How valuable is your data—that confidential customer information, those internal sales reports, the demographic details you use for marketing? Actually, that’s a trick question, because your data is downright expensive if it’s compromised.
A study of data breaches by the Ponemon Institute (a Michigan-based research center dedicated to privacy, data protection and information security policy) reports that the average consolidated total cost of a data breach grew from $3.8 million to $4 million in 2016—and the average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158.
With the U.S. average cost per square foot of a 5x5 climate-controlled storage unit at $2.92/psf in 2016 ($1.62/psf for a 10x10), and annualized asking rent growth projected to trend downward for the next five years, a data breach could take a big bite out of a facility’s profits.
Before you say, “Yeah, but that kind of thing would never really happen to us,” don’t be so sure: The FBI Internet Crime Complaint Center reports that it received an average of almost 300,000 complaints per year over the last five years.
Take this quick quiz to see how vulnerable your self storage business might be to a data breach:
- Do you have a formal written Internet security policy for employees?
- Do you have policies regarding how your employees use social media?
- Do you have a customer information privacy policy your employees must follow?
- How about a plan for keeping your business cyber secure?
- Do you provide Internet safety training to employees?
- Do you allow the use of USB devices in your facility’s office?
- Do you require any multi-factor authentication for access to any of your networks?
- Are all of your machines completely wiped of data before disposing of them?
We won’t ask you to answer these questions publicly. And if you said ‘no’ to some of them, you’re in good company: most small businesses don’t, according to the National Cyber Security Alliance.
The Alliance (a collaboration between private industry and the U.S. Department of Homeland Security) recommends small businesses consider these questions when evaluating their data-related risks:
- What information do you collect?
- How do you store the information?
- Who has access to the information?
- How do you protect your data?
- What steps are you taking to secure your computers, network, email and other tools?
“If a self storage operator collects tenant social security numbers or credit card information, the operator must keep this data secure,” says SSA General Counsel Carlos Kaslow. “If it is maintained on a computer it should be stored in an encrypted format and be accessible only to those persons that may need to access this information. It is also a good idea not to print out social security numbers on documents, or to print only the last 4 digits.”
Kaslow adds that a storage operator has certain obligations to affected customers if the facility has a data breach or tenant files with sensitive information are stolen. “For example, businesses have a duty to notify tenants whose data has been breached,” he says. “In some instances, a business is also required to provide customers with credit monitoring service for 12 months. The big advantage to encrypting tenant data stored on a computer is that the business is relieved of the reporting requirement in most instances.”
While we’ve all seen the headlines about big organizations having their systems hacked or their data otherwise compromised—Target and the Democratic National Committee come to mind as famous examples—the problem isn’t limited to the big guys. And the consequences for a small business can be enormous.
“A bigger company can weather a breach better than a small one,” observes Kathy Stershic, principal consultant at Dialog Research & Communications in Alexandria, Virginia. “It could put a small firm out of business—think lawsuits, regulatory actions, and damage to its reputation.”
The bottom-line message is simple: Every business of any size must take data privacy and security seriously. What can you do? Here are four steps to consider:
- Identify and inventory your data
- Protect your data
- Manage your risk
- Review your vulnerabilities regularly
“Data is not always digital,” notes Stershic. “You need to know what you have, where it comes from, and where it goes—in other words, how it’s shared and protected. Paper files need to be well guarded if they’re in file cabinets. You need safeguards on physical documents and access to them. The janitor has no need to access rental contracts, for example, and the bookkeeper doesn’t need social security numbers or gate codes.”
David Freeman, account executive at RDA Corporation, a Maryland-based marketing technology company, agrees: “Data can easily walk out the door unless it’s secure and encrypted,” he says. “A small business needs to worry about physical security, application security, data security, and IT operations security. You have to have policies in place—and you need to enforce those policies.”
For example, suggests Freeman, always know where your computers are, who’s using them and what they’re using them for. Secure them when not in use, and limit access to authorized people. Who can access your servers, your databases and your cloud accounts? Can anyone reach your system or files remotely, through your VPN (virtual private network) or directly through a website, from a personal computer at home or a mobile device on the road? Do you or your employees ever catch up on work while at, say, a local Starbucks using a public wireless connection?
Have good password security practices (and never use something obvious, like 12345). Maintain logs showing who accesses what and when. Don’t store personally identifiable information like social security numbers, because there are ways crooks can scan and identify computers where such details are kept. Have a procedure in place to prevent people from using a thumb drive to download files or information from your systems. Use available technology to prevent employees from accidentally downloading viruses or malware, and train them how to avoid phishing scams.
To help manage your risk, SSA’s Kaslow suggests asking your insurance agent about data breach coverage. “It is not cheap but should be considered,” he says. “A data breach can be costly and insurance can help. Many insurers even provide a help desk that will walk the business owner through the process.”
Review your vulnerabilities regularly. How often is up to you. The larger and more complex your operation, the more often you’ll probably want to revisit your practices to make sure everything is working as you intended. At the very least, conduct a thorough review annually.
Finally, keep yourself up to date on small business data security practices. The Council of Better Business Bureaus offers a list of resources for small businesses concerned with data privacy and cyber security. And the Federal Trade Commission provides a robust collection of publications and links in its Business Center.
So, are you paranoid now? Excellent. As Freeman observes: “Being paranoid about data is a good thing, because you don’t want an incident.”