Data breaches are a universal concern for small, medium and large businesses today. The breaches that are most publicized are the ones that hit international corporations like Target and Home Depot, but any company of any size can be targeted. In fact, over 50 percent of companies targeted for data breaches have under $500 million in revenue, and 25 percent are under $50 million! In 2014, a whopping 60 percent of cyberattacks targeted SMBs!
Assuming that being a smaller business makes you a less attractive target to cybercriminals is a dangerous mindset, one that will leave you completely off guard if and when you are eventually breached! Read below to understand the common causes of data breaches, the implications they could have for your company, and how you can plan to prevent one today.
How Are Companies Breached?
It might surprise you that in 2016, the most common industry targeted for data breaches was health care (23 percent). Retail, where most major newsworthy data breaches occur, was only the fourth most targeted industry, with 12 percent of attempted or successful data breaches. Rounding out the top three most targeted industries were financial services (18 percent) and education (16 percent).
You might ask how these companies are being breached. Well, it’s not an elaborate force of specially trained cyber criminals. In fact, in most cases the attacks take advantage of simple security and policy issues. Just take a look at the eight most common causes of business data breaches:
- Weak or stolen credentials (passwords)
- Backdoors and other application vulnerabilities
- Social engineering (phishing)
- Too many permissions (people have access to sensitive information or systems they don’t need)
- Insider threats
- Physical attacks
- Improper system configurations (user error)
Most of these attacks are preventable through measures such as password complexity requirements, multi-factor authentication, up-to-date system and application patches, and proper antivirus and anti-malware protection. However, if you are uncertain of how your company is protecting against any of these attack vectors today, it’s time for a serious sit-down with IT!
The Impact of a Breach
Could your business survive a data breach? The odds aren’t great for SMBs: the U.S. National Cyber Security Alliance found that 60 percent of small companies were unable to sustain their businesses just six months after a cyberattack! This is not just because of the direct costs of a data breach (such as litigation, vulnerability remediation and notification of the breach), but because of the indirect costs that hide below the surface of every data breach, which could be as much as 95 percent of the costs related to the breach! “Below the surface” costs include things like raised insurance premiums, loss of current or prospective business, decreased company valuation, and all the time spent managing the breach and its effects instead of running the business. For a small business, costs average $36,000 – $50,000 per breach, but this is only the “above the surface” portion. With 95 percent being below the surface, you can see how quickly things add up.
Given the risks and the real extent of the costs associated with a data breach, it’s important to talk about the necessary steps you should take to protect your company. First, you need to treat cyber security as the business risk it truly is. It can be much more devastating than losing your best customer, or than a new competitor in your market. It has the ability to halt a company in its tracks, and in most cases, close it down completely. Once you understand the real threat, it is time to have a business conversation with your IT team about identifying and protecting your most critical data. Here are the key questions to ask to close any gaps with your IT team and protect the business:
- What kind of data do we have?
- Where is our data stored?
- What data or systems would have the most negative business impact if they were compromised?
- What are we doing today to protect the data and systems?
After identifying these aspects of your business IT strategy, ask your IT team where they stand on core (the essentials), intermediate (“above and beyond”), and advanced (specific to your business and industry requirements) measures to protect your data. Identify any gaps in protection, and ask what you can do to help them get the critical protections you’re missing in place as soon as possible.
Also, examine your internal policies as they relate to data. Do your employees know what data is critical? Do they know how to manage that data? Do they know what to do in case of an issue or a breach? Are they following basic security requirements? All of these are critical in protecting your business from online (and offline) threats.