Too many small business owners believe they have little of value to a cybercriminal. They overlook their customer information, the money in the bank and the trade secrets they’ve worked years to develop and protect. Therefore, each business owner should be certain to include this risk in their overall risk management process – a process that’s hopefully already in place. If not, cybercrime risks help get that process started. California’s attorney general also tells us:
- Although more than two thirds of business owners say the Internet is critical to their success, only 10% have installed any Internet security measures to mitigate this risk.
- Only 29% provide any training on Internet security to their employees.
For too many small businesses, “the door is wide open” to major financial loss at the hands of cybercriminals. We’ve read about security breaches at major firms such as Target and Neiman Marcus. Yet few of us know that California law requires firms of all sizes to report security breaches in which unauthorized access to unencrypted personal data has occurred. There seems to be no end to the challenges posed by cybersecurity risks and government regulations.
That’s an overview of the problem. The solution has to be proactive prevention. More specifically, the California attorney general offers these risk mitigation measures:
Assume you’re a target.
Smaller organizations are perceived to be easy targets. Have a plan to respond.
Lead by example.
Owners must not simply delegate this risk to IT people. Leadership must champion this risk management effort, and make resources available to prevent hacking from occurring.
Network security should be top-of-mind for every business owner, organization leader or IT professional. Losing data to theft, disaster or simple human error can be costly. On average, the cost per lost customer record is $188 (that can add up fast). The embarrassment of explaining to customers how their information was stolen is not a conversation you want to have as a business leader.
Use bank security.
Use a secure browser connection (https://, with the S added) and other appropriate measures. Pay attention to bank notifications of account activity. Account access should require two-factor authentication, not merely a single passcode. Finally, enforce the traditional “internal controls” among staff so that no one individual “does it all” in terms of check writing, check depositing, bank account reconciliation, etc.
Defend your business.
Educate your employees.
All staff members need to know how to control and reduce this risk. These risks are evolving, and measures that were effective a couple of years ago may not be useful today. Continuing education and training are essential.
Protect your organization’s data.
This includes encryption capability, limited staff access, data backup, secure disposal of stored data, etc.
Use strong passwords.
Include at least eight characters with a random sequence of letters, numbers and other symbols. Most recommend a change of password every three months or so. Don’t use personal data in business passwords. Each employee should have an individual account with its own username and password, and should be properly trained on the importance of updating and securing login credentials regularly.
Finally, this discussion has focused principally on first-party property risks. There are also very real third-party liability risks. The two principal liability risks are:
- Media liability from websites and participation on social media.
- Privacy liability
Cyber liability risks typically are excluded from conventional business liability insurance policies. However, special cyber liability policies are available, yet there is no “standard” form. Every policy has different terms and conditions. You’ll want to work closely with your insurance broker to be certain you have the most appropriate policy language for your needs.
Reduce the risk: back up corporate data.
Regardless of your current vulnerabilities, your biggest threat may simply be a failure to protect your data. Make sure you investigate and understand how your data is being backed up, how often, where, and who’s in charge of making sure it’s happening.