As a business owner, one of your biggest responsibilities is keeping your customers’ personal and credit card information protected. In 2014, more than 1 billion personal records were leaked or stolen—indicating that cyber crime isn’t going anywhere, and protecting your customers’ data should be a top priority. While you may think small businesses aren’t the target of cyber threats, it’s better to be safe than sorry: in addition to earning and keeping your clients’ trust, your reputation as a business is also on the line.

We talked to Todd Jones, vice president of strategy and products at Identity Guard, a company that has protected more than 37 million American consumers’ identities and is considered the leader in the identity and privacy sector. Jones advised that, first and foremost, it’s important to have a privacy policy in place. “They are not required by law for most businesses, but I would strongly recommend that any business that collects personal data from consumers have one,” said Jones. “The privacy policy is your business’ pledge to the customer about how you will use and protect their personal data. Most people will never ask, but when someone does it shows that you’ve put some thought into customers’ security and projects your business in a positive and professional light.”

Next you’ll want to make sure your staff is aware of the privacy policy and that they are thoroughly trained on how to handle sensitive client material. Jones says the rule of thumb is that access to personal information should be limited to only those with a specific business need to see it. “While everyone is responsible for security, one person must be accountable for ensuring that policies are followed,” he added.

Laptops, desktops, tablets, PDAs, servers—all store information that could be stolen, and therefore all need to be password-protected. As mentioned above, only a small circle of employees should have access to passwords; be sure to change all passwords once an employee resigns or is let go.

According to Jones, there are three common mistakes when it comes to passwords:

  1. Using the same password multiple times
  2. Writing passwords down where others can find them
  3. Using weak passwords that can be easily guessed

“A strong password will be at least 10 characters long and include special characters, numbers and letters,” advises Jones. “Passwords should also be updated every 90 days.”

If you search “identity theft protection” online, dozens and dozens of products are going to surface. But beyond specific brands, what types of software do you actually need? According to Jones, there are four types every business should have.

  1. Anti-virus

“While most anti-virus solutions can’t keep up with the pace of new viruses being introduced, a business should use some form of anti-virus software to serve as a baseline protection against threats that have been detected in the wild,” said Jones.

  2. Firewall

“If your computer is connected to the Internet, your business should employ some type of firewall to protect it from unauthorized inbound and outbound network traffic,” explained Jones. “Firewalls can help prevent your computer from sending personal data out into the Internet and prevent you from downloading malicious programs.”

(Note: There are both software and hardware firewalls; the hardware options tend to be more expensive.)

  3. Encryption

“Even if your firewall prevents your machine from getting hacked, it’s still possible for someone to steal the physical machine,” said Jones. “Encryption software will encrypt the data to prevent it from being read even if the device is stolen.”

  4. Data Backup

“Fires, floods, system failures, or worse will sometimes happen,” explains Jones. “Backing up your data on a regular basis is needed to ensure that you have the information you need to keep your business going, even after a disaster strikes.”

BONUS: Video Surveillance

“There are threats to your customers and their data not only in the digital world, but also in the physical world,” said Jones. “An inexpensive video surveillance system can help a business owner protect their physical assets including their computing devices.”

Yes, all these may represent a doomsday scenario, but as a business owner you owe it to your clients to have a breach plan in place. “It’s impossible to get your response right in the midst of a crisis,” said Jones. “Planning ahead can ensure that your business comes through with the least amount of damage to your finances and your reputation.”

Check in with these sites regularly to stay on top of the latest statistics, criminal tactics, legal updates and software options available to you.

The National Institute of Standards and Technology

The Federal Trade Commission offers guidance on a number of security-related issues:

The Small Business Administration: