Unless you’ve been so engrossed in your small business that you have not paid attention to the news for the past year, you’ve heard about the large-scale data breaches at Target, Home Depot, Sony, and other mega companies. You would think that these big companies would do more to protect the security of their data, and their customers’ data. After all, they have the resources to do it, and good security is just good business—or is it?
According to a recent post from Benjamin Dean, a fellow for Internet Governance and Cyber-security at the School of International and Public Affairs at Columbia University, those major data breaches did not result in significant costs for the affected companies.
For example, according to Dean, the now infamous Sony Hack (widely attributed to North Korea’s attempt to block release of the film The Interview) ended up costing the company about $35 million, less than 2% of the company’s projected annual revenue for 2014. The Interview is estimated to have grossed approximately $46.7 million, a good part of it likely as a result of the publicity related to the breach.
The larger Target breach, which occurred in late 2013 and exposed over 40 million credit and debit card account numbers as well as 70 million other PII (Personally Identifiable Information) records, ended up costing the company about $105 million, after subtracting insurance reimbursement and tax deductions for breach-related expenses. That is less than 0.1% of the company’s 2014 sales.
The Home Depot breach was barely a pin-prick to the company. The breach resulted in 56 million stolen credit and debit card numbers, yet cost the company just $43 million, $15 million of which was covered by insurance, leaving a $28 million cost—less than 0.01% of 2014 sales.
Dean notes that, given the relatively low impact of breach-related costs on the bottom line, the relatively high impact (in actual cost and increased operating complexity) of implementing more robust security measures, and the fact that most of the risk from financial data breaches is borne by the banks issuing credit and debit cards (credit unions alone claim to have spent $60 million replacing cards compromised in the Home Depot breach), these large companies have very little incentive to do anything significant to improve security.
If these mega companies can so easily weather a data breach storm, can small companies do the same?
Unfortunately, the research says no. According to this infographic, based on 2012 small business security research, 60% of small businesses fail within 6 months of suffering a cyber-attack. That number is even more concerning because studies show that 31% of all cyber-attacks in 2012 targeted businesses with fewer than 250 employees. Additionally, 55% of small businesses with less than $10 million in annual revenue reported experiencing at least one data breach in the previous year, and more than 50% reported experiencing more than one.
While it is never pleasant to contemplate catastrophe, forewarned is certainly forearmed. This post outlines the potential consequences for a small business that experiences a data breach. It covers everything from fines the business may face, to the impact of lost sales from reputation damage and suspension of payment processing accounts, to higher costs of doing business after the breach.
So with the stakes so high, what can small business owners do to implement strong security and protect against cyber-attacks and data breaches?
Start by creating a robust company security policy, making sure your employees both know about it and understand it, and enforcing it. While it might not be fun to be the “security police,” it is important that you, or a designated person in your company, take on the role of managing security. With a single person to turn to with questions, it will be easier for your team to consistently follow your policy as it was intended. PaySimple offers a sample security policy template designed specifically for small businesses using our product for payment processing. Feel free to download it and adapt it for your company.
Part of creating an effective security policy for your small business is understanding the risks your company faces based on the way you typically conduct business. For example, sharing passwords is a highly risky practice. If you know your employees do it, first take steps to make it unnecessary (even if this means purchasing additional software licenses or online user accounts), then create (and enforce!) a firm policy prohibiting password sharing under any circumstances.
The Workplace Security Risk Calculator from the National Cyber Security Alliance can help with assessing your small business security risk. Answer the questions to get a workplace security risk score. The calculator covers password sharing, personal use of company computers, vulnerability to hacking and malware attacks, and more. Each question includes information about the risks related to it, and several resources to help you implement better security are provided with your score. (To find out more about your personal risk for Identity Theft, which can end up impacting your company if you are a small business owner, also try the Online Identity Risk Calculator.)
For more information about protecting your small business from cyber-attacks, data breaches, and other security-related risks, see these TIP posts:
- Does Your Small Business Practice Secure Email?
- Password Paranoia: Is Your “Strong Password” Really as Strong as You Think It Is?
- How To Identify Online Scams, Urban Legends, and Misinformation
- Can You Spot SPAM, Phishing & Other Malicious Email?