Data Breach Red Flags Every Small Business Owner Should Know

Written by Equifax Experts on December 12, 2013 in Small Business

As more customer information is stored online, data breaches pose an increased risk to business owners and consumers alike.

A data breach often involves the loss of personally identifiable information. “Think about any information that is unique to you as an individual, or when combined becomes unique,” says Scott Mitic, senior vice president of Equifax Personal Solutions.

For example, information compromised in a data breach can include customers’ and employees’ names, addresses, Social Security numbers, dates of birth or medical insurance information.

A data breach—especially one that includes the loss of personally identifiable information—poses obvious threats to your customers, including the threat of identity theft. According to the “2013 Identity Fraud Report” by Javelin Strategy & Research, which looks at 2012 data, 1 in 4 consumers who received data breach notifications became victims of identity theft.

But it’s not just consumers who are impacted—small retailers also lose out. The Javelin study found that victims are more selective about where they shop after a fraud event, with 15 percent of victims choosing to avoid smaller online merchants.

How do data breaches happen?

According to Mitic, two common ways that companies become data breach victims are through physical access to confidential information and online computer vulnerabilities.

“In general, data breaches are most frequently perpetrated by someone the business owner knows,” Mitic notes. “It can be a vendor, an employee with access to a customer database, or an outsourced IT team who comes in to do desktop support or update software.”

In less common cases, data breaches occur when online hackers are able to gain access to your company database that holds confidential information, such as the personal information of your employees and customers.

“There are vulnerabilities that can be created through a company’s website or interface—where data is being moved electronically,” Mitic says.

What are a few signs that your business has fallen victim to a data breach?

A data breach can be incredibly damaging to your small business. In fact, in a March survey of small business owners conducted by the Ponemon Institute, 70 percent of respondents agreed that the loss of employees’ and customers’ sensitive personal information would do more harm to their businesses than the loss of confidential company data.

As a victim of a data breach, you could lose customers, business partners or employees, so it’s important you catch a data breach early. That way, you can help retain as many of your current customers, business partners and employees as possible.

Mitic says there are some red flags that may indicate your company has been victimized. A few examples include:

Missing inventory. This can include items such as a company laptop, phone or tablet that contains sensitive personal information.

Suspicious phone calls. Scammers may take advantage of social media to target your company. For example, if an employee posts that she is sick on Facebook and a scammer targeting your company sees it, that scammer may call your office pretending to be a friend or family member of that employee.

“I might call you and say that I’m the husband of the employee who is out sick,” explains Mitic.

“I might say that my wife is trying to get access to her email and can’t remember her password, and ask that you give it to me. Through this ‘social engineering’ activity, I now have access to any personal identifying information associated with that email account.”

Strange solicitations. Abnormal emails (such as those which ask you to reset your account password by clicking on the link in the email) and phone calls (people calling asking for remote access to your computer system, for example) are often indicators that you’re being targeted.

Be sure to also monitor your website and computer system for clues. “You should have in place monitoring systems which are able to detect unauthorized access to your computer infrastructure,” Mitic says.

“For online unauthorized data access, it’s incredibly helpful to be able to see these types of attacks when or shortly after they happen. [These monitoring systems] are how many tech-savvy companies learn of data breaches.”

What are some tips for avoiding a data breach?

No matter the size of your business, if you accept credit cards, typically you must be in compliance with the security standards of the Payment Card Industry (PCI). These standards dictate how data is processed and secured after a customer swipes their credit card.

While the regulations specifically outline how businesses should protect credit card data, “these guidelines can be used to protect other data, like birth dates and Social Security numbers,” says Mitic.

Additionally, the Federal Communications Commission offers these 10 cyber security tips for small businesses:

  1. Establish security practices that all employees must follow, including password and Internet usage policies.
  2. Regularly update your computers and software.
  3. Secure your Internet connection and private network with a firewall. If you have employees who work from home, ensure their home computer systems are protected as well.
  4. Create guidelines for accessing the company network via mobile device, including password protecting these devices and installing security applications.
  5. Back up your important business data, or store copies offsite or on the cloud.
  6. Manage user accounts on each computer to limit who has access to sensitive data, and lock up laptops when unattended.
  7. Secure your wireless networks—password protect routers and ensure networks are encrypted.
  8. Follow best practices when accepting credit and debit cards.
  9. Do not allow employees to install software without permission, and limit the data to which they have access.
  10. Require employees to use unique passwords and change those passwords every three months.

If your company does fall victim to unauthorized data access, check into applicable laws regarding unauthorized data access, including your state’s laws surrounding data breach notification. “Like any illness,” says Mitic, “the prescription will be dictated by the malady.”
