Statistics show that cyber criminals are increasingly targeting small businesses to steal personal information, because those businesses lack the cyber defenses in which large enterprises have invested significant time and resources. Small businesses will increasingly find themselves the target of cyber crime and need to ensure they protect their customer information.
When cyber crime makes the headlines, it usually involves a large business, such as TJ Maxx (http://www.msnbc.msn.com/id/17871485/), which is thought to have suffered the largest data breach to date. A company of this size manages large volumes of customer information, so a single security breach can expose the private data of millions. It was only a matter of time before cyber criminals turned to small businesses to steal credit card numbers, social security numbers and other personal information.
If you think about it, small businesses are an easy and attractive target for cyber criminals. Simply put, they lack many of the high-priced cyber defenses that large enterprises can implement.
According to an April 2009 Verizon study (http://www.verizonbusiness.com/resources/security/reports/2009_databreach_rp.pdf), 33 percent of all data breaches in 2008 were directed at businesses with 100 employees or fewer. By comparison, large businesses with more than 10,000 employees sustained fewer data breaches in 2008, accounting for 25 percent.
As small businesses increasingly find themselves the victims of cyber crime, they have a duty to implement programs that protect their information. Using appropriate safeguards is critical in at least two respects:
1) Ensuring Customer Confidence. Acquiring and maintaining the trust of employees, customers, vendors and suppliers is indispensable for a successful business. Cyber crime can ruin a company’s reputation and hurt sales, which further erodes confidence and trust among those who do business with the company. Having a quality cyber-security framework and compliance program firmly in place can help companies prevent cyber crimes and, when they do occur, minimize the damage and restore services quickly.
2) Managing Liability Risk. Failing to develop and implement an effective cyber-security framework could lead to serious civil penalties for a business and even personal criminal liability for officers and company directors. When determining a company’s accountability, courts assess whether the company had an adequate compliance plan in place and whether it was followed.
Information Security Program – The Fundamentals
As cyber criminals shift their focus to “Main Street” companies, small businesses need to play catch-up with their larger counterparts to maximize protection of sensitive information.
To help small businesses develop a more reliable data security plan, I offer the following ideas, which together make up a sound security and liability prevention program. They draw on several sources, including current legislation, standards, guidelines and regulations. Because no cyber-security program provides 100 percent protection against a data breach, businesses must work to minimize their risk. If properly implemented and consistently followed, these suggestions help defend against most legal claims for negligence.
1. Management must be involved
Under the law, the company’s managers have a duty of care to ensure that the company safeguards legally protected information. Management must develop and follow adequate security procedures and systems.
2. Identify and Manage Threats
Information technology connects a small business closely with its vendors and other third parties. As a result, vendors and others may assess your existing security, and their confidence in these systems is critical to a small business. Assessing your risk typically involves three major steps:
Step 1: Identify and analyze threats
A threat assessment focuses on the common threats: outside attackers, illegal or improper activity by insiders, and internal error or neglect that exposes the company’s networks.
Step 2: Identify and analyze your vulnerabilities
Assessing the technological weaknesses in the company’s network and security infrastructure examines the ability of your systems to deter or prevent breaches under the existing security procedures and controls. Vulnerability assessments are used to (1) identify weaknesses that could be exploited and (2) predict how effective additional security measures would be in protecting information.
Step 3: Assess your risks
Assessing your risks is the final step and is based on the analysis of threats, vulnerabilities, services and other tangible factors. The analysis informs management about the possible risks to the company’s data and what is (or is not) being done about them.
3. Test Your Own Security
Penetration testing should take place to find the gaps and holes in your systems so you can fix any areas found to be unprotected. Repeat it periodically and after significant changes, since a test only reflects the environment as it stood on the day it was run.
4. Demand that Employees Understand Cybersecurity Policies
Employees and independent contractors must be made aware of the importance of improving the company’s security. Training should include employees’ legal and policy duties to report intrusions and suspicious activity to management. Company policy should also address appropriate use of e-mail, use of bandwidth, downloading activity, and protection of systems against virus attacks delivered through e-mail attachments.
5. Use Encryption Technology
Encryption is an important tool for improving cybersecurity and reducing liability. You should consider encrypting electronic customer information both while it is in transit across networks and while it is in storage. Encryption only helps if the keys are kept separate from the data they protect; an attacker who obtains both has obtained the plaintext.
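As an added example (not code from the original article), the following Go program shows what encrypting customer information in storage looks like in practice, using the standard library’s AES-256-GCM. The record contents, the customer identifier and the key are constructed for the demonstration; a real deployment would load the key from a secrets store or key-management service rather than generate it in the program.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// sealRecord encrypts one customer record with AES-256-GCM, an authenticated
// mode: the output carries an integrity tag, so a modified or swapped record
// is rejected on decryption instead of silently yielding garbage.
//
// Output layout: nonce || ciphertext || tag. The nonce is random and never
// reused under the same key; GCM's security collapses if a (key, nonce) pair
// repeats. recordID is bound in as associated data so a ciphertext copied
// from one customer's row into another's will not decrypt.
func sealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to its first argument, so passing the
	// nonce as the destination yields nonce||ciphertext||tag in one call.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// openRecord reverses sealRecord. Any change to the stored bytes, or a
// mismatched recordID, returns an error rather than plaintext.
func openRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short to be valid")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

// newGCM rejects keys that are not 32 bytes: AES-128 would also work, but
// accepting arbitrary lengths invites weak or truncated keys.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Generated here only for the demonstration. In production the key
	// lives in a secrets store or KMS, never in the same database or file
	// share as the encrypted records.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	// Constructed sample record; not real customer data.
	record := []byte(`{"name":"A. Customer","card":"4111111111111111","ssn":"000-00-0000"}`)
	sealed, err := sealRecord(key, "customer-1042", record)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored:", base64.StdEncoding.EncodeToString(sealed))

	plain, err := openRecord(key, "customer-1042", sealed)
	fmt.Printf("decrypt ok: %v, matches original: %v\n", err == nil, string(plain) == string(record))

	// Flip one stored byte: GCM's tag check fails and nothing is returned.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = openRecord(key, "customer-1042", tampered)
	fmt.Println("tampered record rejected:", err != nil)

	// Same bytes filed under another customer: associated-data mismatch.
	_, err = openRecord(key, "customer-2077", sealed)
	fmt.Println("swapped record rejected:", err != nil)
}
```

The two rejection cases at the end are the point of using an authenticated mode: an unauthenticated cipher would hand back altered or mis-filed data without complaint. Encryption in transit is a separate mechanism (TLS between the browser, the application and the database); the at-rest layer shown here protects the stored records if a backup, disk or database dump leaks.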
6. Transfer Risk Where Possible: Insurance
As cybersecurity risks continue to grow, insurance has become a critical measure in protecting companies against the costs of cyber incidents such as malware, phishing, insider theft and hacking. Insurance can protect against losses resulting from theft of money or assets due to a data breach. It can also cover other costs, including incident management, notification of affected parties and legal defense. The more appropriate security measures a company takes, the better position it will be in to negotiate coverage.
As cyber criminals set their sights on smaller targets, small business owners and managers must be prepared to protect themselves, their employees and their customers. Many small businesses overlook the importance of a reliable data security plan in ensuring three core aspects of their business: 1) the ability to maintain the confidence of a solid customer base, 2) prevention of liability for failing to protect customer data, and 3) the potential for growth as the economy and consumers adapt to increasingly advanced technologies that require increasing levels of security. To protect these elements, small business owners must take concerted steps to assess the security of their cyber assets and educate their employees about company security policies.