Edition e1.0.0
Updated October 9, 2023

The previous part on individual security talks about protecting access to your personal email, other accounts, and devices. As a small business, you protect not just your own data, but also the data of others—your customers, clients, employees, and partners.
When you yourself sign up to a new service or website, you agree to a long, waffly terms of service document that uses legal jargon to explain a simple agreement: by signing up, you are giving your data in exchange for a service. You are trusting the creator to be ethical with that data.
Well, the same applies here in reverse. If you are providing a service or a product to someone, they are trusting you to protect the data that they share with you. If your website banner said, “Give us your credit card data at your own risk,” I can’t imagine you would have many sales. There is an inherent trust relationship you are creating when you collect data from others.
If you lose this data, you break that trust. Not every country right now requires you to fess up when this happens, but updated privacy laws requiring it are coming. The General Data Protection Regulation (GDPR) in the European Union requires you to notify those impacted within 72 hours, and is likely to set precedent globally. The California Consumer Privacy Act of 2018 allows consumers to sue companies that have a breach. In New Zealand, the Privacy Act requires organizations to disclose breaches that might cause serious harm. Even without these laws and regulations, sometimes people can put two and two together to find out it was you, and then publicly expose you online and on social media.
It only takes a few public incidents before the negative reviews, videos, and posts start to affect your profits and resilience.
In your small business, you operate with the support of others. Sometimes the tasks that you delegate to others carry security risk, and others might not have the same security mindset or risk-focused thinking as you. Now that your business is more than just you, it is time to start bringing your team into the fold and having a conversation about security. They need to be encouraged and enabled to make risk and security calls themselves to avoid making a mistake later.
You will need to give others, either your employees or a third party, access to the systems you have to run your website, application, or store. A large number of security incidents happen by taking advantage of human nature. Social engineering attacks are a fast-growing risk in almost all organizations. In a 2022 study by Verizon, 82% of the incidents investigated included a human element.
A social engineering attack may ask your employee or outside provider to “urgently download this file onto the work kiosk computer,” and next thing you know you are locked out of your files and can’t get back in. Making your systems and approaches “secure by default” and setting up those safety nets will be important.