Could your company be putting customers and employees at risk of identity theft? Most small business owners would answer no. They'd be wrong. "In general, we see a sense of invincibility among small business owners," says Matt Cullina, CEO of Identity Theft 911, which provides identity theft prevention and recovery services. "They know data breaches are happening, but they don't think it's going to happen to them."

Of course, small business owners also face another challenge: With money tight, and simply keeping the doors open a top priority, many feel they can't afford to invest in data security even if they want to. That's a perfectly legitimate concern. But the good news is there are things small businesses can do to up their data security without much expense. Start with these four steps:

1. Don't store more personal data about employees or customers than you need.

Most companies view data as an asset, which it is. But it's also a liability, Cullina says. If your security is breached and an outsider gets access to your customers' or employees' data, every bit of personal information you have--names, addresses, birth dates, place of birth, and so on--makes it easier for a hacker to sneak into their online accounts.

"A lot of times we collect information just because we can," he says. "Don't take in sensitive data unless you absolutely need it to run the business. And have a destruction policy for when you don't need it anymore."

2. Train employees to treat personal data appropriately.

Though the risk of employees stealing or misusing data is something to watch for, the biggest cause of data breaches is simple error by people who meant no harm, Cullina says. "Simple training would have saved those companies a lot of embarrassment," he adds.

The idea is to teach employees to treat customer and employee personal information as a valuable asset and protect it in much the same way they might protect your company's bank account access or trade secrets. "Make your employees stewards of that information," Cullina advises.

3. Talk with vendors and contractors about how they protect your data.

"Any kind of support people--website designers, people who set up payment processing--all those connection points can create vulnerabilities," Cullina says. One small business he worked with suffered a devastating data breach in which all employee data was exposed, including Social Security numbers. When Identity Theft 911 staff analyzed the breach, they discovered that the company had outsourced its IT to a vendor that had not kept those systems secure: passwords and malware protection were not being updated. Eventually, a hacker got inside the company's network.

"The IT provider said that they didn't know the small business wanted that updating service, which would have cost extra," Cullina says. You need to either let vendors know that you expect them to provide data security--or make sure to provide it yourself. If everyone thinks someone else is minding the store, bad things happen.

4. Consider using encryption.

"Most data breach laws and regulations include best practices for managing data," Cullina says. "The No. 1 item--other than having firewalls in place--is encrypting data any time it leaves your company." In fact, he says, if you suffer a data breach but the data is encrypted, you likely won't have to go through the legally required notification to customers. "It's a key get-out-of-jail-free card," he says.

Getting data encrypted may not be as hard as you think, he adds. In today's market, encryption vendors may be able to provide products that can simply be added to your email applications. "It's not as complicated or expensive as it used to be," he says.