Data Security Emerges as a Main Concern for Small Businesses

By Tirena Dingeldein


A data security breach can cripple a small business. Find out what you can do to combat small-business data security threats in 2019.


It's 2019, and if you're a small-business owner you know that a data security breach can cripple—or kill—your business.

You're not alone in knowing that you need to invest in securing your customers' data.

According to research we conducted in 2018 with nearly 700 small- and midsize-business (SMB) respondents, 71% of U.S. SMBs are currently using data and information security technology, and small-business data security is one of the top three priorities for tech spending over the next two years (read more on our survey methodology here).


Unfortunately, there is still a pervasive sentiment among some business owners that they don't have enough data to warrant a security solution or that their data is unimportant to criminals. Of those respondents who aren't planning to evaluate or use data and information security technology in the next two years, 16.5% have fewer than 11 employees.

These small businesses are significantly more at risk of experiencing a data breach than midsize businesses.

If even large enterprise companies including Equifax and Maersk lost their shirts during data breaches, what can a startup or SMB do to protect its intellectual property and private customer data?

Don't worry, we're here to help with this 10,000-foot guide to getting your business data protected and prepared for a breach.

The real cost of small-business data security

Business death by data breach is a slow and painful process.

Nearly 60% of small businesses close their doors within six months of a data breach, and that's after they've spent those long months losing money, suffering through lengthy litigation, enduring brand and reputation dismemberment, and dealing with angry customers.

In 2017, Verizon's Data Breach Investigations Report found that more than 75% of the data breach victims they studied were small businesses. Hackers see small businesses as easy targets because they lack processes, technology safeguards against security breaches, and IT teams.

According to an annual study conducted by The Ponemon Institute for IBM, the cost of one record with confidential or sensitive information being compromised in 2019 is $148 (for more on how IBM calculated this number, download their report here). This cost is attached to each individual whose personal information was stolen, and represents what the business will have to spend to try to recover from the breach.

Kaspersky Labs releases an annual report on the cost of data breaches, and quoted the total cost for one data breach incident within an SMB to be around $120,000 in 2018. This includes things like losing money from litigation, trying to fix their reputation, incident resolution, and more. That's an increase of nearly $32,000 from 2017.

To put that into perspective, the latest U.S. census data said that the average small business made around $400,000/year. That means one data breach incident takes out over 25% of a small business's revenue (on average).

That's death to many—if not most—SMBs.

Small businesses must invest both human and monetary resources in securing, insuring, and maintaining their data immediately or risk losing $120,000 (or more) from a data security breach, not to mention the significant and lasting decrease in customer trust.

3 Crucial steps to decrease the risk of a life-changing small-business data security breach

1. Invest in data security technology

Cybersecurity software, data loss prevention, network security … there are a lot of technology types to discuss when a small business chooses to secure their data. How do you know which option is right for your business?

Consider data security holistically. Businesses will benefit the most if they have software that has both proactive and reactive incident response features. Here are a few types of software your SMB should consider:

  • Network security software has proactive monitoring features like vulnerability scanning, email attachment protection, or an intrusion detection option. You can use this technology to identify vulnerabilities before a data breach occurs.

  • Data loss prevention software can reduce employees' mishandling or nefarious actions with your data. These systems identify sensitive data (such as customer credit card information) and help you manage who has access to it among your employees. Why worry about your employees? The Verizon study cited above reported that approximately 25% of data breaches involved internal actors, or someone involved with the business.

  • Computer security software—probably the most robust option on this list—not only provides audit features and file access control, but can also provide maintenance scheduling features and vulnerability reports to some degree.

Pro tip


Don't plan to only react to a data breach with your technology purchase; put proactive safeguards in place as well.

2. Buy data breach and cyber liability insurance

Imagine you own a priceless, heirloom necklace. You put your necklace in your family safe to protect it, and you can rest assured that no one is ever going to get your property, right?

Not exactly. While theft or loss is more difficult due to your layer of security, it can still happen. And if it does, what do you do next? You contact your insurance company to file a claim for stolen goods.

You can, and should, do the same thing for your business's data. Your best defense is to put the right technology in place to keep customer data safe, and also have a backup plan like insurance.

In case of a breach that you can't avoid, it's best to protect your business from the inevitable lawsuits and cost of brand-cleanup that will occur.

Data breach and cyber liability insurance can be reasonably priced for small businesses and are usually quoted by the number of private documents you have stored. There are insurance companies that offer credit monitoring and communication for affected customers, reputation management, and even help with investigations into attacks.

Pro tip


Look for an insurance provider that offers more than coverage of lost revenue.

3. Put a plan in place before a data breach occurs

At this point in technology development and adoption the world over, data breaches are nearly inevitable. Small businesses must start planning for a breach. After all, the best defense is a good offense. Your plan should consist of, at minimum, these three steps:

Create a response and recovery plan

When the U.S. government prepares for cybersecurity attacks, each designated unit writes an action plan for what they'll do if the event occurs. Then, they get together and practice the plan. Even though small businesses can't act on the same scale as the government, there are some good lessons here.

Have each interested party within your business write up their plan in case of a data breach, then spend a day practicing what you'll do. You'll be better prepared for an event that requires a quick response.

Enlist your employees

Your employees can be the biggest offenders of letting data security get lax. Establish rules requiring two-factor authentication and mandatory password resets every month. Since most malware is downloaded when employees open email attachments, provide some best practices training around online safety as well.

Audit, update, and enact

Create a security hygiene regimen where you keep your server software up to date. Make sure you execute on your plan; don't put off your patches until tomorrow. Once each month, audit your website and customer data platforms to ensure everything has the latest security updates.

Pro tip


Data security is not a one-and-done deal. Inject data security best practices into your employee education throughout their lifetime at your business.

What should you plan to spend on data security?

Ultimately, there are many more things that businesses can and should do to protect their data than can be highlighted in a single article.

What we do know is that the potential cost of a data breach is far more than the time and money you'll spend trying to avoid it. The average planned investment for 314 SMBs who have a budget planned for data and information security is $34,000.

Figure: Average SMB planned budget for data and information technology in one to two years

Reported actual or estimated planned spend on data and information technology in the next 1-2 years. Amount reported in $1,000s of USD.

That's a lot of money for any business, let alone small businesses.

Don't worry, businesses with fewer than 11 employees plan to spend, on average, $13,000 on data and information security in the next two years. That's a fair amount, but it's significantly less than the $120,000 or more you'll be out if you suffer a breach and potentially close your doors forever.

A big investment, to be sure, but one your small business needs to make to ensure data security.

Now that you have the basics, it's time to do more research. Start with these articles to increase your small-business data security knowledge:



Capterra conducted this survey in June and July 2018 among 715 U.S.-based SMBs with more than one employee and annual revenue of less than $100 million. The survey excluded nonprofit organizations. The qualified respondents are decision-makers or have significant influence on the decisions related to purchasing technologies for their organization.




About the Author


Tirena Dingeldein is a former Lead Emerging Technology and Business Trends Analyst for Capterra.
