Think Your IT Is Secure? Think Again.

NEW YORK (TheStreet) -- The data breach last week at email service provider Epsilon affecting large firms including Verizon (VZ), Capital One (COF), Best Buy (BBY), Citigroup (C), and Target (TGT) should have small-business owners reassessing their own strategies to keep customer information, employee records and other confidential information safe.

TheStreet interviewed Sarah Fender, vice president of marketing and product management at PhoneFactor, the Overland Park, Kan., company providing phone-based authentication solutions to small and large companies. Additional comments came via email from PhoneFactor co-founder and Chief Technology Officer Steve Dispensa.

Workers checking email and logging onto networks remotely can spread viruses. PhoneFactor is among companies providing security such as phone-based identification systems to limit data breaches.

What are some common misconceptions small firms have when it comes to IT security?

PhoneFactor: The first one relates to antivirus and anti-malware software. Antivirus software generally only catches 60% of the current viruses that are out there, so that's 40% of the brand-new viruses that the software isn't even looking for. No one is going to recommend that you don't use antivirus software; we just want people to be aware it's not enough as kind of a standalone. If that's the only thing you're doing to protect your business, then you're probably not doing enough.

Another common misconception, particularly among small businesses, is that passwords keep the bad guys out. This may be true for workers logging into their PC at the office, where physical security helps ensure that the legitimate user is logging in. A co-worker would likely notice a stranger sitting in the cubicle next to them. Increasingly, we're all working remotely. We're checking email from our smartphone. We've got Apple ( AAPL) iPads. We've got all kinds of ways to log into email or networks when we're not in the office. In those scenarios, passwords are not enough.

How can small firms implement a strong data loss prevention security strategy? What is most important in doing that?

PhoneFactor: The basics are important -- keeping servers and user computers patched, with current anti-malware software and an active firewall. Small businesses should do some basic security training even with a small team helping them to understand social engineering and how to handle confidential information and have more awareness to identify those types of threats.

Safeguarding means more than data leakage prevention; it also means having good backups of email and other data, including regular restore testing. Outsourcing email services to a third party can be a good move for small firms, but be careful to take into consideration the kind of security that your email provider is able to provide for you, and go with a reputable firm.

USB drives are increasingly common, but users should understand that they carry serious security concerns with them. Users should understand what kinds of data may be copied onto portable drives and removed from the office. USB drives are also one of the most common ways that viruses and malware spread on networks, so always be cautious about using them with untrusted computers.

For some firms, it may make sense to activate disk-encryption software so that a lost laptop doesn't turn into a major data leak. Most vendors have drive-encryption software, and there is also some excellent free software out there.

Finally, identity management is essential to ensuring only legitimate users have access to your data, and strong authentication, particular for remote access is important.

What is considered strong authentication?

PhoneFactor: Combining a number of factors to strengthen the authentication, generally starting with a username and password and then adding something on top of that, such as a security token ... in our case we use the phone to verify that it is in fact the right person logging on. The idea is to layer these methods together to create a strong or multifactor authentication. PhoneFactor instantly calls the user; the user answers the call and is prompted to press pound to verify himself. It's easy for the end users. It doesn't matter what device they're using to log in from. And it's cost effective. We do have a free version for up to 25 users. Very small businesses can download and use the free version.

Why is two-factor authentication increasing in popularity?

PhoneFactor: There are a number of reasons. The volume and severity and sophistication of threats are definitely on the rise, so that really requires a second factor of authentication. We now need to secure things that weren't really considered to be sensitive a few years ago, such as email. But I think that has changed as the volume of information that is being sent through email increases. There is a lot more data out there than we realize that needs some special protection. The threats are worse and more prevalent.

Recently Google ( GOOG) has added some phone-based authentication for Google Apps and Gmail, which is something very small businesses might be using. This speaks to the widespread trend towards authentication.

What industries are best suited for phone-based authentication?

PhoneFactor: PhoneFactor really works for a very wide range of industries. But there are some industries that are more heavily regulated; health care, which is impacted by HIPAA, so small doctor's offices, small clinics, physical therapy offices. Heath care is a big space.

Another one is retail, which is regulated by in particular PCI data security standards. PCI requires strong authentication. You have to have two factors.

Law firms and investment advisers or accountants -- anybody who is dealing with financial information would need additional security.

To contact the writer of this article, click here: Laurie Kulikowski.

To follow Laurie Kulikowski on Twitter, go to:!/LKulikowski

>To submit a news tip, email:


Follow on Twitter and become a fan on Facebook.

Disclosure: TheStreet's editorial policy prohibits staff editors, reporters and analysts from holding positions in any individual stocks.

More from Personal Finance

Use This Simple Investing Strategy to Stay Ahead in a Rollercoaster Stock Market

Use This Simple Investing Strategy to Stay Ahead in a Rollercoaster Stock Market

5 Most Ridiculous Royal Wedding Memorabilia Items

5 Most Ridiculous Royal Wedding Memorabilia Items

7 Ways Your Financial Adviser Should Help You Survive Rising Interest Rates

7 Ways Your Financial Adviser Should Help You Survive Rising Interest Rates

Five Signs You're Getting a Raw Deal From Your Financial Adviser

Five Signs You're Getting a Raw Deal From Your Financial Adviser

How Right-to-Work Laws Make Inequality Worse

How Right-to-Work Laws Make Inequality Worse