Facebook and such other heavyweights as Equifax and Saks Fifth Avenue are among the many high-profile companies that have suffered recent data breaches, capturing public attention. The courts are holding businesses financially accountable for the cost of data loss that harms their customers, noting that businesses are responsible for protecting a customer’s information as carefully as they safeguard their own trade secrets.
With the focus on big firms, smaller companies may think they will get a pass.
But that’s a costly mistake. Cybercrime is increasing, and small businesses are likely to be hit harder than larger firms, given less preparation and smaller budgets. Because small companies often lack the resources and expertise to secure their networks, criminals can hit them with commodity attacks that steal, encrypt or wipe all their internal data.
The risks are high.
- About three-fifths (61%) of data-breach victims were small businesses, according to a 2018 Verizon report.
- A Ponemon Institute study found that the percentage of small businesses experiencing a cyberattack in the past 12 months rose from 55% in 2016 to 61% in 2017.
- U.S. businesses overall lose more than $525 million per year from cybercrime.
The impact can be devastating. Small businesses responding to the Ponemon Institute survey spent an average of $1,027,053 due to damage or theft of IT assets. On top of those losses, disruption of normal operations cost them an average of $1,207,965. And that’s not counting reputation damage, customer turnover, and employee time spent on recovery.
Survival is at stake. Nearly 60% of small and medium-sized businesses go out of business within six months of a cyberattack, according to UPS Capital. Among contributing factors, 90% of small companies don’t use any data protection for company and customer information, and fewer than half secure their email to block phishing attempts.
Fortunately, a few easy steps can go a long way toward protecting small businesses.
What do you need to consider to keep data safe and secure from a breach?
Answering these four questions will get you started:
1. What data does your company keep – and why?
If you run a small online store, you may want to let customers store their credit card numbers to speed up their next purchase. But once you collect and store that data, you are responsible for keeping it safe. One way to reduce that exposure is to hand card handling to a payment processor such as PayPal, so card numbers never touch your own systems; this does not remove your obligations entirely, but it shrinks what an attacker can take from you.
You also need to protect data that matters to business operations, such as business plans and human resources databases. Begin with an audit: list what information you hold and where it lives, decide what you actually need to keep, and delete the rest, since data you no longer hold cannot be stolen from you. Then decide which of the remaining information is confidential, and how to protect it.
2. Who can access your data?
Limit access to data to the people whose job requires it. For example, only HR should be able to access personnel records, only billing should access payment information, and only customer support and management should be able to review client data.
Particularly in a small business, which may have only a few employees and no full-time IT staff, it may seem simplest to tell employees not to look at anything that isn’t relevant to their job. But an instruction is not a control: an employee who can technically reach the data can copy it, deliberately or by accident, and staff who leave to join a competitor have been known to take customer lists with them. Enforce the limits in the systems themselves, with separate accounts and permissions per role, and revoke access the day someone leaves.
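As an added example that is not part of the original article, the Python sketch below shows the difference between telling staff what not to open and having the system enforce it: roles map to the data sets named above, anything not explicitly granted is refused, refusals are recorded for review, and offboarding removes every role at once. The role, resource and user names are assumptions chosen to match the article’s examples; in practice the same logic lives in your file server’s permissions or your application’s user roles.

```python
from collections import defaultdict

# Role -> resource -> allowed actions. Role and resource names are assumptions
# chosen to match the article's examples; anything not listed here is denied.
ROLE_PERMISSIONS = {
    "hr":         {"personnel": {"read", "write"}},
    "billing":    {"payment":   {"read", "write"}},
    "support":    {"client":    {"read"}},
    "management": {"client":    {"read"}},
}


class AccessPolicy:
    """Deny-by-default role-based access control with a record of refusals."""

    def __init__(self, role_permissions):
        self._roles = role_permissions
        self._user_roles = defaultdict(set)
        self.denied = []  # (user, resource, action) tuples worth reviewing

    def assign(self, user, role):
        """Give a user a role; unknown roles are rejected rather than silently ignored."""
        if role not in self._roles:
            raise ValueError(f"unknown role: {role}")
        self._user_roles[user].add(role)

    def offboard(self, user):
        """Departing staff lose every role at once, so nothing is left to abuse."""
        self._user_roles.pop(user, None)

    def allowed(self, user, resource, action):
        """True only if some role of the user explicitly grants the action."""
        # .get() on a defaultdict does not create an entry for unknown users
        for role in self._user_roles.get(user, ()):
            if action in self._roles[role].get(resource, ()):
                return True
        self.denied.append((user, resource, action))
        return False


def demo():
    """Walk through the article's scenario with hypothetical users; returns the policy."""
    policy = AccessPolicy(ROLE_PERMISSIONS)
    policy.assign("alice", "hr")         # alice works in HR
    policy.assign("bob", "support")      # bob is on the support desk
    policy.allowed("alice", "personnel", "read")   # granted
    policy.allowed("alice", "payment", "read")     # refused: HR cannot see billing data
    policy.allowed("bob", "client", "write")       # refused: support is read-only
    policy.offboard("bob")                         # bob leaves the company
    policy.allowed("bob", "client", "read")        # refused: no roles remain
    return policy


if __name__ == "__main__":
    for attempt in demo().denied:
        print("refused:", attempt)
```

Every refusal ends up in `denied`; reviewing that list periodically shows who keeps reaching for data outside their role, which is exactly the behaviour a verbal instruction alone never surfaces.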
3. Can an outside company protect your data better?
A key question is whether you have the resources to protect the information you collect. A small business with a handful of computers on a LAN may not need a full-time IT person to keep things running, but it does need someone with security expertise to keep important data out of the hands of thieves.
With the growing availability of online services, more and more providers will host and protect your data in the cloud, usually for a monthly or yearly fee that scales with your needs. This can be far more cost-effective than maintaining an IT team, with one caveat: the provider secures its infrastructure, but you remain responsible for how you use it, including who gets accounts, whether those accounts use strong passwords and multi-factor authentication, and what you back up.
4. Do employees understand the importance of data protection?
We often think of hacking the way it’s shown on TV, with nerdy characters clacking away at keyboards, trying desperately to thwart an attempted intrusion. But this picture is far from reality.
Most attacks are not technically sophisticated. The Cambridge Analytica affair involved no break-in at all: a third-party quiz app invited Facebook users to grant it permission to read their profile data, and under the platform’s rules at the time that permission extended to their friends’ data as well. Most participants were happy to hand it over to find out what type of sandwich they resembled.
Phishing emails and malicious attachments have been attackers’ most reliable tools for well over a decade, and they continue to work. Banner ads and pop-ups can also carry malicious code. Companies can make huge strides in preventing breaches simply by teaching staff to recognize and avoid these lures.
Advise your employees: don’t open an attachment you weren’t expecting, don’t follow a password-reset link because an email tells you to (go to the site directly instead), and don’t visit non-business websites from work machines. Explain that these are the main ways attackers get in, and that one compromised account can expose the entire company. Turning on multi-factor authentication wherever it is offered means a stolen password alone is not enough.
These steps, plus keeping operating systems, applications and antivirus software up to date, are significant preventive actions. You may also wish to add another layer of protection by obtaining cybercrime insurance, which can pay for some of the costs your business incurs after an attack; read the policy’s conditions, since insurers typically expect basic controls to be in place before they pay out.
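As an added example that is not part of the original article, the script below checks an email for the indicators the advice above describes: a Reply-To that points somewhere other than the sender’s domain, a link whose visible text names a different site than its real target, password-reset lure wording in the body, and an executable or double-extension attachment. The two sample messages and every domain in them are constructed for illustration; the extension and phrase lists are illustrative rather than complete, and the domain comparison is a crude two-label heuristic, not a public-suffix list.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# File types that should never arrive as a casual attachment (illustrative list)
EXECUTABLE_EXTENSIONS = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "jar", "ps1", "docm", "xlsm"}
# Wording typical of credential-harvesting lures (illustrative list)
LURE_PHRASES = ("reset your password", "verify your account", "account will be suspended")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(header_value):
    """'Name <user@host>' -> 'host' (lower-case, '' if the header is missing)."""
    addr = str(header_value).split("<")[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    # Crude: keep the last two labels. Assumption: no public-suffix list is
    # used, so example.co.uk would be compared on 'co.uk'.
    return ".".join(host.split(".")[-2:])


def phishing_indicators(raw_message):
    """Return human-readable indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    sender = _domain(msg.get("From", ""))
    reply_to = _domain(msg.get("Reply-To", ""))
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender domain {sender}")

    text, html = "", ""
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # an attachment: judge it by its name, never open it
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in EXECUTABLE_EXTENSIONS:
                findings.append(f"attachment {filename} is executable content (.{ext})")
            elif filename.count(".") >= 2:
                findings.append(f"attachment {filename} has a double extension")
            continue
        if part.get_content_type() == "text/plain":
            text += part.get_content()
        elif part.get_content_type() == "text/html":
            html += part.get_content()

    extractor = _LinkExtractor()
    extractor.feed(html)
    for href, visible in extractor.links:
        # Only compare when the anchor text itself looks like a URL or host name
        if "." in visible and " " not in visible:
            shown = _host(visible if "://" in visible else "http://" + visible)
            if shown and _registrable(shown) != _registrable(_host(href)):
                findings.append(f"link text shows {shown} but points at {_host(href)}")

    body = (text + " " + re.sub(r"<[^>]+>", " ", html)).lower()
    for phrase in LURE_PHRASES:
        if phrase in body:
            findings.append(f"credential lure wording: '{phrase}'")
    return findings


def sample_phish():
    """Constructed password-reset lure; all names and domains are illustrative."""
    m = EmailMessage()
    m["From"] = "Payroll <hr@example-company.com>"
    m["Reply-To"] = "hr-support@example-company-login.net"
    m["To"] = "staff@example-company.com"
    m["Subject"] = "Action required: reset your password today"
    m.set_content("Please reset your password within 24 hours or your access will be removed.")
    m.add_alternative(
        '<p>Click <a href="http://example-company-login.net/reset">'
        "https://portal.example-company.com/reset</a> to reset your password.</p>",
        subtype="html",
    )
    m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                     filename="Payroll_Update.pdf.exe")
    return m.as_string()


def sample_legit():
    """Constructed benign message for comparison."""
    m = EmailMessage()
    m["From"] = "Payroll <hr@example-company.com>"
    m["To"] = "staff@example-company.com"
    m["Subject"] = "Holiday schedule"
    m.set_content("The holiday schedule is posted on the intranet.")
    return m.as_string()


if __name__ == "__main__":
    for line in phishing_indicators(sample_phish()):
        print("-", line)
```

Run against the constructed lure it reports all four indicators and nothing for the benign message. A check like this belongs in a mail filter or a help-desk triage tool rather than on each desktop, but the same four questions are what staff should be asking by eye: who really gets my reply, where does this link really go, why is someone urging me to reset a password, and why is a "PDF" ending in .exe.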