From stolen credit card numbers to intellectual property, far too often we hear about large corporations such as Yahoo, Target and Home Depot that have been hit with cyber security breaches.
News reports about these events can be misleading when they lull small-business owners into believing that cyber security issues apply only to big business. We often hear a small-business owner say something like, “I’m a blip on the radar. Nobody would want to target my company.”
But that logic doesn’t hold true in the context of cyberattacks. Many cyber-attack mechanisms are automatic, meaning the perpetrators aren’t selecting targets. They’re simply seeking vulnerable computer systems — and that means small businesses might be the most susceptible.
Here are three actions every small business should consider now to prepare for a cyber attack:
Create a response plan. With a concrete response plan in place, proper procedures become automatic if — or when — a cyber breach occurs.
Small-business owners and management should consider how they would respond to an attack if it happened. That includes knowing who will be involved in addressing the issues (both inside and outside the business) and planning for contingencies in case the business’ network is inoperable or data is not available for some time period.
Without a response plan, businesses may face liability. Take, as an example, a breach of customers’ health information or intellectual property. Not only might the business be legally liable, but its reputation could also be tarnished. By creating a response plan, small businesses can easily mitigate these issues by sticking to their protocols in moments of crisis.
Consider hiring outside professionals to help evaluate risks and plan ahead. Small businesses often avoid hiring a consulting firm for fear of alerting the world to their supposed vulnerabilities. Instead of testing their luck, small businesses should seek expertise from professionals who consistently deal with cyber issues.
If a small business is concerned about that information being disclosed, it should consider hiring an attorney. In many instances, the preventive discussion of risk evaluation can be handled by an attorney in a confidential and privileged manner. If needed, the attorney can hire technical professionals to assist in the evaluation.
Hiring outside counsel to audit a company’s preparedness and advise on complying with U.S. laws and regulations better prepares companies against the fear of cyber threats and government investigations. Government agencies such as the Consumer Financial Protection Bureau, the Securities and Exchange Commission and the Federal Trade Commission have all begun to regulate businesses’ cyber security policies and procedures through the Dodd-Frank Act and the FTC Act. Specifically, regulators are using the language that service providers cannot engage in any “unfair” or “deceptive” practice.
For example, after three data breaches in 2008 and 2009 at Wyndham hotels that caused consumer names, addresses and credit card information to be hacked and resulted in more than $10 million in fraud loss, the FTC filed a complaint stating that the company’s data-security protections were “unfair” and “deceptive.” The 3rd U.S. Circuit Court of Appeals held that the FTC can regulate cyber security policies and procedures as “unfair” acts or practices. Additionally, the 3rd Circuit stated that the company had fair notice of the act prohibiting unfair practices.
This ruling has opened the door for regulators and is a wake-up call that businesses, big or small, need to be serious about protecting consumer data.
Consider purchasing cyber insurance. Many insurance companies now offer cyber liability and data breach insurance to protect against notifications, public relations, liability and other activities involved in cyber attacks.
Although cyber insurance might seem unnecessary to those who haven’t experienced a breach, those who have understand the value of it. Many cyber insurance policies cover the cost of investigating and responding to attacks — a valuable asset in the critical few days after an attack.
As is common, most general liability policies do not cover these cyber-attack risks. Further, a commercial general liability policy may not cover a lawsuit brought about by a cyber breach and may not protect against electronic data loss or breach because it is not categorized by the policy as tangible property.
Cyber security is a concern for all businesses today. Small businesses are not immune — and often are more vulnerable to an attack than larger businesses. Evaluation and planning are essential to addressing this universal risk.