Eighty-five percent of small business owners feel that their cyber security is adequate, according to a recent survey. However, that sense of security may be a false one, as two out of three businesses have been victimized by a data breach or cyber security incident, according to a national preparedness report recently released by the Federal Emergency Management Agency.
“There’s a false sense of security out there by business owners,” says Jason Corrado, commercial insurance advisor for First Commonwealth Bank. “They believe that it will never happen to them or that they are properly protected, but things are changing so quickly that more times than not, that is not the case.”
Smart Business spoke with Corrado about the cyber threats facing businesses and how to prepare for them and protect your business.
Why is cyber security so important to businesses, especially mid-sized ones?
Look at where technology has gone. Think about where we were 10 years ago, where we were five years ago and where we are today as far as the transfer of electronic data, customer information, etc. And it’s only advancing faster and faster. It’s an important subject, especially now, because many businesses have been slow to realize the severity of the risk they face, and 40 percent of businesses don’t even back up their data.
As larger companies — such as Sony and Zappos.com, which have had data breaches — take this more seriously, they are investing time, energy and money into protecting their clients’ information. As a result, hackers will pursue the low-hanging fruit — the smaller and mid-sized businesses that haven’t invested the time and energy into security because they don’t think they have the resources.
What are some of the risks that employers face?
There are the obvious ones, such as hackers who find weaknesses in software and electronic systems to gain access, sometimes with the aid of malicious code such as viruses, worms and Trojan horses. Cyber extortion, in which someone will hijack your website and hold it hostage until you give them X, Y and Z, is also increasing.
However, there are other risks you might not think about. If a company allows its employees to take laptops with them on the road or home, and one of those is stolen, what happens to the data on there, especially if it includes sensitive customer information?
Another risk is your Wi-Fi network. Have you taken steps to make sure it is secure? It sounds simple and you may assume that most people do so, but as many as 50 percent of businesses have open Wi-Fi networks that can be picked up by a smartphone, making them easier to hack.
What steps can a business take to combat exposure?
The first step is risk assessment. If you have a website, if you do business online, you need to figure out what your exposures are, and if you don’t know, then enlist the help of someone who does. What kind of data are you capturing from clients? Where are you storing it and how are you backing it up? If you don’t understand your risks, you can’t eliminate them.
Risk management is the second part. Put together an IT risk management plan, which is a formal written document that addresses the scope of the plan, the roles employees in your company play, the responsibilities of individuals and departments, compliance criteria, how you’ll tell customers if there is a breach, etc.
The plan outlines what you can do to prevent cyber attacks. You can train employees on cyber security; install and update anti-virus and anti-spyware software on computer systems; check your Internet firewalls; make sure software and systems are up to date; back up and make copies of critical data; and control physical access to computers by ensuring employees use the proper passwords and don’t leave terminals or laptops open.
You can also take smart business steps such as evaluating your Internet service provider. All service providers are not created equal, so beyond getting you on the Internet, what does it offer to reduce exposure with security and privacy?
Once the IT risk management plan is in place, you need to hold all employees, including yourself, accountable. Sometimes owners and officers are the biggest offenders for not following proper procedures where data is concerned. You also need to review your plan annually, or when you make significant changes to the systems that you are operating.
Aside from an IT risk management plan, are there other ways to manage your risk?
You can identify all the exposures that are out there and get a plan in place, but risk financing can also act as a backstop if your prevention measures fail to protect your company.
With cyber liability insurance, you pay a premium to an insurance company to help you in case something does happen. If your systems are hacked and you’re down for a couple of days or you lose data, the insurance will protect your company’s assets and help you recoup costs. Cyber liability insurance also will protect you if one of your employees sends an email with a virus and a third party’s system gets infected. In addition, you can use business interruption insurance to fill the gaps of lost revenue if a cyber attack stops you from conducting business.
By using risk assessment, risk management, risk prevention and risk financing together, even mid-sized businesses can hedge against cyber attacks.
Jason Corrado is a commercial insurance advisor for First Commonwealth Bank. Reach him at (724) 934-4569 or Jason.Corrado@fcfins.com.
Insights Wealth Management is brought to you by First Commonwealth Bank