How to secure a database of 83 regular customers from leakage
Most small companies in Częstochowa think that hacker attacks only concern big banks in Warsaw. This is a mistake that costs real money. Recently, we helped a local construction wholesaler that kept the data of 83 key customers in a regular Excel file on the desktop of a shared computer.
Excel on the desktop is a trap
The owner of the wholesaler, Mr. Andrzej, has been running the business for 7 years. During this time, he collected contact details for 83 regular customers who generate 74% of his monthly turnover. Each of these records contained not only phone numbers but also negotiated discounts, payment terms, and private addresses of subcontracting company owners. All this knowledge lay in a single file named 'CUSTOMERS_2024.xlsx'. The file had no password, and anyone who sat at the computer in the office had access to it – from sales representatives to an intern who came for two weeks.
The problem was that anyone could copy this file to a pendrive in less than 12 seconds. If such a document reached a competitor on the next street, Mr. Andrzej's wholesaler could lose contracts worth about 42,000 PLN in a single quarter. Honestly, it was a ticking time bomb that no one talked about openly until one of the former employees started their own business. Then Mr. Andrzej realized that technology should serve him, not make it easier for third parties to steal his intellectual property.
We did a quick review of what had happened in the company over the last 3 months. It turned out that the database file was opened an average of 14 times a day, but no one knew exactly who was making changes. Lack of control is the first step to chaos. At Innovation Embassy, we don't hide behind jargon – we simply showed the owner that his most valuable asset was being served up on a platter. We operate stably and predictably, so instead of expensive programs with a subscription, we proposed simple, physical data security.
Any employee could copy the database of 83 customers to a pendrive in less than 12 seconds. It was a ticking time bomb.

A permission system that doesn't hinder work
The first step was to take away everyone's access to the main file. It sounds radical, but it's the only way. Together with Mr. Andrzej, we determined that a salesperson must see the customer's phone number and purchase history, but doesn't need to know the exact margin the company earns on them. In turn, the accountant needs the NIP (tax identification number) and payment terms, but doesn't need insight into sales notes about which customer likes deliveries in the morning and which in the afternoon. We divided access into 3 clear permission groups.
Implementation took us exactly 4 business days. We didn't want to paralyze the work of the office at NMP Avenue, so we introduced changes in stages. First, we secured the local server itself, which we placed in a small rack cabinet in the corner of the office. Thanks to this, the data stays with you – it's not in the cloud in the USA or Ireland. If the internet goes out, the wholesaler can still issue documents and check prices for its 83 customers. This is technological sovereignty, which we fight for on behalf of our clients.
Every employee got their own password. Now, when someone opens the file, the system records it in the logs. We know that on November 12 at 14:10, a salesperson was browsing the database. This is not surveillance, it's responsibility. If something disappears or is accidentally deleted, we know who to approach and ask what happened. Facts instead of promises – Mr. Andrzej now sees in black and white who is working on his data and who is just browsing it aimlessly.
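The split described above (each group sees only the fields it needs, and every open is recorded with user and time) can be sketched as follows. This is an added example, not the system installed at the wholesaler; the field names, user names, the third "owner" group, the year in the timestamp and the sample record are assumptions constructed for illustration.

```python
from datetime import datetime

# Fields each group may read. "salesperson" and "accountant" follow the article;
# the "owner" group and all field names are assumptions made for this example.
ROLE_FIELDS = {
    "salesperson": {"name", "phone", "purchase_history", "delivery_notes"},
    "accountant": {"name", "nip", "payment_terms"},
    "owner": {"name", "phone", "purchase_history", "delivery_notes",
              "nip", "payment_terms", "margin_pct"},
}

AUDIT_LOG = []  # stand-in for an append-only log that ordinary users cannot edit


def read_customer(user, role, record, now=None):
    """Return only the fields the role may see; log every attempt, allowed or not."""
    now = now or datetime.now()
    allowed = ROLE_FIELDS.get(role)  # unknown role -> None -> denied by default
    AUDIT_LOG.append({
        "time": now.isoformat(timespec="minutes"),
        "user": user,
        "role": role,
        "customer": record["name"],
        "result": "allowed" if allowed is not None else "denied",
    })
    if allowed is None:
        raise PermissionError(f"role {role!r} has no access to customer data")
    return {k: v for k, v in record.items() if k in allowed}


# Constructed sample record (not real customer data).
SAMPLE = {
    "name": "Example Subcontractor",
    "phone": "+48 000 000 000",
    "nip": "0000000000",
    "payment_terms": "30 days",
    "margin_pct": 18.5,
    "purchase_history": ["cement", "rebar"],
    "delivery_notes": "prefers morning deliveries",
}

if __name__ == "__main__":
    when = datetime(2024, 11, 12, 14, 10)  # constructed timestamp
    print(read_customer("sales01", "salesperson", SAMPLE, when))  # no margin, no NIP
    print(read_customer("acct01", "accountant", SAMPLE, when))    # no sales notes
    try:
        read_customer("intern01", "intern", SAMPLE, when)
    except PermissionError as exc:
        print("blocked:", exc)
    for entry in AUDIT_LOG:
        print(entry)
```

Denied attempts are logged as well, so the log answers both "who opened the record" and "who tried to".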

Two-factor login for the resistant
The biggest challenge wasn't technology, but people's habits. Employees had been logging into Windows without a password for 7 years. We had to teach them that security requires those extra 5 seconds in the morning. We introduced simple USB security keys for two key people in the company. Without inserting the key into the slot, the computer simply won't show sensitive data. This solution is almost impossible for an outsider to break, even if they know the user's password.
Note: In the beginning, there was some complaining that it makes life difficult. However, after a short training that lasted 1 hour and 15 minutes, the team understood that they are also protecting their own jobs. If the database leaked and the company failed, they would lose their employment. We showed them, using an example from another company in the Częstochowa region, how a data leak led to a fine of 18,000 PLN from the authorities. For a small entrepreneur, such an amount is often a matter of survival.
Today, the database of 83 customers is safe. We also applied an automatic backup mechanism that runs every day at 18:05, right after the office closes. One copy stays on the server, and the second lands on an encrypted drive that the owner takes with him. These are simple methods that work. Your property, your data, your control – these are not empty slogans for us, but daily practice at Innovation Embassy.
Security requires an extra 5 seconds in the morning. It's a low price for protecting the company from collapse.

How to check your security in 10 minutes
If you run a business and have at least 30 regular customers, do a simple test. Approach an employee's computer when they go for coffee. If you can freely open your customer list and email it to yourself, it means you have no protection. Of the 67 companies we have served, as many as 47 failed this test during the first visit. This shows the scale of the problem in our region. People trust each other, but technology does not forgive naivety.
Securing the database is not an expense of several thousand zlotys. In the case of Mr. Andrzej's construction wholesaler, the entire process cost less than the purchase of one new mid-range laptop. It's an investment in peace of mind. Now, even if an employee leaves for the competition, they won't carry away the fruits of the owner's 7 years of work in a pocket on a small pendrive. We operate stably and make sure IT stops being black magic for the boss.
Finally, it's worth adding that data protection is also a legal requirement. Since 2018, fines for lack of due diligence in storing personal data have been real. However, we don't try to scare you with regulators; we focus on business. We want your company to grow without fear that someone will steal your idea for success. If you want to check your customer database situation, we invite you for a short talk over coffee at our office at Najświętsza Maryi Panny Avenue 24.



