Data breaches are a growing threat, yet small business owners don’t always know how to prevent them, or what to do should one occur. Online security breaches are not only disruptive but costly. A breach can be particularly difficult to recover from for small businesses that are not equipped to absorb the expense.
There are several common causes of security breaches, and by learning some basic data breach prevention techniques, businesses can often prevent one from occurring. However, if a business is hacked, cyber liability insurance (a type of data breach insurance) can help it recover.
Data breaches aren’t just a problem for big business
When data breaches make the news, typically it's because they occurred at a major company, such as Google, Target, or Equifax. This may give small business owners a false sense of security, but the reality is that the victim of a cyberattack is more likely to be a small business, not a large corporation.
"The majority of business owners don’t realize how much personal information they are storing about clients, employees, and vendors," says Joseph Jonas, director of wholesale and consulting at Insureon. "They don't think about all the credit card numbers, addresses, driver's license numbers, and other data they have on file."
The average small business possesses a significant amount of data that is valuable to hackers, including:
• Employee birthdates and Social Security numbers
• Client names, email addresses, and phone numbers
• Banking information, including account and routing numbers
• Credit card numbers
While it's true that a security breach of a major corporation may net thieves a bigger payoff, small businesses tend to have fewer security protocols in place – making them much easier to hack.
The average data breach at a small- or midsize business costs $86,500 in recovery expenses, according to a report from internet security firm Kaspersky Lab. Businesses not financially prepared to deal with the aftermath of a cyberbreach could be forced to close.
How do data breaches happen?
Hackers are notoriously clever at devising new ways to steal sensitive data. For example, the 2017 WannaCry ransomware, which impacted more than 200,000 victims worldwide, spread by exploiting a vulnerability in older versions of Microsoft Windows. Microsoft had released a security patch to fix the issue a few months before WannaCry, but many Windows users never installed it – leaving them vulnerable to the attack.
However, not all data breaches are caused by elaborate malware. In many cases, the source is simple human error.
"Most people think hackers are the cause of data breaches," Jonas says. "In fact, it's typically third-party negligence that leads to a data breach, such as an employee leaving a laptop or briefcase containing sensitive information unattended, and it gets stolen."
How to prevent data breaches
There are several common sources of security breaches, and even though hackers have been using the same tactics for years, people continue to fall for them. Small business owners serious about preventing data security breaches can start by reviewing some of the most frequently used hacker tricks and educating employees about the steps they can take to avoid becoming a data breach victim:
Lost or stolen passwords
In many cases, carelessness leads to a password breach. For example, an employee might write down a password and leave it in plain sight or use one that can easily be guessed, such as "123456" or "password." Hackers use other tactics of varying complexity to access passwords. It’s up to you to stay one step ahead.
How to prevent a breach: Emphasize the need for password security with employees. Business owners should require that employees use complex passwords that are changed frequently and never written down where others might see them. If there is an issue with staff remembering passwords, consider investing in a password manager program such as LastPass or OneLogin that can store and remember multiple encrypted passwords online.
Phishing
In a phishing attempt, the intended victim receives an email that appears to come from a trusted sender. One common phishing scam is a fraudulent email that appears to contain package tracking information from a shipping company, such as FedEx or UPS. If the recipient clicks a link in the email or opens an attachment, a virus is downloaded to the computer, giving the sender full or partial access to sensitive information.
How to prevent a breach: Teach employees to carefully examine any emails containing links and attachments. Many email systems allow the user to hover over a link to see the destination URL.
Ransomware
Ransomware is a form of malware that takes over a computer system and blocks the user's access to data. The attacker then demands a ransom from the victim in exchange for restoring access to the data. It’s commonly spread through phishing emails or by exploiting a security vulnerability.
How to prevent a breach: To thwart a ransomware attack, business owners should keep up with computer operating system updates, install antivirus software, and back up files so if an attack does occur, the data is not lost.
Business owners who aren't proactive about protecting data are essentially locking the door at the end of the night but leaving the key in the lock. To avoid becoming a victim of hackers, business owners need to understand how to prevent data breaches.
How a cybersecurity breach can affect your business
When a business is hit by a ransomware attack, the malware blocks access to the computer system – including all data. If customer data is stolen during a cyberattack, the situation can get even worse. Not only can a data breach harm a business's reputation, but the company could be fined if it doesn’t follow state guidelines for notifying impacted parties. Businesses could also face lawsuits if customers’ identities are stolen as a result of the breach.
