How should small business leaders think about mitigating information security risk—and with all that’s going on in our pandemic world, why now?
It’s a tough problem. Between reports of hackers breaching the networks of even large multinational corporations with staggering resources, the technical complexity of shoring up your defenses, and the high cost of the tools that facilitate the process, it can be tempting to conclude that all you can reasonably do is ask IT to keep the antivirus up to date and cross your fingers.
However, I want to make a case here for devoting more executive attention and more organizational resources—both people hours and funding—to information security, even in a small business. Here’s why:
- The financial and reputational cost of even one security incident—particularly a data breach—can be devastating.
When most small business owners think of the consequences of a hack, they may envision a ransomware incident. Such incidents are lamentably common, particularly in the small-to-medium sized business space, and they are damaging enough in their own right: a February article in the NYT reported that in the last quarter of 2019 the average ransomware payout spiked to $84,116. That figure does not include the cost of lost operational capacity, the legal and forensic investigation expenses of resolving the incident, or the cost of beefing up security after the fact.
However, an even more damaging type of attack involves hackers not encrypting your data for ransom, but stealing it and selling it on the dark web (and increasingly attackers do both, exfiltrating data before encrypting it, so that a ransomware incident is also a breach). When this exposes the personal information of your customers and others, you bear the costs of notifying them and, as required by law in many states, paying for credit monitoring services for the affected parties. The average cost of this process is about $150 per record, so a breach of even a few tens of thousands of records puts the immediate financial toll in the millions. And that is before accounting for the lost business that follows a loss of public trust. This is a major hit for even the biggest organizations to absorb. For a small business, it would likely be unrecoverable.
- Your attractiveness as a target might be higher than you think.
You might assume that as a small business you’re a “little fish in the big pond,” swimming below the notice of the poachers. In fact, in recent years small to medium businesses have become prime targets for hackers, precisely because they are less well protected. According to Nationwide Insurance, 55% of all small businesses have experienced a data breach, and 53% have had multiple breaches. In 2018, 71% of the victims of ransomware attacks were SMBs, a dramatic increase from 31% in 2012 and 18% in 2011.*
Your risk is even greater if you are in the supply chain of much larger companies, particularly if you have access to their customer and/or employee data or a network connection into their systems. In this circumstance, hackers may perceive your network as a weak link in the armor of the deeper-pocketed client: compromising you is a cheaper route to their data than attacking them directly. If you are in this situation or likely will be, I encourage you in the strongest terms to pursue enterprise-level security controls. Not only is it almost certainly the right call for your degree of risk; such clients will increasingly expect and require this of you, through security questionnaires, audits, and contractual terms.
- Information security isn’t just technical, it’s behavioral—and people make mistakes.
Let’s say your IT department and/or the managed service provider (MSP) that remotely manages your IT infrastructure are top-notch, and you have the most airtight network known to man. You are still not safe from a data breach. This is because most intrusions begin not by defeating your technical controls but by luring employees or contractors with legitimate access into providing their credentials, running malware, or otherwise bypassing the controls your team has put in place. Technical tools can help to identify such attacks, and controls such as multi-factor authentication and least-privilege access limit what a stolen password can do, but they will never be enough on their own. Employees must be trained to identify suspicious emails and requests, and a culture of information security must permeate the organization, specifically valuing security over speed and convenience. This takes leadership, and it has to be a priority for every executive.
- Compared to the potential loss, cyber insurance protection is relatively low-cost. With a greater than 50% likelihood that your small business will be hit by cybercrime costing you upwards of $100,000 per incident and an average policy cost of just $1500 per year, cyber insurance may be the single most inexpensive investment you can make to protect your business against this risk.
However, shop carefully: many companies learn to their dismay after an incident that their policy didn’t cover what they thought it did. For instance, a policy may, by default, require your business to follow certain protocols or maintain certain system configurations (such as multi-factor authentication or offline backups), and a claim can be denied if you were not actually doing so at the time of the incident. Some policies exclude or sharply limit coverage for losses caused by employee error, such as an employee falling for a phishing email, which brings us back to the vital importance of employee training. And it’s important to note that a policy may or may not cover the technical help you will need to fix the vulnerability, end the hackers’ access to your network, and prevent future breaches. Despite these caveats, you still need coverage to limit your exposure. Talk with your insurance representative about what is and is not covered and how you can best protect your business, and involve your head of IT and ideally your legal team in the policy selection process. Review your coverage for gaps on a regular basis as well: cybersecurity insurance is a young industry, and new types of risk are continually emerging.
I hope this inspires you to give additional thought to your company’s information security approach. If you already have a plan, it’s worth taking a fresh, critical look to ensure you’ve rated your risk appropriately and are taking advantage of the newer tools on the market to mitigate it. If you need to get a program started, I recommend taking a look at the FCC’s Cybersecurity for Small Business page, as well as the Security and Technology section here on WorkAnswers, for some great resources on designing one.
*As reported by Beazley Breach Response Services and Symantec.
Additional recommended reading: Designing a Remote Worker Policy.