Small business and cyber security: how to protect your business from data theft

Businesses face an ongoing battle against fraud and data theft. A recent Government report[1] found that last year almost three quarters (74 per cent) of small businesses suffered a security breach, up from six in ten (60 per cent) in 2014. Customers place a huge amount of trust in businesses to look after their data and breaches can cost small businesses between £75k and £311k on average, so the implications of not properly protecting sensitive information can be huge – for both their reputation and the bottom line.

Recent changes to the way in which companies are fined for data breaches make cyber security more important than ever, as penalties are now calculated to reflect the true cost of losing data – including card replacement and operational costs, such as conducting a forensic investigation of the breach. This means the associated charges could be significantly higher than before, putting businesses at a greater financial risk.

Fortunately, there are simple measures that can be put in place to help businesses protect the data they hold. Following these basic steps will go a long way to help keep data safe from cyber criminals, and minimise the reputational and financial risk businesses could face.

Make sure you are compliant

The best way to reduce the risk of card data loss is to meet the Payment Card Industry Data Security Standards (PCI DSS). If you’re already compliant, make sure you renew every year and if you’re running network scans, ensure that they pass every quarter. Failing to comply with PCI DSS not only leaves your data at risk, but will also leave you open to significant fines should a breach occur.

Destroy data when it’s no longer needed

Ensure cardholder data is securely destroyed when it’s no longer required. For example, once a transaction has been authorised, delete any sensitive data such as CVV codes from your servers. This will minimise the risk of such details being accessed by fraudsters.

Avoid storing the PAN (Primary Account Number) if you don’t have to

If you have to store the PAN – the 14, 15 or 16 digit number that appears on the primary account holder’s credit card – make sure it is protected by encryption or tokenisation. This process involves substituting sensitive data with a non-sensitive equivalent that has no extrinsic or exploitable meaning or value to an outsider.

Be careful of taking payments by any means other than on a secure site

If you accept payments over the phone, use card number masking software. These programmes use various techniques, such as omitting the card number from recorded calls, to protect the cardholder information that is given during conversations. Never take card details by email or fax.

Keep your software up to date

Make sure you are aware of and run all the most recent software updates, as this will help to protect you from the latest threats.

Make sure your passwords are strong

It may sound obvious, but make sure all the default passwords on your computer systems are changed to something unique and strong which cannot easily be guessed by potential hackers.

Customers expect businesses to look after their data and prevent it from getting into the wrong hands, so having the right measures in place to protect that information is vital. By following these simple steps, businesses can ensure their customers’ data is kept as safe as possible, mitigating against potential financial and reputational losses.