Managing cyber security

Published On: October 1, 2015

Don’t fall asleep at the computer.

The recent headlines about Internet hacking and high-profile security breaches have focused on large retailers such as Target, Neiman Marcus and Home Depot, and big banks like JPMorgan Chase & Co. Unfortunately, fraud and financial data losses are not limited to retailers or even to one industry. Small businesses are increasingly vulnerable to cyber crimes, including online identity theft, hacking or phishing.

Today, even with almost every specialty fabrics business involved with some form of Internet connection or storage of data (customer lists, employee information, books, records, job estimates, receipts and tax documents, for example), nearly 83 percent of small businesses do not have a contingency plan outlining procedures for responding to and reporting data breach losses. However, according to the National Cyber Security Alliance, a nonprofit cyber security educational organization, one in three small businesses is a victim of cybercrime each year—with 60 percent of those victimized going out of business within six months.

Protection basics

We correspond through email, transfer important information through the Internet and hold business meetings online. Some businesses have almost reached the “paperless” state, although that’s not as common as was predicted decades ago.

Often overlooked is the fact that any business that takes names, Social Security numbers and other sensitive customer information may be required by law to take all of the steps necessary to protect this data from loss and theft. No business of any size can hope to remain safe from cyber threats if the necessary precautions are not taken in advance.

A data breach or hacking incident can do immediate harm to a business and can lead to a continuing lack of trust on the part of consumers, partners and suppliers. Small businesses should make plans to protect their operations from cyber threats and help employees stay safe online. In fact, it is a business’s obligation to protect the personal data and financial information of customers, suppliers and employees.

Problem times ten

So-called “cyber-hacking” is big business, and no one—not individuals, not small businesses and not large corporations—is safe from attack. In the U.S. most states have breach notification laws, and other countries are following suit. Many of these laws require that written notification be sent to the individuals who have been affected. Even where such laws are not in place, any reputable business should be prepared to provide breach notification.

It should come as no surprise that social media sites can also expose information at light speed with little control. It’s not only a business site but also an employee’s activity on social media sites that can trigger liability, especially if the business is responsible for maintaining the sites. Defamatory statements, leaked information and copyright infringement are growing concerns.

Losing the trust of customers can be much more damaging than the financial loss of repairing the effects of any breach. Even worse, a business can be held liable for the loss of third-party data and face expensive damage claims.

DIY risk management

How to manage these risks? Security experts agree that the easiest place to start is strong password protection. Yes—password protection. Many recently exposed hacking cases have been traced back to weak passwords that were either not encrypted or “salted,” or not changed regularly.

If managing passwords for all of your servers, apps, cloud services, databases, tablets and laptops seems daunting, there are affordable password management professionals and software that will do it for you.

Other tips to help secure data and reduce liability:

  • Install a firewall. There are hardware and software approaches that are inexpensive and easy to use.
  • Conduct regular risk assessments to reveal hardware, software and individual site vulnerabilities.
  • Computers used for sensitive applications, such as making bank deposits or transfers, should be isolated from the rest of your network.
  • Control access to data, which means limiting delivery and exchange of customer, supplier or employee-related documents and information to secure channels.
  • Install anti-virus software and use it. There are a number of popular packages, most relatively inexpensive. Although free updates are usually included, make sure to update the program regularly or, better yet, allow the software to do so automatically.
  • When an employee or contractor who has had access to the system leaves your employ, make sure their passwords are no longer usable. Many employers lock an employee out of the system just before or at the same time as the termination.
  • Create and implement a data security plan that includes immediate notification of all affected parties. In many cases, it’s the law.
  • Share the liability by demanding similar protocols with suppliers and checking for compliance.

Insurance to the rescue

Little business data is typically covered under today’s insurance policies. Admittedly, some business insurance policies might offer general liability protection. Directors and Officers (D&O) liability may, for instance, provide a measure of coverage in these areas. Unfortunately, as the risk escalates, it is only after a hack attack that many professionals discover what is and what isn’t covered by their insurance policies. By then, it’s too late.

A business interruption insurance policy rarely helps in the event of a system failure caused by a malicious employee, a computer virus or a hack attack on the business. But while few so-called “umbrella” policies or blanket liability insurance policies cover these types of losses, a relatively new type of policy, cyber liability insurance, has been available for almost 10 years, although it is rarely purchased.

Cyber liability insurance covers hacker attacks, viruses and worms that steal or destroy a business’s data. Even email or social networking harassment and discrimination claims can be covered, along with trademark and copyright infringement. This kind of insurance will often cover the loss of profits due to a system outage caused by a non-physical peril such as a virus or attack.

When looking into cyber insurance, common sense dictates that all potential risks should be covered, including laptops and mobile phones. Because portable devices make it much easier to store and to lose information, a missing USB stick, a stolen iPad® or a laptop left in a taxi are all real possibilities for losses, and, for a hacker, can be a gold mine.

A good insurance company will ensure a policy holder has all the protection possible, including helping to make sure a firewall is in place to protect the network and creating social media policies that reduce risk. Even if data is stored in the cloud, a business may still be liable for a breach. Although controlling how a cloud provider handles the business’s data is almost impossible, cyber insurance can protect any operation from those mistakes.

While many large corporations have risk management budgets, most hack attacks target operations with fewer than 250 employees, a group that sometimes lacks the financial means to cover the fines and lawsuits that often result from breaches or data losses, or to stay afloat throughout the process of cleansing the system and regaining customer trust.

Hacking threats

Data breaches or hacking incidents can harm any business. If you transact business online, your company should have a cyber security plan that includes keeping computers “clean,” protecting information, changing passwords frequently and using good anti-virus software.

Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. Businesses, even independent small specialty fabric products businesses, are increasingly in their crosshairs and need to use every protection strategy available to combat the growing cyber threat. If you don’t have an IT department, or even an IT person, consider contracting for these services to receive regular security assessments.

Mark E. Battersby, based in Ardmore, Pa., writes extensively on business, financial and tax-related topics.