As a small business owner, it can be easy to read the headlines about recent data breaches at large companies like Equifax, Panera, Orbitz or Sears and think a data breach could never happen to you (or that a data loss incident would not have an impact on your business). Unfortunately, nothing could be further from the truth: according to Verizon’s 2018 Data Breach Investigations Report, of the 2,216 confirmed data breaches, more than 58 percent were categorized as attacks on small businesses.
The cost of a breach or incident includes far more than downtime. Failure to take basic, protective steps can result in regulatory penalties, fines, lawsuits and reputation damage. While hackers are certainly working overtime, the rise in data breaches is also due to the lack of cybersecurity awareness among end users. The Online Trust Alliance’s analysis of security breaches reported through 2017 found that 93 percent of data loss incidents were avoidable. Key causes for avoidable incidents include:
- Employee errors and accidental disclosures
- Lack of a risk assessment
- Failure to block malicious emails
- Users succumbing to social exploits and business email compromise
- Unencrypted data or poor encryption safeguarding
- Failure to patch known vulnerabilities
- Use of end-of-life devices, operating systems and applications
As cyber incidents increase and evolve, the cost and damage to business grows. Unfortunately, a single, perfect security solution does not exist. While all businesses must be prepared to face a data breach or data loss, proactive measures are especially important for small businesses, because the financial losses and reputation damage of a breach can be even more devastating for them than for larger organizations. Past and current data breaches (and how they were handled) provide important lessons:
Data is your most valuable asset – Identify what data you collect, why you collect it, how you use it, how it is stored and where it is stored. What are your potential risks should this data be held hostage, released, erased or inappropriately accessed?
Responsibility for data protection and readiness is organization wide – Data security and privacy practices are the responsibility of all departments and all employees.
Only collect and retain the data you need – For some businesses, this is a regulatory requirement. Protect data while it is held and securely delete it when it is no longer needed.
Apply the appropriate measure of security for the type of data you hold – Your data security strategy needs to reflect the risk of damage to consumers and your company should a data breach occur. Develop a data minimization strategy including a guide for the types of data that should be protected, stored and safely discarded.
Have a plan to reduce the impact of a breach and data loss – Your incident response plan needs to include end user training to help prevent, detect, mitigate and respond to data incidents. Employees must be regularly trained and equipped to recognize threats and deal with data loss incidents.
By fully understanding risks, planning ahead and instilling an organization-wide culture of cybersecurity, losses (and their impact) can be minimized.