The implications of storing customers’ personal information are so worrisome to some business owners that they fail to collect much data at all. But it really is an essential part of doing business, so companies need to learn to overcome their fears.
Someone accesses your stored data, including customers’ information, and threatens to release it publicly, as has happened recently with the Waikato DHB. However, these types of attacks are normally targeted at large corporate or government bodies.
Far more likely is a situation whereby a business's operating systems are disabled and its information is made unavailable due to a cyber-attack.
This is a frightening prospect, but there are ways to safeguard your data.
Cloud hosting providers offer all sorts of services to businesses, including security.
“It is reasonable to assume that they are better at security than the average SME. So using these cloud services will provide better protection from data breaches than doing your own IT,” says Z Energy’s Head of Information Security, Marek Jawurek.
However, in using these providers, businesses should also institute good password hygiene and multi-factor authentication.
What does that mean? Firstly, don’t re-use passwords; make sure they are both unique and long enough to be hard to work out. Secondly, make use of a password manager which lets you store all your passwords in one safe place. The password manager encrypts your passwords so no-one else can access them.
Multi-factor authentication (MFA) provides another level of security. Most accounts ask you to enter your user-name and password before admitting you; MFA is a step beyond that. A multi-factor authentication system might ask you to answer a pre-set question or send a code number to your smartphone, in addition to asking for a password.
Some cloud services have a “turn on two-factor authentication” option in their settings.
Good system hygiene includes keeping your systems up to date. Most computer operating systems will provide a notification advising when an update is available. Action updates as soon as they are available to avoid vulnerabilities.
Most systems will allow you to wield more power than you need. It is often better to have limited power on the system - to simply be a “user” as opposed to a super user or administrator. If your accounts are compromised in an attack, the attackers will also inherit your system privileges, so stick to the minimum you need to minimise the damage they can do. And be conservative about how much access you grant other people within your business, too.
You need to figure out how (and for how long) you can operate your business if the cloud service or the data stored within it becomes unavailable.
Ask yourself: “Do I have the necessary data in a local backup so that I can continue to operate my business?” says Marek. “Ideally this is tested, the professionals call it a business continuity plan or BCP. A BCP is not only useful for information security but also for other risks that a business has.”