- Data breaches are expensive for small businesses, costing not just fines and chargebacks from credit and debit card companies but also your customers' trust.
- Following these five steps to secure your company reduces the likelihood of a breach and the hard and soft costs that come with one.
- Cyber insurance could mitigate the damage of a cyber breach by covering these expenses.
- This article is for small business owners who want to protect both their business and their customers from a data breach.
Data breaches regularly affect small businesses and are expensive in several ways. This article gives you five practical steps to protect your customers' data, then explains how cyber insurance can help and how to restore your reputation after a breach.
The cost of a data breach
While data breaches at giant corporations like Marriott International and Capital One grab the media spotlight, a breach is just as realistic a scenario for small businesses, and at that scale it can prove far more devastating. Cybercrime against small companies has become more common since the coronavirus pandemic, when many small businesses were forced to digitize their processes and move to a remote work model. Experts say small business owners who don't make protecting customers' personal information a top priority could soon find themselves out of operation.
Jeff Kosc, a partner with the law firm Benesch, said businesses that compromise customers' personal data, such as credit card and Social Security numbers, face a multitude of costs – not all of which have an exact dollar amount attached.
Hard costs
According to Kosc, one of the largest costs comes from the credit and debit card companies, which have broad powers and rights in data breach situations, especially if it is discovered that the business wasn't complying with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is the set of contractual security requirements that every business accepting credit and debit cards must follow.
"If there is a breach of PCI, they have rights to levy fines on merchants," Kosc said of the credit and debit card companies. "They are also entitled under those agreements to charge back any fraudulent charges that take place on anyone's card as a result of the data breach."
In addition to paying back the credit card companies, businesses incur costs associated with alerting consumers of the breach, paying for their credit monitoring services, investigating how the breach occurred, and taking steps to ensure it doesn't happen again.
Depending on the scope of the breach, Kosc said businesses also face potential fines from the Federal Trade Commission and state regulators. He pointed to the example of TJ Maxx, which paid more than $9 million to settle with over 40 state attorneys general following the breach it disclosed in 2007.
According to IBM Security's Cost of a Data Breach report, breaches now cost affected companies more than $4 million on average, and incidents are becoming more damaging, more costly and harder to contain.
Soft costs
Kosc said many companies in these situations also face a loss in productivity because employees are more focused on cleaning up the mess than they are on normal day-to-day responsibilities. "You are pulling everyone away from their regular job duties to deal with a data breach."
Beyond the added workload, businesses suffer damage to their reputation and to customer trust that is hard to put a price on.
"There is a community of people who have a trusted relationship with you, and that can be jeopardized," said William Pelgrin, former CEO of the Center for Internet Security. "How you recover from all of that can be very difficult."
Protecting your small business from data breaches
One problem is that many small businesses think, because of their size, they aren't targets of cybercriminals.
"We tend to think that it won't happen to us because we are too small and that they are really looking at the larger [companies], and that's not the case," Pelgrin said. "Everyone is under constant attack at this point."
He explained that, because cybercriminals have become so effective in recent years, there is no guarantee a business will be safe even with the best security measures in place.
"There isn't a silver bullet out there," Pelgrin added. "The best you can do is to be as diligent and vigilant as possible to ensure you have done everything in your power to be as secure as you can be."
Data protection: 5 steps to protect customer data
To protect consumer data as much as possible, Pelgrin advises businesses to take several steps.
1. Know your environment.
This means taking inventory of all the hardware and software you have, as well as the version each is running. You cannot tell whether a published vulnerability affects you unless you know exactly what you own and which versions are deployed.
"What are your assets, what's your infrastructure look like, what's your network look like?" Pelgrin said. "There may be a known vulnerability and you might not even think it is within your infrastructure, and unbeknownst to you, it may be totally enabled throughout your infrastructure and therefore making you very vulnerable to an attack."
2. Secure your environment.
Bring your hardware, software and network up to the highest level of security they support. Pelgrin said new hardware and software small businesses buy doesn't always ship with the latest security fixes. He added it is critical that businesses check each piece of equipment and apply all current security patches. In addition, he said all security settings should be turned up as far as they can be without hindering operations.
3. Control your environment.
Pelgrin said it's imperative that companies don't give all their employees total access to their network and data. He said employees shouldn't have access to higher levels of administration than they need, and shouldn't be allowed to download anything they want from anywhere they want.
"Most of your employees should not have complete administrative access to their machines," Pelgrin added. "That administrative access should be limited to very few trusted individuals."
4. Assess your vendors' cybersecurity posture.
Businesses want to ensure the vendors they are working with also have stringent levels of security. Pelgrin said it is critical to have documentation from the organizations you outsource parts of your business to on exactly what security measures they have in place. "It needs to meet the standards of what you would employ internally."
5. Monitor your environment.
This involves continuously checking your systems and network to confirm they are behaving and performing as they should.
"You don't have to be a cyber expert to know something is wrong," Pelgrin said. "Your gut is a great first sign that something may be wrong, and then you need to reach out to those that have the expertise to help diagnose whether, in fact, you have been a victim of a cyber incident."
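The five steps above are a procedure, and most of it can be turned into routine checks. The script below is an added example, not code from the article or from anyone quoted in it. It takes a constructed inventory, a constructed list of hypothetical advisories, constructed admin group memberships and a handful of constructed authentication log lines, and runs the checks behind steps 1, 2, 3 and 5: which assets are below a known fixed version, who holds admin rights without being on the approved list, and which source address is generating a burst of failed logins. The product names, version numbers, advisory identifiers, hostnames and addresses are all made up for illustration.

```python
"""Environment audit for a small business: inventory, patch level, admin
access and a simple monitor.  Added example, not code from the article or
from the people quoted in it.  Every data set below is constructed: the
hosts, products, versions, advisory identifiers, group members and log
lines are made up to show the shape of each check, not real findings."""
from datetime import datetime, timedelta

# Step 1: know your environment.  The inventory is a list of assets with
# the exact version each runs (constructed data).
INVENTORY = [
    {"host": "pos-01", "product": "ShopSoft POS", "version": "2.3.1"},
    {"host": "pos-02", "product": "ShopSoft POS", "version": "2.4.0"},
    {"host": "office-fw", "product": "EdgeRouter OS", "version": "1.9.7"},
    {"host": "web-01", "product": "WebStore CMS", "version": "5.0.2"},
]

# Step 2: secure your environment.  Hypothetical advisories, each naming
# the first version that contains the fix (constructed, not real IDs).
ADVISORIES = [
    {"product": "ShopSoft POS", "fixed_in": "2.4.0", "id": "EXAMPLE-ADV-001"},
    {"product": "EdgeRouter OS", "fixed_in": "1.10.0", "id": "EXAMPLE-ADV-002"},
]

def parse_version(text):
    """'1.10.0' -> (1, 10, 0).  Compare numerically: as strings, '1.9.7'
    sorts after '1.10.0', which would silently hide an unpatched device."""
    return tuple(int(part) for part in text.split("."))

def find_unpatched(inventory, advisories):
    """Return (host, product, version, advisory id) for every asset running
    a version older than an advisory's first fixed version."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if asset["product"] != adv["product"]:
                continue
            if parse_version(asset["version"]) < parse_version(adv["fixed_in"]):
                findings.append((asset["host"], asset["product"],
                                 asset["version"], adv["id"]))
    return findings

# Step 3: control your environment.  Who actually holds admin rights on
# each host (constructed; in practice read the local Administrators group,
# sudoers or your directory) versus the short list that is allowed to.
ADMIN_MEMBERS = {
    "pos-01": {"it-admin", "cashier2"},
    "pos-02": {"it-admin"},
    "web-01": {"it-admin", "webdev", "owner"},
}
APPROVED_ADMINS = {"it-admin", "owner"}

def find_excess_admins(members, approved):
    """Return (host, user) for every admin account not on the approved list."""
    return sorted((host, user)
                  for host, users in members.items()
                  for user in users - approved)

# Step 5: monitor your environment.  Constructed auth log lines in the form
# "<ISO timestamp> <source IP> <user> <OK|FAIL>"; 198.51.100.7 is a
# documentation address standing in for an outside attacker.
LOG_LINES = [
    "2024-05-01T09:00:01 10.0.0.5 cashier1 OK",
    "2024-05-01T09:00:10 198.51.100.7 owner FAIL",
    "2024-05-01T09:00:25 198.51.100.7 owner FAIL",
    "2024-05-01T09:00:41 198.51.100.7 admin FAIL",
    "2024-05-01T09:01:02 10.0.0.5 cashier1 FAIL",
    "2024-05-01T09:01:15 198.51.100.7 admin FAIL",
    "2024-05-01T09:01:33 198.51.100.7 it-admin FAIL",
    "2024-05-01T09:30:00 10.0.0.9 it-admin OK",
]

def find_login_bursts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return source IPs with at least `threshold` failed logins inside any
    span of length `window`.  One failure from the cashier's PC is noise;
    five in two minutes from one outside address is worth a phone call."""
    failures = {}
    for line in lines:
        stamp, source, _user, result = line.split()
        if result == "FAIL":
            failures.setdefault(source, []).append(datetime.fromisoformat(stamp))
    noisy = []
    for source, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                noisy.append(source)
                break
    return sorted(noisy)

def audit():
    """Run every check and return the findings as one report."""
    return {
        "unpatched": find_unpatched(INVENTORY, ADVISORIES),
        "excess_admins": find_excess_admins(ADMIN_MEMBERS, APPROVED_ADMINS),
        "login_bursts": find_login_bursts(LOG_LINES),
    }

if __name__ == "__main__":
    for check, findings in audit().items():
        print(check, findings if findings else "no findings")
```

Two details matter in practice. Versions must be compared as numbers, not strings, or a firewall on 1.9.7 looks newer than the 1.10.0 fix and never shows up. And the admin check only works if the approved list is short and written down somewhere other than the systems it governs; the point of step 3 is that "who has admin" is a decision, not whatever the machines happen to say.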
Pelgrin also encourages dedicating time each month to train employees on the importance of cybersecurity and how they can avoid contributing to leaks. "You want to make it real for employees, and the only way to do that is to talk about it and practice it."
Kosc believes a key step in keeping your business data safe is hiring personnel whose main responsibility is security. "It needs to be something that is on someone's mind every day because that's their job."
Mitigating the damage of a data breach
Businesses should have a clear strategy for dealing with a breach, since many experts, Kosc among them, believe it's not a matter of if but when one will occur.
"You want to have a plan in place before something like this happens, so when an event does happen, you know what to do and how to limit liability as much as possible," he said.
Part of that plan is knowing whom to call for help. In times of crisis, Pelgrin said, you don't want to waste time figuring out who can assist you. "You want to have those relationships upfront and in place."
How cyber insurance can help
Insurance providers are a relatively new source of help for businesses. Within the last several years, many have started offering data breach insurance.
Lynn LaGram, assistant vice president of small commercial underwriting at The Hartford, said her company has been offering data breach insurance since 2011, and its coverage comes in two parts:
- Response coverage covers the response expenses, such as notifying customers after a breach occurs, setting up credit monitoring for affected customers, hiring a public relations firm to help repair reputational damage, and hiring legal and forensic experts to assess whether a breach did occur and where it came from. The Hartford specifies that the amount businesses receive depends on how much and what type of information they stored, their claims history, how many clients they have and their revenue.
- Expense coverage covers expenses small businesses may face should any lawsuits be brought against them by consumers whose information was stolen.
"[Expense coverage] covers civil awards, settlements or judgments that the small business owner would become legally obligated to pay as a result of a data breach," LaGram said.
Kosc said most civil lawsuits brought against organizations that lost data have been ineffective at this point because in many of these situations consumers can't prove that the thieves have used their stolen information in any way.
"There haven't been many so far that have been successful, because they have to be able to show an actual harm," Kosc said. "Until you can prove an actual injury has been suffered, [a court] can't award you damages."
While small businesses were originally slow to adopt data breach insurance, LaGram said more of them, especially in light of last year's high-profile cases, have been adding it to their protection arsenal. "Data breach is one of our highest-selling optional coverages."
Restoring reputation and customer trust
For businesses to begin repairing their brand reputation and rebuilding trust after a data breach, Pelgrin said, they must be upfront with customers when it happens.
"I am a big believer in [the saying that] it's not if bad things happen, but how you react when bad things happen," he said. "That shows the quality of the company and … the individuals that work for that company."
Pelgrin said the last thing your business wants to have happen is for word of the breach to get out six months after it occurred and have customers think you did nothing about it because you didn't have to. "Then you are in a position of trying to justify why you held on to that information."
The key is to alert customers as soon as you have concrete information on the breach. Bear in mind that the timing is not entirely yours to choose: state breach-notification laws and, for businesses with European customers, the GDPR set deadlines for notifying affected people and regulators.
"You don't want to put fear into people," Pelgrin said. "You really need to know what happened so when you give the information, it is very clear – 'this is what we know, this is what happened, and this is what we recommend to mitigate it.'"
LaGram said small businesses must understand that this absolutely could happen to them.
"Small business owners are targeted at a much higher pace than larger operations because they are easier to penetrate," she said. "It is very easy for it to happen in a small business setting."
Leah Zitter contributed to the writing and reporting in this article. Source interviews were conducted for a previous version of this article.