It is all too easy to coast along and not worry much about your IT security simply because you’ve not had any big problems to date. It’s shocking how many companies seem to think that the out-of-date antivirus software on their computers is providing the protection they need and/or that no one would be interested in getting into their small business systems.
Of course, data breaches often make the news headlines like when Medvet and Defence here in Australia were hacked. But the stories reported tend to be about attacks on big companies where the results are losses of millions of dollars or the theft of thousands of people’s ID or financial information. So small to medium business owners are lulled into a false sense of security that their IT is safe – that they’ve nothing worth stealing and so why put an expensive security plan in place?
Security for small business
Smaller businesses suffer most from data breaches and have the most to lose. In 2014, Australian businesses experienced 47 discernible cyberattacks per week. Most of these related to viruses, worms, trojans and other malware, such as malicious code attacks. And such attacks cost money. The average loss for Australian businesses was $8.3 million a year according to a 2015 survey by the Ponemon Institute, which looked at 30 benchmark Australian businesses.
The truth is that while a good security system for your IT and data may seem like an expensive proposition, it’s going to cost you a great deal less than an attack will. Just look at the costs, in the Ponemon Institute’s findings, of firms which deploy security intelligence technology against those which don’t. The findings covered the six activities involved in resolving a cyber attack: recovery, detection, containment, investigation, incident management, and ex-post response. The figures showed that organisations with a Security Information and Event Management (SIEM) solution in place save up to $1.9 million a year.
Can your company afford to lose money?
Other costs for companies that have been breached are those involved in detecting that a data breach occurred and where, escalation, and the costs of notification. Meanwhile, organisations with technologies such as an Intrusion Prevention System (IPS) and Next-Generation Firewall (NGFW) boasted a 21 percent ROI result. So in the long term, with cyber-attacks increasing all the time, a good security plan will pay for itself.
Data Breach Notification Laws
Things are now more expensive. Australian businesses can no longer keep quiet about data breaches. On February 22, 2018, the Privacy Amendment (Notifiable Data Breaches) Act 2017, which requires organisations to disclose data breaches to their clients, came into effect. How much you end up paying out will depend on how large the data breach was and the type of data that is compromised – it could run into thousands of dollars depending on how neglectful of security your company has been.
Of course, downtime and loss of money are just the immediate effects of a data breach. In the long-term your reputation and future custom could be at stake. People are doing more and more business shopping online, buying a huge range of goods and services, and they want to know that when they hand over their precious data to you that it is being held securely and that they are not at risk of identity theft.
The consequences of a data breach can make angry customers turn to social media to vent their anger, contact their local representatives or regulators and in the case of larger breaches talk to the press. These are all actions that could be a death blow to a small company or cause a huge drop in share price for larger public companies. In addition to this, a loss of reputation and trust may take years to recover from and more money will then have to be spent investing in media and marketing to win customers back.
We can’t emphasise enough that your customers’ trust is often linked to sales and personal data, so you need to ensure such data is protected and that cyber attacks are detected before they compromise your systems. Here’s what you need to do:
1. Carry out security awareness training
Every member of your team who has access to your IT system or who works online needs to know about the risks out there and how to reduce them. You need to cover everything from disposing of old computers and hard drives, correct use of USB sticks and accessing company networks over insecure Wi-Fi, to who you let into your server room. People often prove to be the weakest part of any IT security, and the more training they have the fewer risks there are. Make sure people only have the information they need to do their work, and put security policies in place for the different levels of your organisation.
2. Penetration testing
Penetration tests, using methods similar to those attackers use, can be carried out by IT security experts who can find where the weaknesses in your systems might be and tell you what improvements you need to make to reduce the risk of breaches. Such tests are vital for any company dealing with sensitive financial data.
3. Security software
Of course, most organisations have firewalls and antivirus, and these need to be updated and patched regularly. But even when you are using the latest versions of such software, they should only be seen as one part of your security apparatus. Training and testing are still vital.
4. Cloud data protection
Make sure that your cloud data protection software handles encryption, deploys user analytics and gives real-time visibility into your applications.
Ask yourself if your company could afford an IT breach and its after-effects. As a small business owner, it could cost you everything you’ve worked for. Surely the more sensible business decision is to invest in a dynamic and intelligent data protection system to block cyber criminals, utilise penetration testing and ensure you have extensive and regular staff training.