If you believe that hackers target only large companies, think again. Small businesses represent a fertile feeding ground for cyber criminals. According to the 2014 Internet Security Threat Report from security giant Symantec, 30 percent of the spear-phishing attacks observed in 2013 were aimed at businesses with fewer than 250 employees. A spear-phishing email is a legitimate-looking but fraudulent message, tailored to its recipient, that seeks confidential information or tries to get the recipient to open a malicious attachment or link. Experts say it is only a matter of time before any given small business is breached. Being fully engaged in the protection of your business now can help reduce your risk and liability later.
Take sensible precautions
"There is no such thing as true security. Security is a journey, not a destination," says Ted Claypoole, a senior partner at the Charlotte, North Carolina-based law firm Womble Carlyle Sandridge & Rice, and co-author of Privacy in the Age of Big Data. "If you get breached but you were reasonable and rational in the way you protect your data, you are likely to recover from it."
Some hackers will try to infiltrate your business indirectly by first attacking your vendors. Claypoole says to work only with reputable outside service firms and to question them about their data protection plans, the way they treat their information, and, in some cases, whether they are certified by a recognized monitoring agency. "Build into your contract an indemnity so that the vendor or vendor's insurance company covers you if there's a problem that's caused by them," Claypoole explains.
Another way to minimize risk is to put your sensitive information on separate unconnected computers. "There is no reason that everything you have in your business needs to be connected to the Internet and certainly no reason to be connected to the Internet when your business is not operating," Claypoole says.
Claypoole favors having a data security specialist on call—either someone on staff or an experienced outside contractor—who can review your security plans and procedures and deal with any weaknesses in your preparations before they can be exploited by hackers. "From a legal standpoint, it proves that you were doing what you should have been doing, because you had an expert come in and tell you how to set things up," Claypoole explains.
Focus on critical assets
Hackers target small businesses and steal information for a variety of purposes: to commit identity theft of your customers and employees, to infiltrate businesses that you work with, to generate unauthorized bank transfers of company funds, or to create phony employees and collect salaries.
"One of the keys to cyber security is to never look at it as being static," says Michael Kaiser, executive director of the National Cyber Security Alliance, a non-profit public-private partnership specializing in safe online behaviors. "The leadership of the company needs to put cyber security on their regular review process and ask questions of the employees tasked with it."
Kaiser says that every Internet-enabled device at a business—PCs, laptops, tablets, mobile devices—should be updated regularly with the latest anti-virus software as a necessary first step. Next, employees should be trained to handle data and email responsibly, and not to assume that the IT department will handle everything. "A lot of companies don't even have policies about Internet use in the workplace: what websites you are and are not allowed to go to, changing passwords periodically, and making sure that workers are being thoughtful about what they do online," Kaiser adds.
Kaiser admits that the threat landscape is constantly evolving and that small businesses can easily get overwhelmed trying to keep up. He suggests focusing "on the critical assets that would be harmful if they were somehow lost or breached, such as personal information or intellectual property. You really need to protect the things that are vital and critical to you and your business. Not every threat out there is necessarily going to impact you."
Act in good faith
Being aware of security requirements in your state should be a key part of your risk protection strategy, as they may vary across the country. Certain industry standards might also apply, depending on your type of business. For example, a medical company or clinic that processes insurance claims may be subject to HIPAA requirements.
"Businesses that take credit cards are required to be compliant with the Payment Card Industry Data Security Standard (PCI DSS)," says Heather Engel, vice president of Sera-Brynn, a Suffolk, Virginia-based cyber security firm. "If they do few transactions, a small business can do a PCI DSS self-assessment. But if they do a lot of transactions, they're required to have an external auditor."
The consequences of a security breach can be staggering. "The average cumulative cost a business could expect to pay for each record lost in a data breach is about $220," Engel says. "That includes forensic investigation, notification and credit monitoring for victims, legal fees, downtime, and the cost for new equipment or upgrades to existing equipment. Depending on the industry, the extent of the breach, and whether the company is judged negligent, this average cost will escalate quickly. Sixty percent of small businesses close within six months of a data breach just because they simply can't afford the cleanup cost and the cost to bring their system back online."
Engel's team was brought in to do a forensic investigation for a company when its credit card data was breached. The investigation revealed that key parts of the business's computer network—their point-of-sale system, and the hardware and software on their servers—were outdated, leaving them vulnerable to attack.
"We counsel clients to remain alert for anything suspicious and to understand who is responsible for maintaining the security of systems that process credit cards," Engel says. "In some cases, it may be the vendor who sold the system. In some cases, it is the system owner."
Making a good faith effort to comply with regulations and staying vigilant can help limit your liability—and possibly save your business.