With security breaches continuing to dominate the news, I’d like to take this opportunity to share my response to a recent Q&A addressing the steps small businesses should take to protect their data against security breaches. 

1.  What steps should small businesses take to protect their data and e-commerce sites?

One of the most important steps is to tightly control access to any sensitive data, and that includes administrators. Nobody should have access without oversight and logging. Make sure that every user has the least privileges necessary to perform their job and that every user has their own unique login credentials so that actions can be traced to an individual. If you have computers on-site, make sure they are used only for business (e.g., don't allow anything to be downloaded or let people browse the Internet), keep up-to-date anti-virus software running at all times, and make sure those computers are isolated/segregated from any other networks or computers you may have.
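The three controls in that answer (deny-by-default least privilege, one login per person, and a log entry for every decision, administrators included) can be expressed as a small access gate. The following Go program is an added example written for this page, not code from the original post; the role names, permissions, and accounts in it are constructed for illustration, and the shared "frontdesk" login shows why generic credentials defeat traceability and must be refused.

```go
package main

import (
	"fmt"
	"time"
)

// Permission names are constructed for this example.
type Permission string

// Role-to-permission map: a user gets only what is listed here (deny by default).
var rolePermissions = map[string]map[Permission]bool{
	"cashier": {"orders:read": true, "orders:create": true},
	"admin":   {"orders:read": true, "orders:create": true, "customers:export": true},
}

// Account is one login. Shared marks a generic credential used by several people,
// which is refused because its actions cannot be traced to an individual.
type Account struct {
	Role   string
	Shared bool
}

// AuditEvent is written for every decision, allowed or denied, administrators included.
type AuditEvent struct {
	Time     time.Time
	User     string
	Action   Permission
	Resource string
	Allowed  bool
	Reason   string
}

// Guard answers "may this user do this?" and keeps the audit trail.
type Guard struct {
	Accounts map[string]Account
	Log      []AuditEvent
}

func (g *Guard) record(user string, action Permission, resource string, allowed bool, reason string) bool {
	g.Log = append(g.Log, AuditEvent{time.Now().UTC(), user, action, resource, allowed, reason})
	return allowed
}

// Authorize grants access only when the account exists, belongs to one person
// (not shared), and its role explicitly carries the requested permission.
func (g *Guard) Authorize(user string, action Permission, resource string) bool {
	acct, ok := g.Accounts[user]
	switch {
	case !ok:
		return g.record(user, action, resource, false, "unknown account")
	case acct.Shared:
		return g.record(user, action, resource, false, "shared account; actions not traceable")
	case !rolePermissions[acct.Role][action]:
		return g.record(user, action, resource, false, "role "+acct.Role+" lacks permission")
	}
	return g.record(user, action, resource, true, "permitted by role "+acct.Role)
}

// NewGuard builds a guard over a constructed set of accounts.
func NewGuard() *Guard {
	return &Guard{Accounts: map[string]Account{
		"alice":     {Role: "cashier"},
		"bob":       {Role: "admin"},
		"frontdesk": {Role: "cashier", Shared: true}, // generic login used by several staff
	}}
}

func main() {
	g := NewGuard()
	g.Authorize("alice", "orders:read", "order-1001")
	g.Authorize("alice", "customers:export", "customers.csv")
	g.Authorize("bob", "customers:export", "customers.csv")
	g.Authorize("frontdesk", "orders:read", "order-1001")
	for _, e := range g.Log {
		fmt.Printf("%s user=%s action=%s resource=%s allowed=%t reason=%q\n",
			e.Time.Format(time.RFC3339), e.User, e.Action, e.Resource, e.Allowed, e.Reason)
	}
}
```

The audit log is appended before the answer is returned, so there is no code path that grants or denies access without leaving a record; the administrator's export is logged exactly like the cashier's denied one.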

2.  Do small-business owners take the threat of data breaches and online security seriously enough?

I believe that the vast majority of small-business owners are very concerned about breaches and security, but they are even more concerned about running their business and making money to keep it afloat. Most small businesses have little, part-time, or no technical staff dedicated to these issues.

3.  What are some best practices, data-wise, for small businesses to follow?

Make sure you know exactly where all of your sensitive information is, whether it is in a backup, in transit during a transaction, or at rest. Have a specific list of policies that dictate how that data must be handled and monitored in each of these circumstances. Lastly, whatever data you have on site, you need to encrypt it.
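Encrypting data at rest is only useful if the stored copy also detects tampering and cannot be silently swapped into another record. The following Go program is an added example for this page, not code from the original post: it seals a constructed sample record with AES-256-GCM, binds a label (such as the backup or record name) as authenticated associated data, and rejects any blob that has been modified or relabelled. It assumes the key is held in memory for the demonstration; in a real deployment the key lives in a key store and never beside the data it protects.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit key. Assumption of this example: the key
// is kept in memory; in practice it belongs in a key store or HSM, not on disk
// next to the encrypted data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. label is authenticated but not
// encrypted (e.g. the record or backup name), so a blob cannot be moved to a
// different record without failing verification.
// Output layout: nonce || ciphertext || 16-byte tag.
func Seal(key []byte, label string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any modification of the blob, a different label, or a
// different key fails authentication and returns an error rather than
// corrupted plaintext.
func Open(key []byte, label string, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real customer data.
	record := []byte("order=1001;card_last4=4242;customer=Example Co")
	blob, err := Seal(key, "orders-backup-2024-01", record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes for a %d-byte record\n", len(blob), len(record))

	back, err := Open(key, "orders-backup-2024-01", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored: %s\n", back)

	blob[len(blob)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = Open(key, "orders-backup-2024-01", blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The stored blob is 28 bytes longer than the record (12-byte nonce plus 16-byte tag); a fresh random nonce is generated for every Seal call, which is what makes reusing one key across many records safe.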

4.  What kind of affordable services are out there that small-business owners can take advantage of to back up and protect their data?

In all likelihood, it would be best to use a service that has been specifically developed for a for-profit business environment and that meets the requirements of the PCI DSS standard.