How to prevent a data breach

A data breach is unauthorized access to your IT infrastructure, computers, and data storage devices that exposes confidential information. This could include credit card numbers, Social Security numbers, information about your customers, employees, or general business activities.

A data breach could result in identity theft against yourself, your employees, or customers. It can involve costly IT forensics to find the cause of a breach and stop it, the time and expense of notifying those afflicted, as well as changing bank and credit card accounts. It could also result in expensive lawsuits and fines.

Data breaches cost American companies an average of $3.86 million, according to a 2020 IBM report. The report also notes that it took an average of 207 days for companies to identify a breach, then an additional 73 days to contain it.

One of the reasons for the high cost of a data breach is that the personally identifiable information (PII) of customers and employees was the most frequent data stolen, reportedly being compromised in 80 percent of breaches and costing $150 for each record stolen.

Human error is the number one cause of data breaches. It's responsible for 70 percent of all successful attacks.

A failure to adequately maintain a company’s cybersecurity through software patches and upgrades was behind 14 percent of cyberattacks. These security measures for data protection can help keep cybercriminals from compromising your network.

The right security policies begin with your employees. They might click on a link in a phishing email, plug in a virus-containing thumb drive that they found lying around somewhere, or accidentally publicize confidential information.

Make sure you hold regular training sessions so your employees are fully aware of your information security plan, the risks of opening emails from unknown senders, clicking on email links, and downloading unexpected files. Teach your employees about the financial and legal consequences of a data leak that exposes someone’s personal information.

You should also have a designated email address that employees can use to report suspicious emails, potential security breaks, and lost or stolen equipment. Work with your employees and customers to establish procedures for verifying any request for sensitive information.

Identify the types of personal data your company stores on all devices, such as computers, laptops, mobile devices, and flash drives. This can also include copiers that store information.

Meet with employees to identify the kinds of information they store and what their procedures are for keeping it secure. Also identify which records you need to keep, and which ones can be deleted to prevent their misuse.

Establish procedures for backing up your data, using both automatic and manual systems. Whether you use an in-network system, cloud storage, or both, it’s worth using encryption for highly sensitive data.

Every data connection could be misused by hackers. This includes your company’s email system, mobile devices, cash registers, and copiers. Even thermostats have been used by hackers as a backdoor to a network.

Install anti-malware, antivirus and other security programs throughout your business and make sure they update automatically.

These programs should be set to conduct regular scans of your network and computers, perhaps at night during periods of low activity. Use a data wiping program before disposing of any storage device, such as computers, hard drives, and flash drives.

Examine your information hardware on a regular basis and have routine checks for software updates and patches. This is especially important for servers, routers, and backup systems.

Consider using a password generator and manager. Inform your employees that strong passwords should have a combination of letters, numbers, and characters. Require all passwords to be changed on a regular basis.

Multifactor authentication for email and network access can also help keep your systems secure, with passcodes sent via text or a cell phone app. Do not keep passwords written down where they could be stolen.

Have all employees use passwords to log onto their computers, with automatic log offs for periods of inactivity. Make sure every workstation has a lock for each laptop and keep computers in a secure location. Use wiping programs to remove sensitive data, instead of deleting, to prevent risk of a data leak.

A virtual private network (VPN) uses encryption and hides your IP addresses to help protect your network from hacking. Use a VPN and firewalls for all connected devices, including for those working offsite.

You should also require encryption for all data transmissions, especially if they contain sensitive information.

Use Wi-Fi routers and connected devices with Protected Access 2 (WPA2) which uses encryption keys for each device that connects to your wireless Internet.

Install email filtering, antivirus, anti-malware, and anti-spyware software on every device that connects to your company’s network.

Install programs that can watch out for signs of a data breach by detecting suspicious activities. These include:

• Several logon attempts from unknown users or devices
• High amounts of traffic during an unusual time of day
• Large data transfers, especially if they involve new or unknown users

Regular security audits can alert you to system vulnerabilities and signs of noncompliance among your employees. Consider having an outside party perform a vulnerability assessment and look for any weak spots in your security systems.

Even with the best prevention plan in place, data breaches can still occur when you least expect them. Having coverage in the event of a breach can often help guide you in your response. Should a data leak force your business to temporarily close, a cyber liability insurance policy could help cover any business interruption expenses

If you are also responsible for a client's network, many contracts often require errors and omissions insurance, also known as professional liability insurance. This policy protects you when a client sues over professional negligence, such as an error or oversight in their cybersecurity. Cyber liability insurance will also pay for your legal costs if that client sues you for failing to prevent a data breach or cyberattack at their business.

Because the risk of a data breach is so high these days, someone on your team should be a point of contact for responding to security breaches.

Your response plan may include internal and external experts who can secure your systems, stop the breach, identify the extent of the data loss, and notify those affected. Your response plan can also include an attorney who specializes in data privacy and cybercrime.

The Federal Communications Commission's Cyberplanner is a tool designed for small businesses to create customized cybersecurity plans.

The Cybersecurity and Infrastructure Security Agency provides information on software vulnerabilities, patches, and malware.

The Federal Trade Commission supplies information on how to reduce your cybersecurity risks, plus videos that could be used for employee training.

The Small Business Administration is a trusted source of information on cyberthreats, malware, viruses, ransomware, and phishing.

The Better Business Bureau provides cybersecurity resources for businesses and consumers.

Have I been pwned? lets you find out if your phone or email has been hacked.