December 27th, 2021
Data Protection Basics, a Checklist for Online Entrepreneurs and Small Businesses
It’s that time of year where, just like in my last post, we get to re-evaluate our various systems, practices and policies in our businesses to determine whether they are serving us well, are helping us meet our goals, or whether they need to be revamped or revised.
If you don’t yet have a “Data Protection Checklist” as an online entrepreneur or small business, these basics are a starting point for you.
There are some simple practices that go a long way towards keeping our digital and data-based businesses safe and running smoothly. Some of these will help you in your efforts at data and privacy law compliance, and others are just good business practices.
1. Map Your Data & Data Flows
What data do you have? Start with where you are right now, and map your core data. What data do you collect in your business? What is the reason for collecting it? Where is it kept? What security measures are in place for that data? Who has access to it? (And more). For a template spreadsheet to assist you, as an online entrepreneur or small business, in mapping your data and data flows, get access to this sample template here.
Mapping your data will help you in maintaining compliance with the GDPR and potentially other regulations that may apply to your business.
If you feel overwhelmed by this activity, don’t worry (for now) about data that is more than a few years old. Start with where you are now, or relatively current data, and move forward from there.
As you have time, you can revisit older data and either secure it or expunge it as necessary (hopefully the latter in order to minimize risk).
2. Create a Data Security Policy or, at Minimum, an Internet & Email Policy
This is a policy that will guide you and any support staff that you hire in your business, whether an employee or an independent contractor (Virtual Assistant, tech team, etc).
The topics you should cover in this policy include:
- Password management, updates & protection
- Reporting phishing attempts (or other similar incidents)
- Log-on procedures for various platforms or apps used by your business
- Internet access rules
- Appropriate online usage
- Controls on misuse of the internet
- Restrictions on web browsing
- Security protocols for online data
- Download rules
- Social networking rules
- Work email usage rules
- Use of personal devices for work
- Working remotely and use of public internet or networks, VPN requirements, etc.
The goal is to create simple rules that will guide you and your team in regards to accessing and managing the data you use in your business that help to prevent security and data breaches caused by human error or outside malicious actors.
3. Update / Create more Complex Passwords & Sign Up for a Password Manager
If you are not already using a password manager, now is the time to get one in place. One of the biggest mistakes that people make is using (repeatedly) an overly simple password, which puts a large number of their accounts and data in their business at risk.
Never use default passwords that come with electronic devices (like routers, home monitoring systems, and other networked electronic devices, including home appliances).
Instead, create more complex, longer passwords (at least 12 – 15 characters) and store them all inside of a password manager like LastPass or KeePass. (I use LastPass).
The difference between brute-forcing an 8-character password (4 days), and a 12 or 15 character password is YEARS. You can research all kinds of ways to create complex passwords, and there are methods for creating complex passwords that you can remember. The key is not to use the same one across all of your accounts, which is why it is much more feasible to store separate, complex 12-15 character passwords in a password manager like LastPass and make sure that you appropriately manage and protect your master password.
Then, when you need to share passwords for any of your online business accounts, you can do so through your password manager and not be passing them through email, which is not a safe method for data transmission.
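To put numbers behind the "days versus years" comparison above, here is an added example (not from the original post) that computes the keyspace, entropy and worst-case brute-force time for 8-, 12- and 15-character passwords. The attacker guess rate (1e10 guesses per second) and the 95-character printable-ASCII alphabet are assumptions; real figures depend on the hash algorithm and hardware involved.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes a password may be drawn from (assumed classes; printable ASCII is 95).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}

def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passwords of exactly this length over this alphabet."""
    return charset_size ** length

def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy of a uniformly random password of this length, in bits."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password in the keyspace."""
    return keyspace(length, charset_size) / guesses_per_second

def brute_force_years(length: int, charset_size: int, guesses_per_second: float) -> float:
    """Same worst-case time expressed in years."""
    return seconds_to_exhaust(length, charset_size, guesses_per_second) / SECONDS_PER_YEAR

def min_length_for_years(charset_size: int, guesses_per_second: float, target_years: float) -> int:
    """Smallest length whose full keyspace takes at least target_years to exhaust."""
    for length in range(1, 129):
        if seconds_to_exhaust(length, charset_size, guesses_per_second) >= target_years * SECONDS_PER_YEAR:
            return length
    raise ValueError("no length up to 128 characters meets the target")

def compare(lengths, charset_size: int, guesses_per_second: float) -> dict:
    """Map each candidate length to its worst-case brute-force time in years."""
    return {n: brute_force_years(n, charset_size, guesses_per_second) for n in lengths}

if __name__ == "__main__":
    # Assumed attacker rate: 1e10 guesses/s, a rough offline-cracking figure for a fast hash.
    rate = 1e10
    alphabet = CHARSETS["all printable ASCII"]
    for n, years in compare((8, 12, 15), alphabet, rate).items():
        print(f"{n:>2} chars: {entropy_bits(n, alphabet):5.1f} bits, ~{years:.3g} years to exhaust")
    print("length needed to hold out 100 years at this rate:", min_length_for_years(alphabet, rate, 100))
```

Each extra character multiplies the attacker's work by the alphabet size, which is why length matters more than any single clever substitution.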
4. Create or Update your Data Back-Up Policy
Do you have a data back-up policy? Where, and how frequently, are you backing up critical data in your business? How do you ensure continuity if your information or business were to get hacked? Making sure that you have thought through various scenarios will help you in crafting a policy that works for your business.
Your policy should identify your data sets, your back-up methods (an external hard drive, the cloud via Backblaze, Dropbox, etc.), whether those methods are automatic or manual (I recommend automatic whenever possible), your back-up timelines or intervals, and the data checks you perform to confirm that those systems are working properly and do not need to be updated or reconnected.
Keep in mind that you need to regularly check accounts to make sure billing information is up to date, so that a simple mistake or failure to update does not prevent your backups from occurring.
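The "data checks" mentioned above are easy to automate. The following is an added example (not from the original post) of a small script that records a backup's SHA-256 hash in a manifest when the backup is made, then later confirms the backup file is present, is newer than a chosen age, and still matches its hash. The file names, the 24-hour freshness window and the sample backup contents are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
import time
from typing import Optional, Tuple

def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_path: str, manifest_path: str) -> None:
    """Record the hash at backup time so a later check can detect silent corruption."""
    manifest = {"file": os.path.basename(backup_path), "sha256": sha256_of(backup_path)}
    with open(manifest_path, "w") as f:
        json.dump(manifest, f)

def check_backup(backup_path: str, manifest_path: str, max_age_hours: float,
                 now: Optional[float] = None) -> dict:
    """Return pass/fail flags: present, fresh (modified within max_age_hours), intact (hash matches)."""
    now = time.time() if now is None else now
    result = {"present": os.path.isfile(backup_path), "fresh": False, "intact": False}
    if not result["present"]:
        return result  # a missing backup is the first thing a stalled job produces
    age_hours = (now - os.path.getmtime(backup_path)) / 3600
    result["fresh"] = age_hours <= max_age_hours
    with open(manifest_path) as f:
        expected = json.load(f)["sha256"]
    result["intact"] = sha256_of(backup_path) == expected
    return result

def demo() -> Tuple[dict, dict, dict]:
    """Constructed scenario: a good backup, one whose job stopped running, and a corrupted one."""
    with tempfile.TemporaryDirectory() as d:
        backup = os.path.join(d, "clients-backup.zip")       # constructed file name
        manifest = os.path.join(d, "clients-backup.manifest.json")
        with open(backup, "wb") as f:
            f.write(b"constructed sample backup contents")
        write_manifest(backup, manifest)
        good = check_backup(backup, manifest, max_age_hours=24)
        old = time.time() - 3 * 24 * 3600                   # simulate a job silent for 3 days
        os.utime(backup, (old, old))
        stale = check_backup(backup, manifest, max_age_hours=24)
        with open(backup, "ab") as f:                       # simulate a partial write / corruption
            f.write(b"\x00")
        corrupt = check_backup(backup, manifest, max_age_hours=24 * 7)
        return good, stale, corrupt

if __name__ == "__main__":
    for label, r in zip(("good", "stale", "corrupt"), demo()):
        print(f"{label:>7}: {r}")
```

Run it on a schedule against your real backup location and alert on any flag that is False; a backup that exists but fails the hash check is the case most people never notice until they need it.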
5. Use Encryption
Whenever possible, use encryption, specifically end-to-end encryption rather than transport-layer encryption alone.
If you are handling a fair amount of client data, do it through an encrypted client portal.
If you are having clients pass information to you through email, use email encryption applications or software. (It is well known that email is as secure “as a postcard written in pencil”, which is to say, it is not at all secure).
If you are storing data, research options that keep your data encrypted and also have 2-factor authentication to protect against log-in attempts that are not your own.
6. Turn on 2-Factor Authentication
Whenever possible, turn on 2-factor authentication.
Two-factor or multi-factor authentication is an extra layer of security that notifies you, usually via text or email, each time a log-in is happening on one of your accounts. It goes beyond the standard user name and password and requires you to confirm each log-in attempt, usually with an added code or some other confirmation mechanism.
7. Turn off Your Computer, Unplug, & Disconnect External Hard Drives
These are simple steps which are effective. If you are not connected, you cannot be hacked. Disconnect and power down your devices regularly as part of your Data Security plan.
8. Keep Your Systems, Software, and Website Plug-ins Up to Date
Letting the hardware, systems and software that you use in your business get out of date is one of the easiest ways to leave a back door open to attackers.
Instead, make sure that you regularly run updates for any software used on any of your networked devices, and keep your equipment and operating systems up to date.
Make sure this includes regular updates to your website's plugins, to minimize the risk of malware or another malicious event taking down your online business. I had this happen one time to my website, and it cost me several days and thousands of dollars to get it restored and properly protected, and it impacted several related sites as well.
9. Avoid Obvious No-Nos.
Don’t do things like saving passwords in emails or documents with the subject line or title “passwords.”
Don’t use public internet for work-related activities without using a VPN.
Don’t use social media accounts at the same time you have other applications open on your computer or device.
Don’t “daisy-chain” passwords.
Don’t write passwords down and keep them by your computer at your desk.
Don’t click on suspicious or unexpected links in emails, on social media, or messages.
Don’t hover over QR codes posted in public places.
Don’t plug in “found” thumb drives to a device you care about!
When in doubt, power down, unplug, and contact a data security or recovery expert.
Don’t wait until after a data breach or cyber security event to develop a relationship with a cyber security specialist or data recovery expert. (Build your team before anything happens!)
10. Consider Whether it May be Time for Data Breach or Cyber Liability Insurance
There are a variety of insurance policies available to small businesses.
And if you are building a business that relies on creating a database of contacts, you may consider that a data breach costs on average $200 per client or contact record to respond to in accordance with the law (and correct). This means that with a small database of 500 people, a database breach could be a potentially $100,000 hit to your business.
It may be time to consider getting a data breach or cyber liability policy in place. There are differences in the kinds of policies available for cyber events, so you must be clear on the differences and the extent and limits of your policy. Does it cover ransomware events? Does it cover legal expenses related to following up in accordance with the notice requirements of all 50 states (which vary from state to state)? Does it cover lost business? Or business continuity expenses?
Cyber events are no joke, and are only increasing in frequency and severity. You may consider at what threshold it makes sense for you to obtain insurance coverage to protect your business and plan now for that coverage.
[Finally, if you have not yet tackled legal protection for your website, consider The Website Protection Package to make sure you get your online website, content and intellectual property protected and post required information in regards to your data collection practices.]
Conclusion
Simple measures go a long way to making it hard for bad actors to get in the front door. And yet, all too often, we fail to do what we know we are supposed to do to protect our information, accounts, and most importantly, our client information and databases.
Start with this list of basics and you will minimize some of the biggest risks to your accounts and data that help you run your online business – usually related to human error and poor password management.
Clean up your digital and online practices, including those of any employees or support staff, add basic levels of security and encryption, and make sure you have and follow written policies for data protection, and you will be well on your way to better data and business management.
Happy trails!
_________
© 2021 Heather Pearce Campbell, The Legal Website Warrior®
DISCLAIMER: THE INFORMATION PROVIDED IN THIS ARTICLE MAY CONTAIN LEGAL INFORMATION, BUT DOES NOT CONSTITUTE LEGAL ADVICE. NO RELATIONSHIP, INCLUDING ATTORNEY-CLIENT RELATIONSHIP, HAS BEEN FORMED AS A RESULT OF THIS POST. YOU ARE ADVISED TO SEEK THE ADVICE OF AN ATTORNEY LICENSED IN YOUR STATE IF YOU HAVE ANY QUESTIONS.