The Privacy Checklist Every Small Business Needs

Fiona Dalton

Data privacy often isn’t a top priority for many small businesses. They think that since they’re just a small organization, their data isn’t worth much and won’t be targeted by scammers and cybercriminals.

However, this is a huge misconception. In fact, according to Verizon, SMBs are four times more likely to be victims of data breaches compared to larger organizations.

Fortunately, protecting data and privacy is totally doable—even for smaller businesses. By breaking cybersecurity down into a checklist with easy steps, small businesses can protect their privacy even with fewer resources.

Why Are Small Businesses at Risk of Cyberattacks?

Firstly, it’s important to understand: why do cyberattacks often target small businesses?

Easier to Attack

Their defenses aren’t as robust as those of larger organizations. This is either because they have less capacity for cybersecurity measures, or mistakenly think they’re not at risk. Often a combination of both.

Hackers can hit dozens, if not hundreds, of small businesses with the same phishing or ransomware campaign.

They Still Have Valuable Data

The amount of money small businesses have in their online accounts is not insignificant.

Data such as customer and employee information, contact lists, and transaction histories can also be sold to data brokers and other cybercriminals.

Even if the profits from each successful attack are small, they can add up if many businesses are breached.

They Can Serve as a Gateway to Larger Companies

Some attackers see small businesses as a stepping stone to make attacking larger organizations easier.

Business identity theft on a small restaurant can, for example, give attackers information on a larger food supplier.

10 Steps for Small Businesses to Protect Their Data

So, how can small businesses start protecting their data better? With the steps below, they can put their privacy at far less risk and have the peace of mind to focus on growing the business.

Know What Data You Have

Start by understanding what kind of data you have. Typically, a small business might have:

Employee login and personal credentials.
Email and social media accounts.
Customer information.
Payment details and transaction histories.
Supplier or business partner contracts and contact information.

Then, where do you store these things? As local files on your computer? On an external drive? In a cloud service like Google Drive? Do you store them in multiple places?

Once you map out your data, you’ll know where the risks are.

Have Strong Passwords and Multi-Factor Authentication

Easy-to-guess passwords are an issue for any organization. Consistent reminders and education about password and authentication policies should be the easiest preventive measure.

Ask employees and clients to change their passwords if the password does not include variation between uppercase and lowercase letters, does not contain special symbols or numbers, or does not have at least 12 characters.

Additionally, enable MFA on all accounts to protect your data even if the passwords get breached.

Limit Who Can Access Data

Speaking of employees, not everyone in your business needs access to all your information.

For example, your waiter needs the Wi-Fi password so they can give it to customers who ask for it. However, they probably don’t need access to the email you use to contact suppliers.

More people having access to a piece of data than necessary means more avenues for a data leak to occur.

Train Your Employees

All employees should receive at least basic cybersecurity training. After all, human error is still one of the leading causes of data breaches.

Even the basics can go a long way:

Do not access work accounts on public Wi-Fi.
Know how to spot phishing emails.
Report unusual activity immediately.

Keep Software Up to Date

Hackers typically go after devices with outdated software. They contain well-known security holes that can be easily exploited.

Because of this, ensure all your devices’ operating systems and apps are always updated to the latest versions. Most updates contain security patches that keep the apps robust.

If possible, turn on automatic updates for all devices.

Set a Data Retention Policy

The more data you have, the greater the risk, so don’t keep data longer than necessary. Decide how long to keep different types of information and when to delete it safely.

You may, for example, keep customer purchase records for up to five years and purge old website cookies every month.

Do Regular Privacy and Data Audits

Check your systems, policies, training, and vendor agreements regularly. This ensures that:

Your apps and devices are up to date.
Your staff still knows how to be safe online.
You’re still dealing with trustworthy business partners.

Consider looking up your business on search engines as well. After all, employees or clients may leave traces of information across marketing lists, directories, and third-party services.