There are a few ways business owners can avoid paying thousands of dollars in recovery fees and legal costs. This includes learning how to prevent data security breaches in the first place and purchasing data breach insurance, known as cyber liability insurance, to pay for legal expenses should an incident occur.
However, according to a poll conducted by Insureon in partnership with online small business directory Manta, only 33 percent of small business owners have this cyber liability coverage. Given how expensive a breach can be, these businesses are exposing themselves to a significant potential risk.
Cyber liability insurance can help businesses recover from a breach
When a company experiences a data breach, expenses can add up quickly. Cyber liability insurance can help businesses survive the financial repercussions of a cyberattack by paying for recovery costs, such as customer notification, credit monitoring, legal fees, and fines.
There are two types of cyber liability insurance: first party and third party. First party covers businesses that are hacked and have had data stolen. It’s typically available either as a standalone policy or as an add-on to a business owner's policy.
First-party cyber liability insurance can pay for expenses related to a breach, including:
• Legal and forensic services
• Notifying those impacted by the breach
• Customer credit and fraud monitoring services
• Crisis management services to help rebuild the breached company's reputation
• Cyber extortion / ransomware costs
Third-party coverage can protect businesses that are responsible for another business's data, such as an IT consulting firm. If a customer sues an IT business claiming the firm’s actions (or inaction) allowed a data breach to happen, third-party cyber liability insurance can pay for legal expenses.
So, how much does cyber liability insurance cost? That depends on many factors, including the type of work your business does and how many employees you have. Talk to your insurance agent to learn more about cyber liability insurance and whether your business may benefit from one or both types of coverage.
What to do if your business experiences a security breach
If a business is hacked, it's important to take action immediately. Every state has specific reporting requirements regarding how quickly customers need to be notified of a data breach, with some giving as little as seven days to inform consumers.
Businesses that are breached should take the following steps:
• Report the breach to law enforcement, as well as consumer protection agencies if required by state law.
• Notify individual customers about the breach in accordance with your state's regulations, which may include contacting them via email, phone, or mail.
• Post an announcement on your website about the data breach and how customers can reach you with any questions.
• Conduct an investigation of the breach, including compiling information on where and when it occurred and what data was lost. Business owners may want to consider hiring a professional security consultant to perform the investigation.
• Fix any security issues that led to the breach, while also maintaining records and evidence of the attack as they may be needed by law enforcement agencies.
• Hire a credit monitoring company to provide fraud and ID theft prevention services to your customers.
There are many moving pieces to keep track of when a security breach occurs. Business owners will want to be ready to take immediate action to protect the company and its customers and to ensure compliance with state regulations.
One way to prepare for the potential fallout of a cyberattack is by creating a data breach response plan in advance. It should include the contact information for anyone who will need to be reached in the event of a breach, such as local regulatory organizations, credit monitoring firms, and the insurance company.
Create a cybersecurity plan
While it’s crucial to be prepared for a potential data breach, business owners who create a cybersecurity plan could potentially prevent an attack from ever occurring. Some common cybersecurity tactics business owners may want to use include:
• Employee education. Teaching employees cybersecurity best practices is one of the most effective methods for preventing a cyberattack. Business owners can significantly reduce the risk of a breach by training employees to use complex passwords, avoid opening attachments on emails from unfamiliar senders, and safely dispose of sensitive information.
• Limit what sites employees can visit. Tightening restrictions on which websites employees are allowed to access reduces the chances of someone accidentally visiting a site with malicious links.
• Use security programs. Installing firewalls, anti-malware, and anti-virus software can prevent hackers from gaining access to data.
• Update systems and software. Making updates as soon as they are released can keep computer systems protected. In most cases, updates can be set to take place automatically.
• Require secure passwords. Everyone at the business should use complex, unique passwords that are changed every few months, along with multi-factor authentication.
• Create a BYOD (bring your own device) policy. If employees are using personal devices like cell phones for work, create a policy outlining how business information should be transmitted and stored on them.
• Limit data exposure. Reduce the chance of a breach by consolidating the places where data is stored, encrypting data when it is being transmitted, and deleting old, irrelevant data. Employers may also want to limit what data employees can access.
• Hire an IT consultant. Business owners who aren't tech-savvy may want to consider hiring an IT professional to assess the business’s cybersecurity threats and help secure the network.
Hackers aren’t going anywhere, and they’re only getting better at coming up with new ways to break into computer systems and harvest data. By being proactive when it comes to cybersecurity, business owners can protect their company, employees, and customers from having sensitive information stolen by cyberthieves – and shelter the business from the costs and bad public relations that often accompany a data breach.