Innovation@work: Cybersecurity Risks for Small Businesses – What You Should Know and What Steps You Should Take


By: Eric Langland and Tony Perkins

Many small businesses may think they are immune from cyber-attacks and data breaches because the payoff for criminals isn’t lucrative enough. On the contrary, small businesses should be more concerned than big businesses when it comes to cyber risks. In 2017, sixty-one percent of data breach victims were businesses with fewer than 1,000 employees. Even more concerning, forty-three percent of all cyber-attacks were targeted at small businesses! The problem isn’t limited to just getting hacked either, as many data breaches result from employee error or negligence.

What Does This Mean for Your Business?

Implementing new measures

Preventing a breach out of the gate is easier and often less costly than repairing the trust and confidence of your customers after a cybersecurity incident. After a breach, most companies will assess their current security program and enact new measures to prevent future incidents. The implementation of new security policies and technologies on an expedited basis often takes more time and money than upfront preventive measures.

Lawsuits and other penalties

Data privacy and data security laws can vary significantly from state to state, and you may be subject to individual or class action lawsuits as a result of a data breach. In addition, failure to follow notification provisions in state data breach laws could result in penalties by state enforcement agencies. Collateral damage to the company can also include loss of business and damage to the company’s reputation.

Government enforcement actions

State attorneys general are empowered to investigate and penalize businesses that violate state unfair and deceptive acts and practices laws (UDAP). Originally designed to protect consumers from predatory and unscrupulous businesses, UDAP laws have been applied to businesses that fail to take reasonable measures to protect customer data.

Outside forensic investigation and legal counsel

To determine the source and scope of a breach, you may have to hire outside forensic investigators. Similarly, you may have to consult with outside legal counsel prior to notifying consumers and state agencies. These steps not only add additional costs but can potentially interrupt day-to-day business while the investigation is ongoing. Depending on the results of the investigation, significant remediation efforts may be required to fix the problem and stem the breach.

The costs for failing to take cybersecurity seriously can be significant. Of small businesses with 100 to 1,000 employees that have reported an incident, the average spending was $1.43 million in the aftermath of an attack. In addition to attack-related expenses, the disruption to normal operations cost an average of $1.56 million. While larger enterprises skew these expense figures upwards, according to the 2018 Verizon Data Breach Investigations Report, 58% of cyber-attack victims were small businesses with fewer than 250 employees, and these expenditures help frame the discussion when considering what preventative steps to take.

What Can Be Done to Protect Your Business?

Begin with a risk assessment of the company’s information security practices.

  • Consider unique aspects of the business that make it vulnerable to a certain type of attack (e.g. what type of information does the company handle?).
  • Carry out an audit of any company data assets and consider a full data mapping exercise.
  • Assess the business’ use of mobile and personal IT devices, the strength of passwords, and the level of encryption for sensitive data.
  • Draft a clear outward-facing data security policy and carefully document all internal procedures.

After assessing potential risks, implement new security controls.

  • Malware protection: install anti-virus software and keep it up to date.
  • Computer network: the network should include firewalls, proxies, and access controls.
  • User privileges: allocate privileges based on need, with controls in place to prevent unauthorized access.
  • Consider installing user verification methods, including the use of digital signatures, and restrict the use of removable media such as USB drives.

Examine the company’s cloud computing practices.

  • Inventory the business’ cloud-based platforms.
  • Analyze whether it is appropriate to send that information to the cloud (i.e. is the information of a sensitive nature?).
  • Review the company’s vendor management agreements and seek to understand how third-party vendors are safeguarding their data during data transfers and while stored in the cloud.
  • Remind clients to check the addresses of any emails purportedly sent by the firm, especially if they relate to any financial information or requests for payment.

Take steps to make cybersecurity a part of the business’ regular risk-management procedures.

The end goal is to make cybersecurity awareness part of the business’s culture. One way to do this is to review systems and procedures regularly and incorporate tests to improve security. A good practice is to dispose of programs or physical devices that are no longer needed. If the business experiences a cyber-attack, remove any ongoing threats and then conduct a post-breach review, including compliance with any relevant breach notification laws.

Consider cyber insurance coverage.

In general, cyber insurance policies will protect against the loss or damage of electronic data. With the increase in cyber-attacks in recent years, these policies are becoming more popular. Not only do they help to mitigate financial risk, but they also provide an ally who is familiar with the company if a breach does occur. Without a cyber insurance provider already in place before an attack, a business will be left to deal with security companies that must analyze the situation based on their first impression.