Guest post by Attorney Martin McKenzie
Hardly a week goes by when we don’t read or hear about a cyber-attack against a large business. But small businesses are at least as vulnerable to hackers, perhaps more so. That’s because small businesses have information that would be valuable to steal, but are less likely to be as careful about information security.
In part, this is because small businesses often underestimate their risk level, assuming that they are not targets because, in their estimation, they aren’t worth the effort. But if your business takes credit card payments from customers, maintains computer records of current and past employees, etc., you have exactly the kind of information that draws the attention of hackers. In the great majority of cases, cyber-attacks seek to acquire such sensitive information in order to support identity theft or other criminal schemes. Cyber extortion, often through the use of “ransomware” that takes control of a computer system or its data and holds it hostage so the attackers can demand payment from their victims, is also a fast-growing problem. Further, if you do business with a larger company, a customer perhaps, hackers might seek to exploit vulnerabilities at your company to try getting past the larger one’s defenses.
Finally, your business may be subjected to regulations that could be very costly in the event of a security breach. For example, the Illinois Personal Information Protection Act imposes on any business that collects personal information, the obligations to take reasonable steps to prevent the unauthorized disclosure of that information, and to timely notify any affected person of a breach. What constitutes “reasonable steps”, however, is not defined.
So, how can you prepare your business to reduce the risks that these threats pose? Generally speaking, there are three ways that you should consider protecting such valuable information, as well as your company.
Security Solutions –
These can be a combination of software or services to protect against electronic threats, whether those threats are manifested as malicious software (malware), unauthorized access to a computer or network, or social engineering/phishing, that uses fraudulent (but authentic looking) e-mail or websites to induce an unsuspecting recipient to reveal sensitive information. Any security solution should also implement a data backup component, so that any information lost in a breach can be quickly restored and put you back in operation as fast as possible.
Cyber-security Insurance –
Even if your company carries general liability insurance, it is unlikely to include coverage for losses related to a data breach. While more carriers now offer cyber-insurance policies tailored to small business, those coverages can vary widely and should be reviewed carefully to make sure your company has the appropriate coverage for both your budget and risk-exposure requirements. You should look for a combination of first and third-party coverage, so that your company is protected against both its own direct losses, as well as any affected third party that may sue you over a data breach.
Best Practices –
These are a combination of policies and procedures to reduce your risk, beginning with keeping computers’ software up to date with security patches. Drafting, enforcing, and periodically testing security policies regarding appropriate use of company computers and third-party devices (including smart phones that can get access to your company’s data), and ongoing education about how to reduce the risk of infiltration and recognize the signs of a breach.
The threats faced by small businesses to the sensitive information stored on their computers and networks are evolving, and growing daily. Managing this risk requires planning and expertise to identify and apply an appropriate solution to the threat level. DregerLaw has experience in proactively advising business owners in how to prepare their company against the risk of cyber attacks. To schedule a consultation and evaluation of your cyber risks, contact DregerLaw today.
Copyright, 2016 Law Offices of Martin J McKenzie, Ltd.