If you find information about your business in spaces where you don’t want it to be, consider using services such as Incogni for data removal.

Be Careful with Third-Party Services

If you use third-party apps and services for, say, online payments, website creation, marketing, or file storage, then choose wisely.

Before committing to using any service, read their security measures and privacy policies. Do they follow legal guidelines? Do they clearly state who’s responsible for what?

Either way, regularly monitor and limit what kind of data you share with them.

Back Up Your Data

Data loss can completely cripple a small business. Always back up crucial information in multiple places so you still have access to it in case it gets lost.

For example, store critical files on a local computer, upload them to cloud services, and keep a physical backup.

Stay Compliant with Laws

Ensure that all your practices comply with all the regulations that apply to you. After all, breaking these laws can be incredibly costly due to fines. These laws also evolve regularly, so stay updated.

Conclusion

Many of these steps are easy to implement, even for small businesses with limited budgets. Many of these can be done within a day or two and will protect the business for years to come.

Categories: Security
Tags: access control, backups, compliance, cybersecurity, data protection, password security, privacy, risk management, security checklist, small business

Cookie	Duration	Description
akavpau_ppsd	session	This cookie is provided by Paypal. The cookie is used in context with transactions on the website.
nsid	session	This cookie is set by the provider PayPal. This cookie is used to enable the PayPal payment service in the website.
tsrce	3 days	This cookie is set by the provider PayPal. This cookie is used to enable the PayPal payment service in the website.
x-pp-s	session	This cookie is set by the provider PayPal. This cookie is used to process payments from the site.

Cookie	Duration	Description
ac_enable_tracking	1 month	This cookie is set by the Active Campaign. This cookie is used to keep track of the site usage.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_omappvp	11 years	The cookie is set to identify new vs returning users. The cookie is used in conjunction with _omappvs cookie to determine whether a user is new or returning.
_omappvs	20 minutes	The cookie is used to in conjunction with the _omappvp cookies. If the cookies are set, the user is a returning user. If neither of the cookies are set, the user is a new user.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
MUID	1 year 24 days	Used by Microsoft as a unique identifier. The cookie is set by embedded Microsoft scripts. The purpose of this cookie is to synchronize the ID across many different Microsoft domains to enable user tracking.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
uid		This cookie is used to measure the number and behavior of the visitors to the website anonymously. The data includes the number of visits, average duration of the visit on the website, pages visited, etc. for the purpose of better understanding user preferences for targeted advertisments.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_fw_crm_v	1 year	No description
_gat_UA-124464104-1	1 minute	No description
_gat_UA-182261587-1	1 minute	No description
_hjAbsoluteSessionInProgress	30 minutes	No description
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description
_hjIncludedInSessionSample	2 minutes	No description
_hjTLDTest	session	No description
_lfa	2 years	This cookie is set by the provider Leadfeeder. This cookie is used for identifying the IP address of devices visiting the website. The cookie collects information such as IP addresses, time spent on website and page requests for the visits.This collected information is used for retargeting of multiple users routing from the same IP address.
_seg_uid	1 year	No description
_seg_uid_3536	1 year	No description
_seg_visitor_3536	1 year	No description
_uetvid	16 days 6 hours	No description
CONSENT	16 years 8 months 2 days 6 hours	No description
cookielawinfo-checkbox-functional	1 year	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-others	1 year	No description
DO-LB		No description
enforce_policy	1 year	No description
hyperise_session	2 hours	No description
l7_az	30 minutes	No description
LANG	9 hours	No description
prism_799560831	1 month	No description
RUL	1 year	No description
whr_nov	1 year	No description
x-cdn		No description

The Privacy Checklist Every Small Business Needs

Fiona Dalton

Why Are Small Businesses at Risk of Cyberattacks?

10 Steps for Small Businesses to Protect Their Data

Conclusion

Leave a Reply Cancel reply

RESOURCES

LEGAL