacy laws passed in Canada, the US, the UK, Europe, Australia, South-Africa or Japan are essentially identical, the tips I share can be applied globally.)
Recognizing the great need for encryption protection, Microsoft offers users built-in disk encryption on certain Windows editions and there are many other great products out there to solve your encryption needs.
What features should you look for when choosing an encryption software?
The software should ideally offer you:
For productivity, security and legal reasons you need to have backup copies of your own and your customers’ confidential files. First of all, according to relevant data privacy laws, your customers have the right to view the information you store about them: “Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information.”
However, without having a backup copy of your customer data, you can’t comply with this principle if the original data gets compromised. Secondly, if the computer that stores the data gets hacked, lost, or stolen, you can only rely on the backup copies for uninterrupted business.
Instead of creating backup copies exclusively on external drives, which can easily get compromised, lost, or stolen, I recommend you backup data in the cloud, which is a much safer alternative. If you backup your encrypted safes in the cloud, your data will not only be extremely secure, but also accessible anywhere.
When selecting a cloud service, make sure that you thoroughly check the background and legitimacy of the provider you are going to entrust your data with. If a site doesn’t offer you essential information, such as contact info with physical address and phone number, testimonials, list of important customers, info on how long they have been in the business, info about the founders, background and security level of the service, you should give them a miss. (See FreshBooks’s “Security and Reliability Safeguards”).
Here is a link to trustworthy cloud storage sites.
I also strongly recommend you use a Password Manager (often included in encryption software) for three major reasons:
Remember: If your sensitive passwords get stolen or cracked, your entire security chain collapses.
The last item on our list, secure file deletion, is a little known privacy practice although it has a crucially important role in data security.
Secure deletion is necessary because the default Windows deletion (hitting “Delete” and emptying the trash) doesn’t shred the content of the deleted files. When you delete a file the normal way, only the file’s reference gets deleted, but the file content remains on the free space of your hard drive. If hackers, data thieves, or laptop thieves manage to access your PC, they can recover confidential deleted files by using specific software tools.
When do you need to do secure deletion?
Basically anytime you want to make sure that deleted confidential data can’t be recovered by third parties. For example, deleting emails, passwords, personal details, customer details and any financial or tax-related data you have on your computer the usual way poses huge privacy risks.
Furthermore, since small businesses and freelancers qualify as data controllers, you are legally required to securely delete your customers’ confidential files in certain scenarios. Principle 5 of the Act states:
“Personal information shall be retained only as long as necessary for the fulfillment of those purposes.”
What does it mean for you? For instance, if some of your customers update their email addresses, financial details, account login details, or close their accounts, you don’t have the right to store the obsolete data any longer and need to securely delete it.
Secure HDD sanitizing
Secure data deletion is also crucial if you are about to retire, donate, or sell computers that you used to handle confidential customer data with. Data thieves buy up second hand PCs to recover previously deleted confidential information from the devices’ hard disk drives (HDD). You should securely wipe the HDD of your PCs with a HDD sanitizer software, in order to comply with Principle 7 of the Act, which reads:
“Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.”
Deep clean your Internet and PC tracks
Secure deletion can also help you protect your business privacy by removing all your Internet and PC tracks that Windows secretly logs about you. Many of these tracks are hard to reach and normal clearing doesn’t remove them. Your online transactions, emailing, chats, document editing, third party apps and so forth, all leave hidden traces behind that can lead third parties to your confidential files.
Let me give you a couple examples:
1. OpenOffice: Let’s say you store your confidential financial reports in Excel files created by OpenOffice. If you leave a file open and shut your PC down without closing the file first, the next time you fire your PC, OpenOffice will ask you if you want it to repair the corrupted file. The fact that OpenOffice can recover your file means that the app has saved a backup copy of the file on your hard drive. That sensitive backup copy can be easily recovered by unauthorized parties.
2. Skype: The service saves hidden copies of your undeleted chats on your hard drive so hackers can go directly to the location below and read all your conversations without having to crack your Skype account first.
C:UserApp DataRoamingSkypeSkypnameChatSync (Open “ChatSync” files with Notepad)
How to securely delete confidential data?
When you need to make sure that confidential files and activity traces are destroyed for good, I recommend you use a data erasure software. The way it securely deletes the data is as follows:
It grabs your files and traces and overwrites every single bit of info in them with random characters. This way, the original info contained in the files are truly gone.
Modern data erasure software offers you simple steps for secure file deletion and employs government-grade wiping algorithms. They make sure that unauthorized parties can’t recover the original, deleted confidential data even with forensic methods.
Maintaining and improving your business’s data privacy and security is a great challenge so I hope that I’ve managed to offer you some useful tips and best practices for doing so. I’m sure if you start implementing them either step by step, or all at once, they will serve to protect the reputation of your business in the long run.
What other best practices would you recommend? Please share in the comments.
Find out if your website needs a terms and conditions page.