While Reno business owners are working diligently to improve their bottom line through everything from marketing to operations, they also need to focus on protecting their company and client data.
A data breach can be a catastrophic event for any type of organization, especially a small business. Most small businesses think they are shielded from cyber exposure, but a recent report by Symantec revealed that in 2015, more than 30 percent of phishing attacks and 43 percent of all attacks were aimed at organizations with fewer than 250 employees.
No less than Warren Buffett has called cyberattacks the No. 1 threat facing mankind, even worse than nuclear weapons. The FBI’s Cyber Division has observed that there are two types of businesses: those that have been the victim of an attempted cyberattack and those that will be the victim of an attempted cyberattack.
Given this reality, what is a Reno business owner to do, especially a small to medium-sized business that doesn’t have the resources of a Fortune 500 company? The following are some suggested strategies for businesses of all types and sizes to protect their data, their customers and their livelihood.
- Make Cybersecurity a Priority
At every level, business owners must ensure that anyone and everyone with access to the organization’s data is aware of the reality of the cyber threat. Company leadership must make cybersecurity an organizational priority and have a comprehensive prevention and response plan in place to address it.
Employees must be trained to understand the threat, both in terms of how attacks are carried out — most cyberattacks use social engineering, not brute force, to breach a company’s IT systems — and what potential damage can be done. Hackers are increasingly creative and resourceful.
Basic cyber-hygiene, including regular cybersecurity awareness training for every employee, strong password policies, multifactor authentication and anti-virus protections, cannot be overemphasized or too strongly enforced. Within any size business, cybersecurity must be seen as everyone’s responsibility.
- Consult with the Right Experts
While many businesses do not have the resources (or the need) to have a full-time chief information security officer (CISO), it is well worth the cost to bring in a cybersecurity consultant to provide an evaluation of your data systems, recommend best practices that are right for your business, and provide training and periodic testing of your system’s ability to withstand attacks.
When selecting an IT security consultant, look for one with relevant certifications, the most common being Certified Information Security Manager (CISM), as well as practical experience, and ask for and check references. And don’t think a “one and done” approach is adequate.
Expert advice, assistance and auditing should be a regular, ongoing part (and cost) of doing business.
- Does Your Insurance Cover Data Breaches?
If you don’t know whether your insurance covers data breaches, it’s important to get this confirmed. A data breach can damage more than a business’s IT system; it can put employees and customers at risk.
Increasingly, cyber insurance is available to minimize such risks. A cyber insurance policy, also known as cyber liability insurance coverage (CLIC), is designed to mitigate risk exposure by offsetting costs related to a cyber breach or related events.
Consulting firm PwC estimates that about one-third of U.S. companies currently carry some type of cyber insurance. These policies can make sense as a risk management tool, but as with all insurance, the devil is in the details.
Key questions when considering such coverage include: (1) What are the limits of coverage? (2) What deductibles apply? (3) What exclusions apply? In addition to obtaining your own policy, it is important to determine whether your vendors with access to your system(s) also have adequate coverage.
Consult with your business insurance broker on what coverage options are right for your business.
- Have a Multidisciplinary Response Plan in Place and Practice It
It’s one thing to have a response plan, but it is imperative that you put it into play by educating your team on the importance of the plan.
Legendary football coach Vince Lombardi often said, “Hope is not a strategy.” This is certainly true when it comes to your business’s cybersecurity strategy. It is critical to have a breach response plan in place, and to practice implementing it.
Adequate cybersecurity for any business demands a multifaceted, multidisciplinary approach to the threat. This includes having not only expert technological support in the form of a cybersecurity consultant, but also expert legal, government relations and public affairs support at the ready.
You need professionals who know the law, have the necessary industry and government relationships, and have experience managing these circumstances. The reality of a cybersecurity situation for your business is a matter of when, not if. Be ready.
Greg Brower and Michael Rounds are both shareholders at Brownstein Hyatt Farber Schreck and have been practicing law in Nevada for more than 20 years. Go to www.bhfs.com to learn more.