Data Security 101 - How to protect your business
It might not seem like it, but your business holds a lot of data. This data can be extremely useful in decision making, but it can also - in the wrong hands - be used against you in devastating ways. Here's how to protect yourself.
Your business, every day, produces a data footprint. And that data footprint says a lot about your business and how it operates. Each Instagram post and like, each bank transaction, each receipt - forms a picture. Increasingly, business owners are leveraging the data they produce to inform their next moves, and the democratization of data as a whole has gone a long way to making running a successful business more accessible. For example, e-commerce retailers use their social media to gain customers and pore over those likes and comments to work out what products will sell best. They can then use their sales data from their POS or online store, combined with their wholesale inventory costs, to work out their margins. Margins combined with customer demand mean predicted profits. This kind of insight, until even a few years ago, just wasn't readily available - and it's made running a business more predictable, more stable and less of a dark art.
The danger with data is - what if someone else gets hold of it? What if they manipulate it? What if they steal it and sell it? What if they grab it and withhold access? The platforms and services we use as small businesses universally spend a large part of their effort trying to protect customer data on some level. And while this is positive, and we can gain some comfort knowing that the systems we use (banking, social media, payment platforms, POS) are designed to prevent data or identity theft, typically the weakest point in any security scenario is...you. So, beyond the basics of 'don't lose your credit card or give your banking details to someone' - let's do a quick digital security audit to prevent simple mistakes from becoming bigger problems.
Your password is not secure.
Most people think their password is secure. It is not. If you reuse your password in different places with minor variations, only update your password when prompted, and largely ignore using long, complex password combinations 'because you'll forget them' - you are definitely in the majority of business owners. Passwords frequently get stolen, and while this doesn't seem like a concern, it is. If you use a password to sign up for a random internet account, then reuse that same password for something critical, like your email or social media, you're running the risk of that password being stolen and used to cripple a service you depend on daily. Apple iCloud allows you to store and generate complex passwords, and can even allow you to use your fingerprint to access them. 1Password can generate impossible-to-guess passwords on demand, and store them on your phone or laptop. There are numerous password management solutions out there, and they're only getting better and more convenient to use. Now is the time to adopt one.
Two factor is better than one factor.
A one factor password is...your password. A two factor password (often referred to as 2FA) is your password PLUS an identity check, and it's now the new normal. The basic advice is - 2FA everything you can. Log in to the systems you use, search for 2FA and turn it on. 2FA means that even if someone guesses your password, they'd also have to have access to your email inbox or cell number and physical location to log in. And while getting access to those things - or faking them - isn't impossible, it's usually enough trouble for a bad actor to stop messing with you. After all, there are enough people out there with one factor passwords like '1234' or their 'first name, last name and year of birth' who are easier pickings. 2FA is getting easier to use now, and the more you use it on different accounts the more secure it is. If you 2FA your Instagram but don't 2FA your email - and your email password is the same as your Instagram password - then it's easy for someone to log in to your email, approve the Instagram 2FA check themselves, then walk off with your Instagram account. So 2FA everything you can! Do it now!
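To make the "password PLUS an identity check" mechanics concrete, here is an added example (it is not code from the original post, nor from huumans) of the most common second factor, the six-digit code from an authenticator app, implemented per RFC 4226 (HOTP) and RFC 6238 (TOTP). The account record, the `make_account` and `login` helpers and the password-hashing choice are assumptions for illustration; the shared secret used in the demo is the published RFC test key, so the codes it produces are checkable against the RFC tables.

```python
# Added example (not from the original post or from huumans): a minimal
# HOTP/TOTP implementation following RFC 4226 / RFC 6238, plus a login check
# that only succeeds when BOTH the password and a current code are right.
import hashlib
import hmac
import secrets
import struct

# Published RFC 4226 / RFC 6238 test key; used here only so results are checkable.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over a 30-second time counter."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Accept the current code or its neighbours within +/- `window` steps (clock drift).

    Every candidate is compared with no early exit, so response timing does not
    reveal which step matched.
    """
    if len(code) != digits:
        return False
    counter = unix_time // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(secret, counter + delta, digits), code)
    return ok


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256); the password itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def make_account(password: str, totp_secret: bytes = b"") -> dict:
    """Hypothetical account record: salted password hash plus a per-account TOTP seed."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hash_password(password, salt),
        "totp_secret": totp_secret or secrets.token_bytes(20),
    }


def login(account: dict, password: str, code: str, unix_time: int) -> bool:
    """Two-factor login: a stolen or guessed password alone is not enough."""
    password_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                      account["pw_hash"])
    code_ok = verify_totp(account["totp_secret"], code, unix_time)
    # Both factors are evaluated before deciding, so a wrong password costs the same time.
    return password_ok and code_ok


if __name__ == "__main__":
    acct = make_account("correct horse battery staple", totp_secret=RFC_TEST_SECRET)
    now = 59  # RFC 6238 test time; a real service would use int(time.time())
    print(login(acct, "correct horse battery staple", totp(RFC_TEST_SECRET, now), now))  # True
    print(login(acct, "correct horse battery staple", "969429", now))                    # False
    print(login(acct, "guessed-wrong", totp(RFC_TEST_SECRET, now), now))                 # False
```

The last two lines of the demo are the whole point of the section: a correct password with a stale code fails, and a correct code with a guessed password fails. The one-step tolerance window is what lets a phone whose clock is a few seconds off still log in; widening it beyond a step or two is the usual mistake that weakens the second factor.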
Don't trust anything.
The old adage of 'if it looks too good to be true, it usually is' still rings true. Don't click on that link in that random email. Don't open that weird email attachment. No, you haven't randomly won $1,000 and need to claim it. Unless you know you ordered something, FedEx is likely not sending you emails asking for immediate customs payments. The CRA is not calling you using an automated voice saying you're due a massive rebate. So use your judgement. That's pretty straightforward.
What's not straightforward is using services you trust and not knowing how they use your data. Recently it's come to light that TaxAct, TaxSlayer and H&R Block have been sending sensitive business information from their customers' tax submissions to both Google and Meta (Facebook), who then use that sensitive data to target advertising back at them. This of course is inexcusable, and those companies are now under a lot of pressure to explain their data and security processes. And while it's hard to work out who to trust sometimes, even if your passwords and 2FA are secure, do some due diligence before you sign up to even 'well known' services. Your data is important, and trusting someone else with that data should be something you consider very carefully.
At huumans, for example, we're transparent about how we use customer data - and we're very explicit about the level of confidentiality we operate around business data. We don't allow Google or Meta tracking on any of our customer information forms, and we monitor tracking on our products constantly, to ensure we're not collecting any information we don't need. We also guarantee that we won't sell sensitive data to third parties, and that whenever a third party is involved, we ask for consent before proceeding. Make sure whoever is providing services to your business is equally transparent and can provide guarantees that any confidential data stays that way - for your eyes only. Be suspicious, ask questions, be annoying.
Build your own processes.
In your company, who has access to confidential information? How careful are they with that information? What happens if that person leaves the company? Who manages data access in your company? You wouldn't give bank account access to just anyone, and likewise you shouldn't give critical data access to just anyone either. Do your staff use 2FA? Do they use secure passwords? Who controls your website access? Who has access to your critical infrastructure? What passwords do they use? Yes, it's a long list of questions to consider, but they're important questions. You're only as secure as your weakest point. For example, at huumans we enforce 2FA on all staff logins, store all paperwork and data in environments that align to ISO, SOC 1, 2 and 3, and HIPAA, and regularly check that our staff only have customer-approved, read-only access to important things like bank statements - and that that access is only available through specific, secure computers which have biometric identity controls. That might be overkill in your organization, but it's usually better to overdo things than risk possible data issues. In Canada all commercial entities have to conform to the Privacy Act, known as PIPEDA. PIPEDA tells you how, on a federal and provincial level, you can interact with other people's data, and if that's news to you, consider spending some time researching how PIPEDA applies to you and your company.
What is huumans?
A 'Modern', cost-effective bookkeeping service designed specifically for small business owners, huumans provides same or next business day support, guaranteed weekly reconciliation and fixed, transparent monthly pricing. Your business numbers, directly calculated from your constantly reconciled accounts, are presented in a free, easy-to-understand, on-demand, shareable dashboard - and like your billing, it can be managed online whenever you find it convenient. Offering the most cost effective small business managed payroll services in Canada, we also provide specialized discounts for startups and new businesses, along with dedicated solutions for franchises.