Could Your Business Survive a Data Breach?
Business owners and executives, listen up! 58% of small and mid-size businesses have suffered from a cyber attack or data breach, and even a small data breach can be devastating. Could your business survive the potentially catastrophic damages? Many don’t. Here’s a quick summary of the most important things you need to know about surviving a data breach.
Small and Medium-sized Businesses are at Risk
While larger organizations are certainly targeted by cybercriminals, the 2019 Verizon Data Breach Investigations Report shows that 43% of data breaches last year involved small businesses with under 500 employees. Small and medium-sized businesses are victims of cyber attacks and breach incidents at an alarming rate.
What qualifies as a data breach?
Every business and organization collects some form of confidential and sensitive information about its customers and employees, including all types of personal, financial, medical and business data. The exposure, loss or theft of this private information is considered a data breach incident, no matter how large or small. It also does not matter whether the breach was accidental or criminal. Employee mistakes and negligence are a leading cause of data breaches, second only to cyberattacks and outside cybercriminal mischief.
Data Security and Privacy Laws
Multiple federal regulations mandate the protection of private data, including HIPAA, GLBA, FACTA, FFIEC and more. All 50 states also have separate data breach and cybersecurity laws requiring businesses and organizations to protect the personal information of citizens in their state. Among the most recent and toughest state laws is the California Consumer Privacy Act (CCPA), which takes effect January 1, 2020.
All these regulations are enforced with potentially steep fines and penalties for non-compliance. In September 2019, a small financial services brokerage based in Chicago was fined $500,000 for not following U.S. regulatory requirements for responding to a data breach incident it had back in 2018.
If you are in business today, be aware that your organization likely must be compliant with one or more regulations mandating the protection of customer and employee data including the proper response to breach incidents.
The Financial Cost of Recovery
The financial damages from a data breach incident can be catastrophic. In the last 12 months, the average cost of a data breach to a small business in the U.S. rose to $2.74 million. Breaking the bad news down further, the 2019 Ponemon Cost of Data Breach Report revealed a cost of $242 per customer record exposed or stolen. Doing some quick math, even a very small breach with just 500 people affected will cost a business close to $125,000 in direct and indirect costs. Businesses that are compliant with data security regulations actually reduce their cost of recovery by $350,000 on average, according to the Ponemon study.
What’s the reputation of a business worth? Can you put a value on customer trust and loyalty? Perhaps the most detrimental consequences of a data breach incident are the negative effect on an organization’s reputation and the loss of customer trust. Between the enormous financial and reputational damages, it’s imperative that businesses and organizations of all sizes consider the consequences and take steps now to prevent breaches and prepare to survive an incident.
5 Things You Can Do Now to Survive
- Get a Risk Assessment Done. Identify the weaknesses and security gaps that could compromise your business. Larger organizations may require a more involved and lengthy assessment process, but for small and medium-sized businesses there are comprehensive self-assessment tools available that won’t cost you much and can give you an important roadmap for improvement. To meet cybersecurity regulations, risk assessments should be done regularly (at least annually) to identify new risks and areas for improvement.
- Implement an Information Security Plan. Don’t assume your business is secure enough. Like business and marketing plans, you need an Information Security Plan. Your plan should outline in clear and simple terms how you protect confidential data in all parts of the business, including how to make it a part of your everyday business operations. This includes security policies and procedures for IT, HR, and even management.
- Train your Employees. Your employees are your first line of defense and are vital in detecting security problems and data breach incidents. The sooner you detect and respond to a breach, the fewer people will be affected, and the less the damage will be to the business. Be sure all personnel, including you, get regular cybersecurity awareness training and know how to spot email phishing scams, social engineering attacks and other threats.
- Have a Breach Response Plan. A fast and proper response to a breach incident is essential to survival. Get a plan in place and know in advance how your business will handle the incident. This includes containment, reporting to authorities, victim notification and remediation, and PR and communications. Federal and state laws, including California’s, have specific requirements for reporting incidents to authorities and timelines for notifying affected persons or entities.
- Get Compliant. To survive a data breach, it’s imperative that you are legally defensible. This means being compliant with federal, state and international security and privacy laws as applicable to your business. To avoid potential regulatory fines and penalties in the wake of a breach, or to defend against civil lawsuits against your business, get and stay compliant. Your approach to compliance should be proportionate to the size and scope of your business. You may want to enlist the help of compliance experts to ensure your Information Security Plan and your efforts meet minimum standards.