Small businesses might be under the impression that they are not a target for cyberattacks, but they should think again. Like any other company, they have a duty to their customers, clients, employees, and other third parties they do business with to protect the information entrusted to them, in settings such as:
- Law firms, which must ensure that their client case files are held confidentially and their network is not vulnerable to attack.
- Dry cleaners, which must check to make sure they have contracted with trusted third parties to process credit or debit card transactions.
- Business consultant firms, which must ensure that their client’s merger and acquisition due diligence file is not disclosed in an unauthorized manner.
- Health care industry service providers that process medical claims and whose employees are trained in HIPAA compliance.
According to the findings of the NetDiligence 2015 Cyber Claims Study, it is small businesses that account for the most data breach claims activity. For instance, companies with revenues under $50 million (nano-organizations) accounted for 46 out of 160 claims, or 29 percent. Companies with annual revenues between $50 million and $300 million (micro-organizations) accounted for 29 of the claims, or 18 percent. Companies with revenues between $300 million and $2 billion (small organizations) accounted for 40 claims, or 25 percent. That means companies with revenues of $300 million or less accounted for almost half of the claims.
Further, the study notes that total costs, which include forensics, notification, credit/ID monitoring, legal guidance/breach coaching, public relations, legal defense, legal settlement, regulatory defense, regulatory fines, and PCI fines, were as follows:
- Nano-Revenue (<$50M): $32,500 to $809,788.
- Micro-Revenue ($50M-$300M): $64,781 to $764,225.
- Small-Revenue ($300M-$2B): $153,904 to $4,900,000.
Given the information provided within the NetDiligence 2015 Cyber Claims Study as well as the constant barrage of news reports discussing cyber events, it is important to understand some of the protections and precautions that small businesses can take to help mitigate the resulting effect on their operations, including the financial impact such an event will have. Simply thinking, “It won’t happen to my company,” is not an effective risk mitigation strategy. Understanding where the threats to your organization are coming from, however, will help you manage the event when it does occur.
Believe it or not, your employees are the first line of defense. Ensuring that your employees are trained in basic security practices and policies—such as how to create strong passwords, Internet usage guidelines, and rules of behavior that describe how to handle and protect customer, client, employee, or other third-party data—is critical.
Attacks from inside and outside of your organization are commonplace today. The network, computers, and other devices where you house data, transact business, and manage information must be fortified. This includes doing your due diligence on the third parties you have contracted with to provide your organization’s IT services. Keeping security software, web browsers, and operating systems up to date will assist in protecting against viruses, malware, and other online threats.
Additional protections, such as firewall security for Internet connections, can prevent outsiders from accessing information on private networks. Ensure that the operating system’s firewall is enabled and that employees working from home are aware of the risks and that their systems also are protected by a firewall.
Mobile devices are everywhere and are being used for personal and business use. Almost all devices now come with the latest security measures, including encryption, as evidenced through the most recent spat between Apple and the FBI. Have a Bring Your Own Device policy in place that requires users to password-protect their devices, encrypt data, and install security applications to prevent criminals from stealing information while the phone is on a public Wi-Fi network.
The use of company computers by individuals in an unauthorized manner is something that must be considered, along with controlling physical access to devices. Laptops get lost and stolen, so they should be locked up when not in use. Set up user accounts for each employee and require strong password combinations. Administrative privileges should only be given to trusted employees, IT staff, and key personnel.
Use state-of-the-art Wi-Fi security. Make sure the network is secure, encrypted, and hidden from others. Set up your wireless router so that it does not broadcast the network name or service set identifier (SSID), and always password-protect the router.
Also consider implementing an information governance plan. Limit the number of people who have access to all data systems. Employees and third-party providers should only be given access to the specific data systems they need to perform their duties for the organization.
Neither passwords like “password” and “123” nor birth dates and children’s names are sufficient, since they can easily be socially engineered. Consider implementing multifactor authentication that requires additional information beyond a password in order to gain entry to a system.
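As an added illustration of the password advice above (not code from the original article), the policy check below rejects the kinds of passwords the article names: entries on a common-password list, a common password with a trivial suffix such as “Password123!”, and passwords containing a family member’s name or a birth date. The denylist and the personal-information inputs are constructed samples; a real deployment would load a large breached-password list and enforce multifactor authentication separately.

```python
import re
from datetime import date

# Constructed denylist mirroring the article's examples; a production system
# would load a large breached-password list (millions of entries) instead.
COMMON_PASSWORDS = {"password", "123", "123456", "qwerty", "letmein"}


def _date_forms(iso_date: str):
    """Digit strings a birth date is commonly typed as (YYYYMMDD, MMDDYYYY, ...)."""
    d = date.fromisoformat(iso_date)
    return {d.strftime(f) for f in ("%Y%m%d", "%m%d%Y", "%d%m%Y", "%m%d%y", "%d%m%y")}


def check_password(candidate, personal_names=(), birth_dates=(), min_length=12):
    """Return the list of policy violations for `candidate` (empty list == accepted).

    personal_names: names (children, spouse, pets, company) an attacker could learn
    birth_dates:    ISO "YYYY-MM-DD" strings for the user or family members
    """
    reasons = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")

    # Strip trailing digits/symbols so "Password123!" is still caught as "password".
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if lowered in COMMON_PASSWORDS:
        reasons.append("on the common-password denylist")
    elif core in COMMON_PASSWORDS:
        reasons.append("common password with a trivial suffix")

    for name in personal_names:
        if len(name) >= 3 and name.lower() in lowered:
            reasons.append(f"contains personal name '{name}'")

    for iso_date in birth_dates:
        if any(form in candidate for form in _date_forms(iso_date)):
            reasons.append(f"contains birth date {iso_date}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a user named with a child "Emma" born 1985-03-14.
    for pw in ("password", "Password123!", "Emma03141985xyz", "correct horse battery staple 2024"):
        print(pw, "->", check_password(pw, ["Emma"], ["1985-03-14"]) or "accepted")
```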
Taking control of these preventative measures certainly can assist you in creating a barricade around your organization, but none of them is foolproof. As recent events have shown, you must also consider implementing a program that addresses all aspects of cybersecurity within your organization.
Additionally, cyber liability insurance can be an effective way to mitigate the financial consequences of a breach. The costs noted earlier can be incorporated into a risk transfer product that will cover the first- and third-party costs as well as provide you with immediate access to professionals and experts who will guide you through the event with precision, allowing you to get back to managing your business.