Guide aims to plug security holes for small business

Several groups have come together to help vulnerable small businesses protect against data breaches with a package of guidelines unveiled Monday.

Although data breaches at large companies dominate headlines, an estimated 56 percent of U.S. small businesses had data breaches in 2005. Most of the nation's 23 million small firms hold personal consumer information, said Steve Cole, president and chief executive officer of the Council of Better Business Bureaus Inc. (CBBB). The CBBB, along with think tank Privacy & American Business and sponsors such as IBM Corp. and eBay Inc., Monday launched the Security and Privacy -- Made Simpler program aimed at businesses with fewer than 500 employees.

Many of the targeted companies don't have the money or expertise to implement comprehensive security programs, CBBB officials said. "Small businesses are as valuable -- perhaps more -- than their larger counterparts," Cole said at a Washington, D.C., press conference. "The goal is to make the issues less intimidating and point small businesses in the right direction."

The customer data security toolkit released Monday is available for free at BBB.org/securityandprivacy. The kit offers guidance on how to create security and privacy policies, control employee access to sensitive data, and dispose of old computers and electronic files. It also has checklists for everyday security practices, such as training new employees on security and privacy policies, and advice such as, "If you don't absolutely need a piece of customer information, the best policy is, don't collect it."

The CBBB, the umbrella organization for 116 Better Business Bureaus across the U.S., also plans to release an employee data protection toolkit later this year, and is planning a Web-based security seminar and ongoing updates about new security and privacy developments affecting small businesses, Cole said.

A survey conducted by the Small Business Technology Institute found that about 20 percent of small businesses do not use virus-scanning software for e-mail, and more than 60 percent do not protect their wireless networks with encryption.

Small businesses can face several problems when they're not using reasonable security practices, including a loss of customer confidence, said Lydia Parnes, director of the Bureau of Consumer Protection at the U.S. Federal Trade Commission (FTC). "If you don't protect consumer information, you're not only putting consumer data at risk, you're also putting your business at risk for enforcement actions," she said.

The FTC has punished several large businesses that failed to protect consumer data, and Parnes said the commission could also take action against small businesses that have "woefully inadequate security measures in place." The FTC looks for reasonable security measures, and not every data breach is subject to FTC action, she added.

But the CBBB's primary goal in starting the security program wasn't to threaten small businesses with FTC action, Cole said. "It's about securing your customers," he said.