It’s nearly a month now since the Sony hack. While other global events now dominate headlines, the Sony breach should serve as a constant reminder to remain ever vigilant when it comes to protecting your company data. Research suggests that protecting data begins right within your own organization by ensuring that small business employees follow best security practices.

Employees doing something they shouldn’t do is the cause of a significant number of data breaches, says Jeffrey Bernstein, managing director of information security at T&M Protection Resources. Recently interviewed by Angela Stringfellow for an American Express Open Forum article, “The Sony Hack: Security Lessons for Small-Business Owners,” Bernstein noted that security industry data over the past 12 months indicates that well over 80 percent of data theft began with users doing things they shouldn’t have. Activities that open the door to hacks include clicking on a malicious link in an email, opening an email attachment, using weak passwords or being tricked through phishing scams or other social engineering attacks to provide a password.

While cyberattacks are on the rise in general – the Ponemon Institute reported last September that 43 percent of US firms experienced a data breach in the past year – hackers have increasingly turned their attention to small businesses, many of which lack sufficient security safeguards.

A 2013 survey conducted by the National Small Business Association found that 44 percent of small businesses had been attacked, at an average cost to the company of $8,700. Even more alarming is how many small businesses go out of business after a breach. Credit information company Experian estimates that figure is as high as 60 percent.

Assess your cyber security risk

The National Cyber Security Alliance (NCSA), whose mission is to educate and empower the safe and secure use of the Internet, recommends small business owners assess their risks online, since as many as 66 percent indicate they depend on the Internet for day-to-day operations. From that, you need to develop a formal written Internet security policy.

NCSA recommends that the questions to consider when assessing online risks include:

  • What information do you collect?
  • How do you store the information?
  • Who has access to the information?
  • How do you protect your data?
  • What steps are you taking to secure your computers, network, email and other tools?

In developing your plan, focus on three key areas: prevention, resolution and restitution. The Federal Communications Commission provides a Small Biz Cyber Planner to help evaluate your risk and create a plan.

Train employees

Even the best policy won’t help if you don’t provide your team with training about accessing information, whether it’s resident on company computers or in the cloud. Policy also should include best practices for the use of personal mobile devices in the office, from remote locations or on the go.

Among best practices, NCSA recommends:

Keep machines clean: Policy should include what employees can install and keep on devices they use for work.

Create strong passwords: They should be long and strong, with a mix of uppercase and lowercase letters, numbers and symbols, says NCSA. Employees also should be advised to change passwords routinely and keep them private.

When in doubt, throw it out: Instruct your team not to open suspicious links in email, tweets, posts, online ads, messages or attachments – even if they know the source.

Back up work: Backups can be set to run automatically, or you can instruct your team how to do it themselves.

When it comes to protecting your small business data, make it a company-wide effort to keep it out of the reach of the bad guys.