If you have sensitive or protected data in your care, custody or control, you have obligations to safeguard it and can be held liable for its disclosure. Data that is crucial to a company’s success is also highly valuable and easily monetized. Calculating criminals are looking for personally identifiable information, protected healthcare information, payment card information, intellectual property, authentication credentials, insider information and more.
Disclosure of sensitive data can put a small business in serious jeopardy. In fact, the International Data Corporation found that 71% of security breaches target small businesses, and Symantec research reveals that a staggering 60% of small businesses will shut their doors within six months of a cyberattack.
The single biggest oversight of most small businesses is the belief that they will not be the target of a cyberattack because of their size. Hackers enjoy a big payout, but they are also opportunistic – they prey on the weak and are in business to make money. Hackers do not discriminate; data from a small business is just as valuable and fetches the same black-market price as the data found at large companies.
Sensational news stories covering mega-sized data breaches lead us to believe that only the largest companies have been breached. This is simply not true. According to a 2015 NetDiligence report, nano-organizations experienced the most data breach incidents (29%), followed closely by small organizations (25%). Further, extremely large breaches occurred in nano, small and large organizations.
Do your clients still think their small business is unnoticeable and not a target? Ask them these questions: Does the business have an online presence? Does it connect to the Internet? Does it process credit card transactions? Does it email or provide an e-portal for clients or vendors? Does the business have a ‘bring your own device’ policy? If the answer to any one of these questions is yes, trust that malicious actors can identify the business as a potential target.
In addition, small business owners often delegate responsibilities to a third party, whether that be a cloud service provider, an Internet service provider, a payroll processor, a POS vendor or any number of professionals who assist with the day-to-day functionality of the business. In doing so, the small business owner needs to understand the liability of the contracted services.
The first thing to know before entering into any contract is that privacy laws hold the ‘storefront’ (not the contracted service provider) responsible for a data breach. If a business allows a third-party provider access to any protected data in its care, custody or control, and the third-party provider discloses this data, it’s the business that will be subject to privacy laws, compliance with data breach requirements and resulting regulatory investigations, fines and penalties.
Employees are a hacker’s best friend, and they may not be aware of this ongoing relationship. Hackers will take advantage of any opportunity, and even the best cybersecurity in the world can be breached by human negligence. Lost or stolen laptops and mobile devices, clicking on dubious links embedded with malware, replying to a phishing email with password information, transferring money based on a compromised email address, and more have all led to large data breaches and significant costs that have had a major impact on a company’s bottom line.
A recent IBM study found that in 2015, a large proportion (25%) of all data breaches were caused by human error. Not addressing this vulnerability with employee awareness, education and training will leave a business susceptible to a breach.
Small business exposures are really no different than those of their larger business counterparts, except that small businesses often do not have the resources to allocate and adequately address these exposures.
Identifying a business’s data assets and correlating them to its exposures and liability is a necessary first step in assessing vulnerabilities and proactively creating steps to prevent or mitigate potential harm.
Michelle Lopilato is a senior vice-president and the director of cyber and technology solutions at HUB International. She is a licensed P&C producer and member of the Professional Liability Underwriting Society.