By Anthony Cammarata Jr.
It is rare today to read the daily news without seeing yet another instance of a large company experiencing a major data breach or hacking and consequently facing the threat of high-cost litigation. What many overlook, however, is that small businesses are just as susceptible, if not more, to the risks of cyberattacks. A recent study conducted by the National Cyber Security Alliance found that almost 50% of small businesses have been victims of a cyberattack, and that more than 70% of all attacks target small businesses. Even more concerning, the study found that approximately 60% of those small and mid-sized businesses that suffer a cyberattack go out of business after just six months.
There are five primary concerns that all small business owners should consider in order to be better prepared for the threat of cyberattacks:
First, while it can sometimes be difficult and expensive to institute the types of technological barriers needed to fully prevent cyberattacks and data breaches, a small business owner can take one important preventative step by training his or her own employees to reduce the risk dramatically. Despite advances in technology, humans continue to be the biggest security threat to businesses of all sizes and industries. There are cases of employees intentionally abusing their access privileges, hampering the company's security in the process and causing a huge loss. However, an employee with malicious intent is not always behind cyberattacks, and in fact cyberattacks affecting small businesses are most often a direct result of simple human errors. To overcome this security concern, small businesses owners should adequately educate and train their employees on the basics of cybersecurity and include data and cybersecurity policies in all employment and independent contractor agreements.
Second, conducting periodic tests and simulations of a cyberattack can be a valuable method of identifying weak links in your company's cybersecurity systems. We all remember participating in fire and weather emergency drills in grade school. These drills provide school administrators useful information on how teachers and students respond in these emergencies and expose potential vulnerabilities in their emergency preparedness systems. This same model can be applied in your small business to prepare for and prevent potential cyberattacks. For example, "phishing" is a type of scam in which an electronic communication that appears to be from a legitimate source is sent to obtain sensitive information such as usernames, passwords, and customer data. Periodically sending phishing emails to your employees is a simple measure to investigate if any are susceptible to click a fake link, open a potentially dangerous attachment, or unwittingly provide sensitive information.
Third, small business owners should thoroughly vet their web hosting, credit card processing, and other network solutions providers, particularly if those companies maintain any sensitive customer information. I have represented clients in the past that had adequate internal cybersecurity systems in place at their own companies but were nevertheless exposed to the risk of litigation because of data breaches at their providers' companies. Small business owners should reduce the possibility of facing privacy lawsuits from their customers by making sure that their providers are competent. Do not hesitate to inquire into the cybersecurity measures the provider itself has in place to safeguard sensitive customer information. Likewise, in the unfortunate event that you receive a notification of a suspected data breach from your provider, regardless of the assurances the provider may deliver, contact your attorney or IT professional immediately so that you may formulate a plan to properly address how the breach could affect your company.
Fourth, it is a good idea for small business owners to acquire cybersecurity insurance to reduce the damage of a potential cyberattack. Most general liability insurance policies will not cover losses or legal fees associated with data breaches, thus a separate policy to cover these types of damages could be advantageous to small businesses that can afford it. Such a policy should cover general costs incurred by your company after a breach, including public relations campaigns and business interruption expenses, as well as legal fees from potential lawsuits if sensitive customer information is compromised.
Finally, small business owners should establish a system and plan to move forward in the aftermath of a cyberattack. If your business were to become the victim of a cyberattack and it suddenly lost access to its website, email, work logs, accounting sheets, or customer data, how quickly would you be able to get back up and running again? Most businesses that fail and go out of business after a cyberattack do so because they do not have systems in place for accessing their data and applications after such an attack. It is imperative that small businesses maintain regular offline backups of vital company data, stored in multiple locations.
If you own a business, it is important for you to take the time to talk to a lawyer and IT professional to review the technological and logistical measures you can take to reduce the risk of exposure to cyberattacks and data breaches, and to develop an effective cybersecurity strategy that works for your company.
Anthony Cammarata Jr. is an associate attorney with Flint, Connolly & Walker, LLP currently assisting clients in various corporate, civil, and transactional matters. He is experienced in a range of legal issues affecting business owners and companies and has dedicated a significant amount of time researching the effects of the COVID-19 situation on his clients.