Cyber breaches of mega-retailers like Home Depot and Target, health care insurers like Anthem, Premera and Excellus and federal agencies -- most prominently, the Office of Personnel Management -- dominate the headlines, but it's only a fraction of the story. What most people don’t realize is that a staggering 90 percent of breaches impact small businesses. Those figures, released by payment technology solutions powerhouse First Data, highlight the seriousness of the cyber security issue for small businesses.
Unlike larger organizations with revenues in the billions, small businesses might easily experience a near extinction-level event from a data breach. The recovery expenses mount quickly -- credit monitoring for affected customers, lost revenue, crisis management, customer notification and investigation of the breach, just to name a few -- and can create a financial loss so staggering it has the potential to crush a small business. With 2016 already on pace to see a 4.7 percent rise in the number database compromises over last year, according to data released by the Identity Theft Resource Center, members of the business community have a right to wonder if or when this seemingly never-ending assault will plateau.
Small businesses need to follow the 3Ms in order to navigate a most dangerous digital world. Minimize the risk of exposure; monitor networks; and have comprehensive incident response and resolution programs in place in order to manage the damage. In other words, respond urgently, transparently and empathetically to customers and employees in the event of a compromise.
Here are four strategies that can help small businesses better defend against malicious insider and hacker attacks and more effectively deal with them if a breach does occur.
1. Know your risks.
It’s imperative that small businesses acknowledge the value of their data and do what they can to protect it. Companies of every size can reduce the chance of an exposure if they scour their network and data assets with an eye toward where vulnerabilities might be lurking.
First, review the type of data that you are collecting and storing. Businesses handling medical or financial information, for example, may need to comply with industry regulations or state and federal laws that require specific security measures. Also, understand where sensitive information currently resides. A server with remote access could present an easy target for hackers. Consider keeping top-level data somewhere that’s more difficult to reach.
Related: 5 Ways to Avoid Data Disasters
Get a handle on how data moves across your network. How are mobile devices authorized to connect? Which data is shared with third parties? See if security gaps exist at those connection points and fix them.
2. Make employees your first line of defense.
Employees typically have wide access to stored information -- from customers’ financial data to personnel records. A better strategy is to match network access permissions to the requirements of specific job duties. If an employee doesn’t need access to sensitive data, don’t give it to them. When you change an employee’s role, update his or her login credentials to maintain a strong security posture. Equally important, immediately deactivate the network access of any employee who leaves the company, regardless of the circumstances of their departure.
Employees represent a delicious target. Hackers view them as the weakest link, making the small business workforce a crucial link in the security chain. Raising employee awareness is essential. Educate them about the dangers of phishing and falling for other common scams. Be sure they know what to do if they think they might have clicked on a malware-laden link or mistakenly provided information on a clone website.
3. Focus resources in the right areas.
Like their larger counterparts, small businesses often hold enormous amounts of data. Trying to deploy an impenetrable fortress around all of it would be prohibitively expensive. Instead, identify the information that is most sensitive -- and most valuable -- and focus security resources in those areas. Consumer data (payment data and personally identifiable information such as Social Security numbers, names, addresses, birth dates, etc.) and employee data should be among the files afforded the highest level of protection.
Strong security doesn't have to be prohibitively expensive. Encryption technology is often free or very low cost, so look for opportunities to use it. By encrypting sensitive datasets, a stolen laptop or lost thumb drive will still be an annoyance but it may not result in a breach.
4. Invest in cyber insurance with coverage that matches your business risk profile.
Because the financial implications associated with even a minor breach are significant, small businesses must consider mitigating their risks by adding a cyber insurance policy. Coverage is available that helps pay costs related to forensic investigations, customer notification, reputation management and even legal counsel. Some policies also provide access to experts who can help the business evaluate its risks and address potential vulnerabilities.
Adam Levin is a consumer advocate with more than 30 years of experience in security, privacy, personal finance, real estate and government service. A former director of the New Jersey Division of Consumer Affairs, Levin is chairman and founder of IDT911 and co-founder of Credit.com. He is also the author of "Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves."