Small business owners might see cybersecurity as a back-burner issue since they are just a “small business”. After all, the news is filled with stories of some of America’s biggest corporations experiencing large-scale data breaches. Those breaches often involve millions of compromised records. Most small businesses don’t have databases that hold millions of records. So, why should small business decision makers worry about small business cybersecurity?
Hackers take on an almost mythical presence since no one really knows any hackers on a personal level. These “black hat” types must be smarter than virtually everyone since these criminals can find ways to break into almost any computer system.
With news outlets reporting that big companies are hit by hackers, it would be easy to conclude, mistakenly, that hackers only target big companies. The reality is that news outlets rarely report when small organizations have been breached, much less targeted.
In reality, small businesses provide plenty of high-value targets for hackers. More importantly, since big business already knows that it is in the crosshairs of the cyber underworld, those large corporations have taken substantial steps to protect themselves. Most small businesses haven’t taken the measures needed to put a prohibitive level of protection in place. Hackers know that.
Different kinds of attacks consume different levels of resources for hackers. Some threats can be fully or partially automated, so the marginal cost of each attack is very low. That allows for widespread attacks on smaller companies without the attacker having to worry about a high cost for a low-value target.
The small business owner may feel that there still isn’t that much value in the data that is managed and stored by the business. Hackers aren’t just aiming for credit cards anymore. If personal information is available, that has great appeal to the attackers. Healthcare records are selling for a premium on the dark web right now.
The clearest target that today’s hackers have is cash. Imagine if the attackers could precipitate a wire transfer to themselves. That may sound far-fetched. It isn’t. It has already happened and it has cost some small to medium-sized companies big money: six figures and higher.
Finally, the cost of a cybersecurity failure that leads to a breach can be fatal for a small business. There are two fronts to be concerned about.
First, the loss of reputation is just really, really bad for business. Trust is a tremendously huge factor in any relationship, and that holds true for business relationships, whether business-to-consumer (B2C) or business-to-business (B2B). Rebuilding lost trust is expensive. Combined with the expected loss of revenue from customers who pull back from or end a business relationship altogether, that cost may be too steep of a climb.
The second concern is compliance-related. In Illinois, the Personal Information Protection Act (PIPA) defines what types of personal information are protected (name combined with social security number, driver’s license or state ID number, account number, credit or debit card number, medical information, health insurance information, or unique biometric data, in combination with a security code, access code or password) as well as what steps are required in the case of a breach of this type of data – for every instance of the breach.
If a small business has records that are covered by PIPA, then it is required by state law to “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.” To take that a step further, any disclosure of that personal information to another entity requires that the contract between the two state that those receiving the information must “implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification, or disclosure.”
Almost every step of PIPA compliance is going to require some help from an attorney. That isn’t going to be cheap.
Purchasing cybersecurity insurance would make sense since there are tremendous costs to data breaches. This is a relatively new insurance market and more established insurance providers will likely be asking critically important questions on the application for coverage. Expect those questions to pertain directly to how well the applicant’s data is protected. In other words, to get real, affordable insurance coverage, implementing real cybersecurity measures will be required.
The bottom line is that small business cybersecurity could determine whether or not the small business owner’s dream survives in today’s digital society.