Don’t fall asleep at the computer.
Today, even with almost every specialty fabrics business involved with some form of Internet connection or data storage (customer lists, employee information, books, records, job estimates, receipts and tax documents, for example), nearly 83 percent of small businesses do not have a contingency plan outlining procedures for responding to and reporting data breach losses. Yet, according to the National Cyber Security Alliance, a nonprofit cyber security educational organization, one in three small businesses is a victim of cybercrime each year.
Small businesses should make plans to protect their operations from cyber threats and help employees stay safe online.
Problem times ten
So-called “cyber-hacking” is big business, and no one is safe from attack. In the U.S. most states have breach notification laws, and other countries are following suit. Many of these laws require that written notification be sent to individuals who have been affected.
It should come as no surprise that social media sites can also expose information at light speed with little control. Liability can be triggered not only by a business’s own site but also by an employee’s activity on social media sites, especially if the business is responsible for maintaining the sites. Defamatory statements, leaked information and copyright infringement are growing concerns.
Losing the trust of customers can be more damaging than the financial loss of repairing the effects of any breach. Even worse, a business can be held liable for the loss of third-party data and face expensive damage claims.
DIY risk management
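Security experts agree that the easiest place to start managing risk is strong password protection. Many recently exposed hacking cases have been traced back to weak passwords that were either stored without being encrypted or “salted” (combined with random data before storage so that identical passwords do not produce identical stored values), or not changed regularly.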
If managing passwords for all of your servers, apps, cloud services, databases and devices seems daunting, there are affordable password management professionals and software that will do it for you.
Other tips to help secure data and reduce liability:
- Install a firewall. There are hardware and software approaches that are inexpensive and easy to use.
- Conduct regular risk assessments to reveal hardware, software and individual site vulnerabilities.
- Isolate computers used for sensitive applications, such as making bank deposits or transfers, from the rest of your network.
- Control access to data, which means limiting delivery and exchange of customer, supplier or employee-related documents and information to secure channels.
- Install anti-virus software and use it. Although free updates are usually included, make sure to update the program regularly, or allow the software to do so automatically.
- When an employee or contractor who has had access to the system leaves your employ, make sure their passwords are no longer usable.
- Create and implement a data security plan that includes immediate notification of all affected parties. In many cases, it’s the law.
- Share the liability by demanding similar protocols from suppliers and checking for compliance.
Insurance to the rescue
Little business data is typically covered under today’s insurance policies. Admittedly, some business insurance policies might offer general liability protection. Directors and Officers (D&O) liability may, for instance, provide a measure of coverage in these areas. Unfortunately, as the risk escalates, it is only after a hack attack that many professionals discover what is and what isn’t covered by their insurance policies. By then, it’s too late.
A business interruption insurance policy rarely helps in the event of a system failure caused by a malicious employee, computer virus or a hack attack on the business. But, while few so-called “umbrella” policies or blanket liability insurance policies cover these types of losses, a relatively new type of policy, cyber liability insurance, has been available for almost 10 years, although it is rarely purchased.
Cyber liability insurance covers hacker attacks, viruses and worms that steal or destroy a business’s data. Even email or social networking harassment and discrimination claims can be covered, along with trademark and copyright infringement. This kind of insurance will often cover the loss of profits due to a system outage caused by a non-physical peril such as a virus or attack.
When looking into cyber insurance, common sense dictates that all potential risks should be covered, including laptops and mobile phones. Because portable devices make it much easier to store and to lose information, a missing USB stick, a stolen iPad® or a laptop left in a taxi are all real possibilities for losses, and, for a hacker, can be a gold mine.
A good insurance company will ensure a policy holder has all the protection possible, including helping to make sure a firewall is in place to protect the network and creating social media policies that reduce risk. Even if data is stored in the cloud, a business may still be liable for a breach. Although controlling how a cloud provider handles the business’s data is almost impossible, cyber insurance can protect any operation from those mistakes.
If you transact business online, your company should have a cyber security plan that includes keeping computers “clean,” protecting information, changing passwords frequently and using good anti-virus software.
Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. If you don’t have an IT department, consider contracting for these services to receive regular security assessments.
[ By Mark E. Battersby, based in Ardmore, Pa. Battersby writes extensively on business, financial and tax-related topics. ]