It Won’t Happen To Me
If you think the size of your business keeps it from being a target of cybercrime, think again. According to the National Cyber Security Alliance, twenty percent of small businesses were victims of cybercrime in the last year, and that figure counts only reported cases. Because most small business owners are reluctant to report security breaches, it is safe to assume the real number is much higher. Why do cybercriminals target small businesses? Precisely because believing cybercrime won’t happen to you makes you easy prey, with either no protections in place or grossly inadequate ones.
There are 82,000 new malware threats released every single day, and half of all cyber-attacks are aimed at small businesses. You don’t hear about it because the news prefers to report on the massive breaches. Many breaches are also kept quiet by the company itself, for fear of bad publicity, fines, lawsuits, and plain embarrassment.
Adding to this “it won’t happen to me” mindset is the belief among small business owners that, because their businesses are small, the consequences of a security breach will also be minor.
Here are five significant ways cybercrime can damage your business during and after a security breach, regardless of the size of your business.
A Damaged Reputation
When your clients discover that cybercriminals got hold of your data, do you think they will rally around you or have sympathy for your situation? What if your clients are patients worried about highly personal medical data? What if you manage their financial information? Will they understand that you could have been more responsible, but instead didn’t believe it could happen to you or didn’t want to spend the money? Will they understand that you could have done better, but chose to take the risk?
News of cybercrime travels fast on social media, and your clients will demand answers. Will your explanations pacify them? Even though no protection measure carries a 100% guarantee, your clients expect you to have put in place as many as are adequate for your type of business. If they find out you haven’t, their trust in you will begin to erode, damaging your reputation and leading to loss of business over the long term.
Government Fines, Legal Fees, and Lawsuits
Did you know that breach-notification statutes remain one of the most active areas of the law? Data breaches and data privacy are areas where many senators continue to push for “massive and mandatory” rules and fines. If you expose client data to cybercriminals, the courts will not be in your favor. This does not apply only to big corporations: any small business that collects customer information has a basic obligation to tell those customers if it experiences a breach. The District of Columbia and forty-seven states have their own data breach laws – and they are getting tighter as we speak.
If you’re in financial services or health care, you have additional notification requirements under the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), and the Health Insurance Portability and Accountability Act (HIPAA). Among other things, HIPAA stipulates that if a health care business experiences a breach involving more than 500 customers, it must notify a prominent media outlet about the incident. SEC and FINRA also require financial services businesses to contact them about breaches, as well as any state regulatory bodies.
You must ensure you are compliant, and that you remain so.
One breach, one ransomware attack, one rogue employee you didn’t protect yourself against, can create hours of extra work for your already maxed-out staff. Add the cost of downtime from business interruption and the cost of backlogged work. Then there is lost sales revenue, plus the forensics cost of determining what kind of attack occurred and which parts of your network and data were compromised. And don’t forget the emergency IT costs of restoring you to normal, if that is even possible.
In some cases you will even pay the ransom, with no guarantee of getting your data back. Add legal fees and the cost of counsel to help you respond to your clients and the media. Cash flow will be disrupted and budgets blown. In some states you will also be required to provide one year of credit-monitoring services to consumers affected by the breach.
Research by the Ponemon Institute puts the average cost of a data breach at $225 per record compromised. This figure factors in downtime, lost revenue, recovery costs, fines, legal fees, and so on. Do the math for your company: how many client records? How many employee records? Multiply that number by $225, and you’ll start to get a sense of how much cybercrime can cost your business.
If cybercriminals access your bank account and steal funds, your bank will not be held responsible for replacing such funds. Verne Harnish, CEO of Gazelles, Inc., and author of the best-selling book The Rockefeller Habits, found out the hard way.
Hackers accessed his computer and intercepted e-mails between him and his assistant. They used this access to instruct the assistant to wire $400,000 to three different accounts. Because Harnish was funding several real estate and investment ventures at the time, this kind of instruction was not unusual for the assistant. With assurances from the hackers posing as Harnish, the assistant made the transfers. Harnish didn’t notice, because the hackers deleted his daily bank alerts. Harnish never recovered that money, and the bank was not responsible for his loss.
Do you think no one on your staff is capable of making a single mistake or having a single lapse in judgment?
Infecting Your Clients Through You
Locking up your data or stealing money from you are not the only motivations hackers have. Some want to use your server, website, or online profile to spread malware and compromise other computers. They can use your systems to relay spam, host malware, stand up web pages, or promote their religious or political agenda.
Which Protections Should You Have In Place Now?
Now that you understand the possible damage cybercrime can do to your business, we recommend you put protections in place that significantly reduce the chance of these types of security breaches and minimize their severity and impact if they do occur.
You should also know that there is no way we, or anyone else, can guarantee 100% that you won’t be compromised. You can only put smart protections in place to reduce the chances, protect your data, and demonstrate to your employees, clients, and the lawyers that you were responsible rather than careless.
We recommend that all small businesses have the following protections in place as soon as possible:
- Quarterly Business Reviews (QBRs) And Security Risk Assessments
- Proactive Monitoring, Patching, and Security Updates
- Relevant Insurance Policies Review
- Data Breach And Cyber-Attack Response Plan
- Ransomware Backup And Disaster Recovery Plan
- Mobile And Remote Device Security Policy
- More Aggressive Password Protocols
- Advanced Endpoint Security
- Multi-Factor Authentication
- Web-Filtering Protection
- Cyber Security Awareness Training
- Protections For Sending/Receiving Confidential Information Via E-mail
- Secure Remote Access Protocols
- Dark Web/Deep Web ID Monitoring
Our preemptive Cyber Security Risk Assessment will give you the answers you want, and the certainty you need.