By Rich Blumberg
We’re all familiar with the big breaches—Target, Home Depot, Anthem Insurance. The headlines are great at emphasizing exposures that hit mega businesses, but statistics show those account for only about 10 percent of data breaches. What about the other 90 percent? The fact is that the bulk of data exposures impact small firms, and the financial devastation that ensues is sometimes bad enough to spell the end. Avoiding that fate requires some solid knowledge of the breach landscape and the use of a few tools designed to shore up those areas where small businesses are often most vulnerable.
Recognize the Pitfalls
Financial impacts and reputational damage often go hand in hand after an exposure, and they represent the primary areas where businesses are likely to feel the pain. The expenses that result from even a small breach can cause big devastation. Affected customers need to be notified and often provided with credit monitoring or similar support services. Breached businesses must pay for the investigation into what happened and address the cause. Lawsuits sometimes follow. The costs—technical consultants, victim remediation, lawyers, security hardware, fines and penalties—can add up fast.
Dropping revenues may pile on additional financial troubles. Existing customers wonder whether they should continue to trust you. Prospective customers might hear of your recent exposure and decide to shop elsewhere. Together, the monetary losses have the potential to ruin a small business.
Look for Proactive Tools to Help Mitigate Risks
Avoiding a breach is the preferred route. For entrepreneurs who operate with lean budgets, the good news is that the best proactive strategies are simple and typically inexpensive. A thorough evaluation will show where data and privacy breach risks exist in the organization. Those weak areas can be prioritized so the most valuable data assets are given the highest levels of protection.
The security protocols of third-party partners should also be reviewed as part of your due diligence process. Appropriate protections must be in place around any data that is handled or stored by a vendor, with destruction protocols included to ensure the right safeguards are used from start to finish.
Develop the Right Response
A business’s reaction to a breach will greatly influence how well the firm recovers from the event. You may not be able to avoid the financial impacts entirely—fines and remediation costs are standard fare in many instances—but other hits to the bottom line can often be lessened if your business deploys an effective reactive strategy immediately upon learning that a compromise is suspected.
Internal protocols should be implemented that focus on quickly spotting and stopping an exposure. Be sure employees know who to contact if they believe a breach has occurred. Identify those people—IT, HR, legal, risk management, etc.—who would be responsible for the next steps. These may be in-house employees or outside contractors, but either way they need to be on board with a plan to respond swiftly to any reported exposure.
Insurance Is Available to Fill the Gaps
Cyber insurance can provide small businesses with access to critical expertise, support and other resources for preventing a data breach as well as responding to an exposure if one occurs. Data security and privacy experts will be able to help evaluate the firm’s security posture against the latest threat vectors. They can also determine where technology tools are available to improve security and where employee training might reduce the risk of human error. Cyber policies may also cover post-breach support, including customer notification, guidance from legal counsel, forensic investigation services and access to additional technical expertise.
Pick the Right Policy
It’s crucial that the cyber policy be closely matched to each firm’s unique profile, as risk factors differ from one sector to another. Researching a local, knowledgeable insurance broker who specializes in cyber risks is a good way to review coverages and get your questions answered. A small business in the healthcare industry, for example, will have vastly different needs than an e-retailer. Some companies may benefit from additional technology support while others would be more interested in a policy that includes access to significant legal expertise. An entrepreneur selecting cyber coverage will also want to carefully review their obligations under any potential policy, as they may be required to implement specific security measures before coverage can commence.
Rich Blumberg is director of breach response for IDT911™.