Data breaches are a daily occurrence in today’s business climate. They are now so common that most large corporations have realized they need to take this threat seriously. This was not the case even 5 or 10 years ago.
Because big business has increased its attention to cyber security, individuals and small businesses are becoming more of a target for cyber criminals looking for access to sensitive financial information. For this reason, small businesses should be more concerned about cyber security now than ever.
Many small businesses have vendor partnerships with large corporations. Through these partnerships, small businesses need access to the computer databases of much larger corporations. When a small business is compromised, the cyber criminals can gain access to the much larger database of the partner corporation.
Two of the largest data breaches in history, Target and Home Depot, started just this way. In the case of Target, it was an HVAC Company that worked on a few of their locations in the Pittsburgh Area. For Home Depot, the partner company was a company that provided the hardware for credit and debit card transactions at their self-checkout registers.
In both cases, the small business had been compromised for several months without knowing it. The criminals waited until they found access to the much bigger databases before they did their damage.
According to the National Cybersecurity Institute, nearly 87% of respondents to its survey said they would be unlikely to do business with a company that has suffered a data breach involving credit or debit card information. A similar Experian survey showed that, depending on the type of breach, the value of your company’s brand will decrease by between 17% and 31%. These are damaging effects that most businesses would have a difficult time recovering from.
There are several things small businesses can do to prevent and limit the damage of a data breach. Some of those things include properly training your employees, requiring adequate passwords, shredding all sensitive paper documents, and securing adequate commercial insurance for a data breach.
Preventing data breaches starts with every new hire a business makes. Any employee who uses a computer needs to be properly trained on how to prevent cyber-attacks. This should apply to all employees, regardless of whether they are a receptionist or the CEO. It is important to never assume anything about employees and their previous training. There are many people who may be more than capable of doing their job, but are not properly prepared to combat data breaches.
Many employees may be very capable of doing their job, but this does not mean they are computer savvy or properly trained to protect the business from hackers. Just a little bit of time and effort can properly prepare employees to defend the business against hackers.
When developing cyber security training for employees, the training should cover protecting a work space, what an adequate password looks like, and examples of phishing emails. Many businesses send out fake phishing emails once a month to see which employees click on them. If an employee clicks on the fake phishing email, there needs to be a conversation with that employee. If they continue to fall for the scams, they need to go through additional training.
Require Long Passwords
A small business should have strict guidelines for what a password should and should not look like. There needs to be a minimum length, with a combination of lower case, upper case, numbers and special characters. Give employees concrete examples of what a good password looks like and what it does not look like. Here are some examples of good and bad passwords.
This would be an example of a password that is extremely secure.
This would be an example of a password that is a little less secure, but easier to remember.
JoeSmith or password
These are examples of terrible passwords that should never be used.
The first example is the most secure, but might be difficult to remember. It may not be advisable for employees to use this type of password because it is difficult to memorize. When employees use this type of password, they may be tempted to write it down and leave it on a Post-it note on their desk.
The second example might be best for most employees. The first eight characters are a take on the word baseball. Employees can change this to some take on football in the fall or hockey in the winter. The four numbers after the special character can be the numbers an employee wore when they played high school athletics.
When required to reset their password, they can simply change the middle special character. In this case it is a !, which is typed with Shift and 1. At the next reset they can change just this special character to @, which is Shift and 2. The final two examples of passwords are much too simple and must never be used by any employee.
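The policy described in this section, written as a check that could run when an employee sets a password. This is an added example, not part of the original article; the 12-character minimum, the `DENYLIST` contents, the function name `check_password` and the sample passwords are assumptions, since the article gives no minimum length.

```python
import re

# Assumed value: the article asks for a minimum length but gives no number.
MIN_LENGTH = 12
# Seeded with the article's "terrible" example; extend with a real common-password list.
DENYLIST = {"password"}

CLASS_RULES = {
    "lowercase letter": re.compile(r"[a-z]"),
    "uppercase letter": re.compile(r"[A-Z]"),
    "number": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, full_name):
    """Return the policy rules the password breaks (empty list means accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for label, pattern in CLASS_RULES.items():
        if not pattern.search(password):
            problems.append(f"missing {label}")
    # Compare on lowercase letters only, so decorations such as
    # "Pass-word2024!" around a denied word are still caught.
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if any(word in letters_only for word in DENYLIST):
        problems.append("contains a denylisted word")
    # Reject the employee's own first or last name (parts of 3+ letters).
    name_parts = [p for p in re.split(r"\W+", full_name.lower()) if len(p) >= 3]
    if any(part in letters_only for part in name_parts):
        problems.append("contains the employee's name")
    return problems


if __name__ == "__main__":
    # Constructed samples: the article's two bad examples plus two made-up ones.
    for candidate in ("JoeSmith", "password", "Pass-word2024!", "Quiet-Harbor-Lamp-47"):
        result = check_password(candidate, "Joe Smith")
        print(f"{candidate!r}: {'accepted' if not result else '; '.join(result)}")
```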
There is no longer any reason for a small business not to shred every piece of sensitive information it disposes of. In many cases, there is no need to print any type of sensitive information. Some industries, like banking or healthcare, have state or federal laws that require printing and storage of some documents. If this is the case for your business, then adequate measures need to be taken to secure that information and to properly dispose of it when it is no longer required to be kept. There are many types of machines that can aid in this process, and there are even businesses that specialize in the removal of sensitive records. Taking this aspect of the business seriously is an important part of a cyber security strategy.
Purchase Adequate Data Breach Insurance
The longer a business exists, the more likely it is that an accident will take place. It is not a matter of if, but when the business will face an insurance claim. This is especially true in relation to data breaches.
Data breaches are no longer only a problem for major corporations, and now is the time for most small businesses to speak long and honestly with their independent insurance agent about cyber insurance. There are three main types of small business insurance that deal with data breaches.
The two main types of insurance are called Cyber Liability and Data Breach Insurance. The third type of policy is called Technology Errors and Omissions. The first two types of coverage are usually sold in tandem.
Data Breach Coverage deals with the first party damage a business faces. This damage can include hiring a forensic expert to determine the source of the breach and fix it. It also can include the costs to notify all people who had their information compromised and offer credit monitoring services for up to one year.
The regulations in response to a data breach are dealt with at the state level. Each state has different laws, but most of these immediate response costs are required by law for businesses after a data breach.
Cyber Liability Coverage deals with the liability a business faces to third parties damaged by a data breach. This policy covers the insured’s liability for damages resulting from a data breach. These costs are typically legal fees and lost time spent defending the reputation of the business.
Technology Errors and Omissions Insurance is the final type of insurance that deals with cyber security. This coverage is a form of liability policy that protects businesses that provide or sell technology services and products. It prevents businesses from bearing the full cost of defending against a negligence claim made by a client and of damages awarded in a civil lawsuit.