The world is awash in stories about corporate data hacks, leaks and other intrusions. Most headlines focus on global companies with substantial consumer interaction. Likewise, most stories focus on the harm done to consumers when their financial information is taken from those companies. And the coverage paints a picture of outside “bad guys” hacking this consumer data from these companies.
All that news is accurate, but it does not tell the whole story about data protection.
If you watch the news, you might think that smaller companies and companies that don’t use a lot of consumer financial information have nothing to lose from a cyber perspective and nothing to gain by planning for cybersecurity. Reality is very different. There are many reasons to consider what data your company holds and how to protect it. A smart combination of policies and planning can help secure your corporate information and make it easier and less costly to respond to incidents you do suffer.
Showing that you are prepared is increasingly a requirement of your customers, investors, employees and potential acquirers. Having security processes and incident response plans in place benefits your bottom line. It keeps valuable material yours, minimizes the costs and exposure that flow from incidents, helps meet customer needs and expectations, and positions your company for investment and assistance from outside sources.
All companies hold valuable information. It may be data about consumers, employee health and financial data or the company’s own intellectual property, trade secrets and confidential material. For most companies, it is a combination of these. Because this material is held on computers and connected devices, it is vulnerable to loss, theft and compromise.
Who Is a Threat?
Although hackers get headlines, most incidents result from an employee's accidental or deliberate release of company materials. Also, although you may think small companies are not attractive targets, hackers increasingly go after them. Small companies are likely to respond to a ransom demand: they often have neither insurance nor usable backups of their data, so they pay to stop an attack from paralyzing their networks. Finally, third-party service providers create vulnerabilities. If their systems are compromised, the effects on your company are just as complex and damaging as if it had suffered a direct loss, and depending on your contract and the provider's insurance, the costs may fall on you.
When an incident happens, the result is chaos, disruption, lost work and great expense. Even where a company loses no consumer information, the consequences of an incident can be crippling. Data may be lost or inaccessible. The network may fail. Someone must determine what happened and whether it has been contained. The company must figure out what information was involved, how sensitive it is and, where possible, who obtained it. After that, the company must decide whether it has any legal duties to notify employees, customers, business partners or regulators. If the information was purely internal, the company will still need to assess how harmful its loss is to the business. There may need to be internal communications and external public relations, and human resources and legal investigations in addition to the IT investigation. The whole process can take weeks.
Even a small incident can cost a company's executives weeks of time. Insurance may offset direct costs and some indirect costs, but not all costs are covered, and they add up fast. Even 100 affected persons can mean tens of thousands of dollars in investigative and legal fees. That is not a daunting prospect for a large company, but it can be devastating for a smaller company, and more so for one that lacks insurance.
Outside actors, internal behavioral issues, technology failures and more can create points of security failure. Any company can devote a modest amount of time to planning for its protection, security and incident response. These exercises do not have to be complex, expensive or intimidating. They can be as simple as surveying, with outside support if needed, what kinds of information your company holds and who has access to it, then adding low-tech protections in the network and training employees.
Many incidents can be avoided or mitigated with simple practices, including password and encryption requirements, confidential-information policies, and network access and update policies. Adding an incident response plan and a cyber insurance policy helps if an incident does occur.
These measures are not just smart risk management tools; they are smart business practices. Purchasers and investors are adding cybersecurity requirements and assessments to their due diligence. Commercial customers now require cybersecurity measures in services and consulting agreements. Insurance coverage and pricing may depend on cyber planning and network security.
The world is changing. Data privacy rules in the EU are forcing a broader look at what is considered “personal” information and what companies must do. Employees’ work email, photo ID, phone number and more are considered personal data and may not be used without a proper legal basis. Even if you do not have European employees, your customers might, or they might have clients in the EU. Being able to meet those new legal requirements is an important part of employee relations. Anticipating customers’ compliance requirements will be an important part of customer service for B2B companies. And it will be a brand differentiator for B2C companies to be able to say “we meet the higher standards used in Europe”—even if they don’t serve European consumers.
In short, the demands of business are changing. Cyber planning is no longer just for companies with vast resources. It is a smart investment that can grow the resources of the company.
Mitzi Hill is a partner at Taylor English, where she focuses her practice on data security and privacy.