It’s happened again! A big box retailer, healthcare organization or the government has been hacked. Big business cyber attacks have become a common thread in our news feeds. The stories are then followed by news of the investigation, the lawsuits and the public relations spin to restore consumer confidence.
What does this mean for the small business owner who may tend to believe the threat is far away and hackers are not interested in a company below a certain revenue? Judging by news reports alone, small business owners would believe that they are immune to attacks, as so much attention is given to the big guys. But we know better. The full story about data breaches and hacks is spelled out in the numerous breaches that affect the local grocery store, dry cleaners or cupcake bakery on the corner.
It’s true. Data confirms that 85% of cyber-related claims come from small businesses. The small businesses that have made data breach claims have endured the pain of getting back on track. The cost of a forensics investigation, customer notification, public relations and legal defense can be crippling, so much so that 60% of small businesses don’t fully recover following a hack.
“The biggest threat to any business following a cyber attack is its credibility,” said John Farley, Vice President cyber risk at Hub International. “For Target or Home Depot who suffered major cyber attacks, the rebound in customer credibility was short, but for the local flower shop or hardware store, getting customers to come back following a hacker stealing their neighbor’s data could be a long journey.”
So why aren’t small business owners worried about being hacked? For all the hats that small business owners wear, the thought of planning for something that they feel won’t likely happen drops to the bottom of the to-do list. A cyber threat just doesn’t seem real, and by the way, how would they go about putting together a plan that fits their business model, isn’t costly and doesn’t take a lot of time?
While these five measures are not all-inclusive, they provide an easy path to avoid, prevent, mitigate and transfer the risk of a cyber attack.
- Purchase cyber risk insurance – Your general liability policy covers physical loss, but when a data breach occurs, general business insurance does not cover lost or stolen data or provide legal defense. Cyber insurance is affordable and ensures you have a team of experts ready to handle all the necessary actions to quickly get your business up and running again, including customer notification, legal defense and regulatory compliance.
- Assess your risk level – Does your small business handle credit card transactions or store any digital client or employee data? Who has access to it? How well is it protected? When do you purge the data? How do you purge data? Do your employees work remotely or travel with company laptops? These are but a few questions to consider when understanding your level of risk for a data breach.
- Train employees on cyber security – People make mistakes, including clicking on links in emails from hackers that look like a cute photo of their best friend’s new baby. Unbeknownst to them, they have opened a can of computer viruses that embed themselves into your network. It’s happened before and it will happen again. A robust training program that teaches employees about the hazards of clicking on links in emails, connecting company laptops to public Wi-Fi and using basic passwords like “password” is critical. Your employees are an important line of defense in your cyber security.
- Vet your vendors – Every small business has a network of vendors it coordinates with to get work done. From IT support and wireless services to your web developer and hosting provider, you work with a full range of other businesses that connect to your network in one way or another. Do your homework and ask your vendors questions about their data security measures. For example, what network protections are in place? Do they do background checks on their employees? Who will lead the investigation in the event they sustain a compromise of your data? Do they have insurance to reimburse them for costs related to a data breach?
- Take the threat seriously – Being naïve about the possibility of a data breach is not a position you can hold for long. While you may never be hacked, a data breach is very possible considering that half of data breaches come from human error, including a rogue employee or negligence. A local municipality recently experienced a data breach when the IT department failed to install the latest security patch. Be prepared and have a plan to execute within 24 hours of an identified breach.
*NetDiligence Cyber Report 2014