NEW YORK (TheStreet) -- The data breach last week at email service provider Epsilon affecting large firms including Verizon (VZ), Capital One (COF), Best Buy (BBY), Citigroup (C), and Target (TGT) should have small-business owners reassessing their own strategies to keep customer information, employee records and other confidential information safe.
TheStreet interviewed Sarah Fender, vice president of marketing and product management at PhoneFactor, the Overland Park, Kan., company providing phone-based authentication solutions to small and large companies. Additional comments came via email from PhoneFactor co-founder and Chief Technology Officer Steve Dispensa.
What are some common misconceptions small firms have when it comes to IT security?
PhoneFactor: The first one relates to antivirus and anti-malware software. Antivirus software generally only catches 60% of the current viruses that are out there, so that's 40% of the brand-new viruses
Another common misconception, particularly among small businesses, is that passwords keep the bad guys out. This may be true for workers logging into their PC at the office, where physical security helps ensure that the legitimate user is logging in. A co-worker would likely notice a stranger sitting in the cubicle next to them. Increasingly, we're all working remotely. We're checking email from our smartphone. We've got Apple (AAPL) iPads. We've got all kinds of ways to log into email or networks when we're not in the office. In those scenarios, passwords are not enough.
How can small firms implement a strong data loss prevention security strategy? What is most important in doing that?
PhoneFactor: The basics are important -- keeping servers and user computers patched, with current anti-malware software and an active firewall.
Safeguarding means more than data leakage prevention; it also means having good backups of email and other data, including regular restore testing. Outsourcing email services to a third party can be a good move for small firms, but be careful to take into consideration the kind of security that your email provider is able to provide for you, and go with a reputable firm.
USB drives are increasingly common, but users should understand that they carry serious security concerns with them. Users should understand what kinds of data may be copied onto portable drives and removed from the office. USB drives are also one of the most common ways that viruses and malware spread on networks, so always be cautious about using them with untrusted computers.
For some firms, it may make sense to activate disk-encryption software so that a lost laptop doesn't turn into a major data leak. Most vendors have drive-encryption software, and there is also some excellent free software out there.
Finally, identity management is essential to ensuring only legitimate users have access to your data, and strong authentication, particularly for remote access, is important.
What is considered strong authentication?
PhoneFactor: Combining a number of factors to strengthen the authentication, generally starting with a username and password and then adding something on top of that, such as a security token ... in our case we use the phone to verify that it is in fact
PhoneFactor: There are a number of reasons. The volume and severity and sophistication of threats are definitely on the rise, so that really requires a second factor of authentication. We now need to secure things that weren't really considered to be sensitive a few years ago, such as email. But I think that has changed as the volume of information that is being sent through email
What industries are best suited for phone-based authentication?
PhoneFactor: PhoneFactor really works for a very wide range of industries. But there are some industries that are more heavily regulated; health care, which is impacted by HIPAA, so small doctor's offices, small clinics, physical therapy offices. Health care is a big space.
Another one is retail,
Law firms and investment advisers or accountants -- anybody who is dealing with financial information would need additional security.