More than half of SMB data breaches are caused by employee negligence
Risk Based Security says there have been over 2,227 publicly disclosed data compromises in just the first half of 2017. These data breaches tapped into over 6 billion records, exposing names, addresses, credit card information, birthdates, shopping habits and – in the case of the recent Equifax hack – valuable Social Security numbers.
While larger companies are the target for brute-force hacking, smaller companies are more likely to shoot themselves in the foot when it comes to data breaches and their reputation.
According to a new study from Keeper Security, 61% of small businesses said they’d experienced a data breach sometime in the past year. That’s up from 55% in 2016. Doesn’t seem like too bad of a jump until you see that the number of records impacted almost doubled year over year.
Here’s the really maddening part: 54% of breaches were caused by employee or contractor negligence. 7% were caused by a malicious insider. Add that up and it means we need to get our own houses in order before we start worrying about anonymous hackers.
The biggest pain point for small business owners is mobile devices. On average, 49% said that their employees were using mobile devices to access “business critical” applications. Still, the majority of SMB owners said they don’t require employees to password-lock their devices because “resetting passwords reduces employee productivity” and they don’t have the manpower to monitor for compliant behavior.
In fact, a lack of manpower, followed closely by a lack of funds, was the main reason most small businesses aren’t as secure as they could be. As a result, nearly 70% of those surveyed said they were concerned about their ability to properly secure internet-connected devices in the workplace.
The good news is that even a small upgrade in security protocols could prevent an employee-triggered data breach. If employees are using a mobile phone, tablet or laptop to access company records, insist that they password-protect their devices and that they change the passwords regularly.
Remember, even if an employee doesn’t deal directly with customer data, a good hacker can still use an unprotected company login to access other files on the same server.
If you deal with highly sensitive information, use software that logs the username and path of everyone who accesses that information.
And though it should go without saying, say it anyway: regularly remind your employees to play it safe, keep it private and report any suspicious activity right away.
Finally, don’t fall victim to human nature. Change passwords after an employee leaves the company, even if it’s on good terms. Yes, it’s a pain in the neck, but it’s nothing compared to the pain of telling your customers that their private information is in the hands of a hacker.