This article first appeared in the All About IT column of Vermont Business People in January 2018.
As a small-business owner or manager, you may think your company is too small to be concerned about data breaches and data risk management. If so, you aren’t alone. Sixty-eight percent of business owners surveyed in 2017 by the HR firm Paychex reported that they are not concerned about cyber threats. And to the extent they are concerned, they assume others will feel the pain.
In a recent Harvard Business Review, Alex Blau reported that “many C-level executives believe that their own investments in cybersecurity are sufficient but that few of their peers are investing enough (a belief that, given how widespread it is, can’t possibly be true).”
In fact, data breaches are a serious and increasing threat for small organizations and their leaders. In a recent Ponemon Institute survey of businesses with fewer than 250 employees, 54 percent of respondents reported a data breach in 2016 (this, of course, excludes breaches that went undetected). Travelers Insurance reported in 2015 that 62 percent of data breach victims are organizations with fewer than 500 employees.
So why don’t we pay as much attention as we need to? One reason: It’s hard to estimate the cost of data breaches and the ROI of related investments. Breach costs include cleanup, forensics, lost efficiency, exposure to legal claims, and reputation damage — all of which vary widely from industry to industry and company to company. Still, as difficult as it is to quantify the risks, they are real, and as often is the case in small organizations, we need to rely on estimates and judgment to prioritize efforts.
A good technology risk management plan can reduce the likelihood of a breach, provide the tools to identify security problems when they happen, and minimize the damage caused.
The good news: The same measures that reduce data breach risks also help avoid costly disruptions by improving the overall reliability of information technology, and allow quick recovery from mistakes and failures. Here are three straightforward steps to develop a risk management plan:
1. Evaluate the sensitivity of the various data that you create, store, and modify. Prepare for continued operation during failures and disasters, consider cyber-insurance, and develop written security and incident-response plans.
2. Over time, make changes that manage risk and provide the best “bang-for-the-buck” protection of sensitive information. This includes firewalls, backup systems, patch management, strong authentication, password management, encryption, and replacement of systems that are out of manufacturer support.
3. Cybersecurity is a process, not an event: Assign responsibility to internal or external resources to review logs and provide employees with continuous security awareness and social media training. Proactively maintain and replace systems. Regularly test, review, and improve your security plans to cover new vulnerabilities.
Even the smallest of businesses can do this. Require that someone inside or outside the organization is continually overseeing cybersecurity. Develop a risk summary, commit to small steps each year, and continuously monitor improvement. It will all be worth it when your business escapes unscathed from the latest cyber attack.