Cisco Blogs

5 Steps for Avoiding Data Breaches

September 29, 2011 - 1 Comment

These tips can protect your business and customers from financial loss and identity theft

So far this year, 369 data breaches have been reported to the Open Security Foundation Data Loss Database, affecting 126,749,634 records. A breach in your business data can come from loss, theft, or exposure of information, which opens you and your customers up to such risks as financial loss and identity theft. Most reported breaches involve stealing private information, like customers’ email addresses and credit card numbers.

A small business can suffer data loss through a variety of data breaches, not all of which can be pinned on a malicious hacker. Data can be lost when a mobile device goes missing, gets accidentally deleted from a server or computer, or when an employee inadvertently makes private data public or steals it outright. And sometimes data is lost not by human error or interference but by an unfortunate accident such as a natural disaster or computer failure. In some way and at some time, a data breach can—and eventually will—happen to everyone.

These five steps can help you secure your critical data against breaches and mitigate the risk of losing customers, intellectual property, and regulatory compliance.

Step 1: Document where your data is stored and how it is accessed. Small businesses have data stored in different places, from computers in the office to employees’ personal smartphones to third-party servers in the cloud. You need to know what kinds of files are being kept in each location and how employees are accessing the data. For example, does your salesperson keep confidential customer data on his smartphone? Are employees remotely accessing sensitive information on your server? Both of these scenarios can make your business data more vulnerable to exposure to the outside world.

Step 2: Identify the level of protection your data needs. Not all data is critical to your company’s business and so doesn’t need to be protected with the same levels of security. All of your data should be behind a firewall, of course, and employees should connect to your network remotely through a secure virtual private network (VPN). And more sensitive data should be encrypted.

The best way to determine which types of data need the strongest security measures is to consider the impact its loss would have on your company. For example, what would happen if your customer database was wiped out or an employee’s email account was compromised? Losing certain types of data—and having to report that loss to customers and partners—can be devastating to your small business.

Also, determine the likelihood of an attack on certain types of data, how a breach might happen, and how you can protect against it. For instance, laptops and smartphones are more likely to be lost or stolen than desktop PCs, so they must be protected with strong passwords or, for even tighter security, random pass phrases and stored data on the device should be encrypted.

Step 3: Secure your company’s data. Once you’ve determined the levels of protection your data requires, you can implement specific security measures. No matter where your data is located, you can safely secure it with both hardware, such as a security appliance, and software like antivirus ,antimalware, and encryption applications. Start by protecting the data that keeps your company in business, such as a customer database. Then, make sure all servers, PCs, and laptops are locked down. Finally, check that security features within your operating systems are enabled and configured.

Step 4: Create a disaster recovery plan. Even if you take every possible step to secure your network, you need a disaster recovery plan. Your disaster recovery plan should include making regular backups of all your data. You can then use those backups to bring your business back online should a server go down or a laptop get lost. The disaster recovery plan should also clearly state who in your company is responsible for making the backups, the processes required to restore data and systems, and which data should be restored first.

Step 5: Know what to do if you experience a data breach. No one likes admitting to a mistake, but taking action and owning up in the case of a data breach or an attack may be the smartest way your company can handle an incident. Depending on where your small business is located and what industry you’re in, you may be required by local and federal laws to publicly report even a suspected data breach. The bottom line: You need to know what your response must be before you actually need to act on it.

Protecting your data from a security breach boils down to best network security practices, which starts with the hardware on your LAN. A security appliance, such as the Cisco SA 500 Series Appliances or the Cisco ASA 5500 Series Adaptive Security Appliances, combine a firewall, VPN, and an intrusion prevention system (IPS) to ease administration. Your router can also provide some security features. The Cisco Small Business RV Series Routers, for instance, provide a firewall along with data encryption and user authentication. You can further protect your network from web-based threats with Cisco ProtectLink.

Determining the security measures your small business needs can be a daunting undertaking, especially if you don’t have a dedicated in-house IT person. Don’t risk your business on best guesses. When in doubt, consult a security professional, such as a local Cisco reseller or Certified Information Security Systems Professional (CISSP) who can help you determine your risk and suggest solutions for securing your company’s data.

How are you protecting your data against a security breach?

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. Hey Michael i liked your tips for securing critical business data. I agree small business organisation should document the location of their data and how it is accessed. Well i think with the passage of time the business data is most prone to theft so companies should allocate sufficient funds to secure their important data