Full Content It seems about every other week there’s a news story about a major hack at a multi-billion company, exposing all kinds of customer data such as credit card numbers, banking information and social security numbers to illicit use, with significant financial implications to both the company and its customers. A recent breach at Equifax demonstrates that even the companies with the most sensitive information and multi-million-dollar IT budgets aren’t immune to hackers seeking to exploit weakness in business data systems. What then, can a small business owner possibly do to defend against breaches on a lesser-scale?
While it might seem that cyber criminals will favor larger organizations with potentially bigger payoffs, research shows that small businesses fall prey to cyber-attacks in significant numbers. According to a CNBC report based on research conducted by The Ponemon Institute, more than 50% of the 48 million small and medium-sized (SMB) businesses in the U.S. experienced a cyber-attack between 2015-2016, most involving theft of customer and employee information. Further, the cost to address such attacks can be crippling – the research showed small companies spent an average of $850K due to damage or theft of IT assets. Coupled with estimated disruption to normal operations, total costs to recover from cyber-attacks averaged roughly $2mil.
Cyber criminals may wreak havoc in other areas as well. Information essential to running a small business such as sales history, vendor transactions, QuickBooks data files, HR information, taxes, etc. can be jeopardized by hackers, especially if not adequately secured and/or backed-up periodically. Small business owners might be exposed on both a personal and professional level if individual and business accounts are linked or if family assets fall under the corporate umbrella
All of this points to an immediate and pressing need for small business owners to examine their risks and take steps to guard against cyber interference. Risks come in many forms, including computer viruses, malware, phishing, weak passwords, out of date software, insufficient firewall protection, unencrypted data, mobile device security and many other threats.
Things like natural disasters threaten small businesses as well. Events such as flooding, hurricanes and tornados may not be top of mind for business owners but news coverage of places like Houston, TX and areas of Florida demonstrate that complete destruction of business assets and information may only be one storm away.
Internal employees present further risks because, quite-often, security breaches are an ‘inside job’ with individuals unknowingly compromising company safeguards or, worse-yet, deliberately undertaking activities to profit by exploiting company weak points.
So, how can small businesses protect themselves? Here are a few areas to consider:
• Government Resources for Small Businesses: The FCC, FTC and U.S. Department of Commerce have published guidelines specifically aimed at small and medium business. The FCC provides free resources including a Ten Tip Guide on Cybersecurity for Small Businesses and a customizable Cyber Security Planning Guide both of which allows a business owner to assess vulnerabilities and take actions to combat threats. The FTC publishes guidance for SMBs on Small Business Computer Security Basics. Finally, the Department of Commerce put together security information in a document called “Small Business Information Security: The Fundamentals“. These government sites are a good place to start when seeking universal recommendations on small business information security.
• Compliance and Regulatory Considerations: It is advisable to ensure that a small business is in compliance with legal and regulatory requirements which can expose a business to fines, lawsuits or sanctions inflating the costs of data breaches and threatening a company’s ability to do business. A simple Internet search will help identify the main areas of compliance for small businesses. For instance, the FTC has guidelines for businesses and financial institutions that act as creditors to adhere to the Red Flag Rule which seeks to protect business customers from identity theft.
Small businesses having access to Personal Health Information, either for employees or customers, must adhere to the Health Information Portability and Accountability Act (HIPAA) as well as the Health Information Technology for Economic and Clinical Health Act (HITECH Act). Forbes Magazine said that, “According to HIPAA, if you are belong to the category of “covered entities” or “business associates,” and you handle “protected health information (PHI),” you and your business are required to be HIPAA-compliant.” That means that businesses with company health plans or businesses interacting with health care providers, health billing agencies or related entities should investigate whether they need to compliant in this area and to what extent. These regulations require a data breach reporting plan and spell out specific actions if an incident occurs.
Small companies should educate themselves on requirements at the state level as well. Individual states may have security breach notification laws which require companies to contact all involved parties, internal and external to the firm, whenever sensitive information is compromised.
• Undertaking Security Initiatives Within a Small Business: For individually-tailored recommendations about information and asset security, small business owners might be well-served in seeking outside help such as consultants, advisors and lawyers specifically focused on the needs of the SMB market. It may be advisable to undertake cyber-security as part of a larger strategic engagement designed to address overall company improvements for growth, financial security, process efficiencies and/or performance management. Cogent Analytics is a provider in this space, helping many small companies achieve their objectives and position themselves for ongoing success.
No business, large or small, is completely safe from information or asset risks, but there are ways to mitigate these risks and prepare to act if a company suffers a breach. Being aware of public resources, creating action plans for cyber security, engaging with professional advisors and keeping abreast of process or technical developments is a great place to start!
At Cogent Analytics, we never stop looking for ways to improve your business and neither should you. So, check out some of our other posts for helpful business information: