Data Security Breaches: How to Protect Your Business

James Chiodo, Certified Information Privacy Professional CIPP/US

A data security breach can spell financial doom for a company that is unprepared. But if you run a small to medium-sized business (SMB), you may have questions about the consequences of a data breach. For example:

• Does your business need to be prepared?
• Who is responsible for most data breaches?
• What if your business deals with the medical industry?
• How much can a data breach cost your business?
• How can you prevent a data breach?

Read on to learn the truth about data breaches and how to protect your company.

Small to Midsize Businesses Targeted
If you think your business is safe from a data security breach because it’s “too little for hackers to care about,” guess again. SMBs actually face the greatest risk of attack, with more than 3 in 5 cyber attacks targeting smaller companies in recent years. After all, most hackers are opportunists looking for a quick score of valuable data. Why hack a corporation with a huge IT team when it is far easier to hack a dozen smaller operations?

You also can’t fall for the trap of thinking your business won’t be targeted because you don’t save payment information. Hackers will target any type of information they think can be profitable. While financial data is a shortcut to a big payday, social security numbers, addresses, birthdates, and login credentials all have value. One of the most targeted industries is education for this very reason.

But is every data breach caused by a lack of system security? No. In fact, human error is a far more common problem, and this poses a big threat to smaller companies where a budget for tech training may be lacking.

Employee Error – A Major Factor in Data Security Breaches
You have a firewall in place. Every user on your system has to create a secure password. The system still gets hacked. What happened? It may be something as simple as an employee clicking a link in the wrong email.

Untrained employees can easily fall prey to phishing scams whereby an employee’s login credentials can be stolen. If employees are not properly trained to recognize and avoid scam emails, a hacker can easily acquire the credentials they need to hack into your system and make off with sensitive data. Malware is also often downloaded to computers from shady websites and through video ads that are set up as booby traps.

While we attribute data theft to the hacker who creates the malware, the malware can only hurt a system that it is allowed to enter. That means a user is almost always culpable in any hack, even if they did so unwittingly (which is usually the case). Whether an employee is negligent or simply untrained, the result is the same.

Medical practices and hospitals are often targeted. They hold high amounts of valuable data, and IT concerns are usually far down on the budget agenda after medical equipment and other operational costs are considered. Unfortunately, HIPAA laws make deprioritizing data security a huge mistake. The same holds true for any company that saves medical records.

The High Cost of Data Breaches that Result in HIPAA Violations
If you run a medical facility or company that deals with medical insurance and doesn’t carry insurance against a data breach, you may change your mind about that decision in the next few minutes.

The Department of Health and Human Services (HHS) can issue a facility up to $1.5 million in fines per violation per year. In 2014, the average cost of a single patient record loss was $359. Now imagine having thousands of records stolen at a time. We’re talking the potential for millions of dollars in loss from one breach.

For most small to medium practices, that could be the end right there. Remember, a breach can cost more than just the HHS fine. Affected patients must be provided with a credit monitoring service for a period of time after the breach. There may be class-action suits against the company. That means attorney fees and probably a large settlement. You may lose up to 40% of the patients whose data was affected by the breach according to some researchers. Plus, you will need to update your systems to ensure such a breach does not occur again (assuming there is still a company to protect).

The implications of a data breach that results in a HIPAA violation are dire indeed. But the fact is that any data breach – medically related or not – is going to cost a business a lot of money, possibly enough to close down most smaller businesses.

The Costs of a Common Data Breach
IBM helped work on a study that revealed the costs of lost data in 2015. The study showed that the cost of a single lost record increased from 2014 to 2015 alone. The average price tag per lost record now stands at $154. While that is significantly less than a breach that violates HIPAA, you can still see how several thousand lost records can quickly add up to hundreds of thousands of dollars and close down a small business.

The numbers also fluctuate depending on the industry a company is involved with. For example, for retail stores, a lost data record averaged about $165, and that industry saw the largest increase in average cost from 2014 to 2015.

The fact is that each year thousands of data breaches occur, and millions of records are stolen. That adds up to billions of dollars, and your company needs to be kept out of those statistics. So how can you protect yourself from a data breach?

How Can Small to Medium Size Businesses (SMBs) Prevent Data Breaches?
There are several things that can be done to protect data. Unfortunately, SMBs are tasked with doing so on a much slimmer budget than major corporations (which is why they get targeted). While you may not be able to implement all of these processes and procedures instantly, you will want to apply some of the most important ones as soon as you can and continue to add money to the data security budget from here on out.

• Install a firewall, antivirus, and antimalware software – These are your primary lines of defense for stopping an attack.

• Only store what you need – Let hackers be disappointed if they do get into your system. Don’t collect data you don’t need, and don’t store anything that you don’t have to.

• Delete data permanently before discarding old equipment – Hackers don’t need to get into your system if you toss out old computers without using some kind of data shredding software on the hard drive first.

• Use encryption – Email, messaging, and data storage should all be encrypted. The tougher you make it for hackers to get usable data, the more likely they will move on to an easier target.

• Have strong password requirements – Your system is only as strong as the weakest password used by one of your employees. Require employees to use longer passwords that cannot easily be guessed.

• Staff training – Be sure that everyone who has access to your network has been trained to avoid scam emails and shady websites that are riddled with malware.

• Have a plan – What will you do if a breach occurs? Have a plan in place so you can respond immediately.

• Risk audit – Periodically examine your security measures to determine if any gaps exist. Follow up by shoring up weak spots.

• Keep all computers on the company network updated – Operating system, software, and application updates often fix known security issues. Staying up to date leaves fewer openings for hackers. Again, most hackers are opportunists. If you patch known vulnerabilities, they may simply decide to go after a company that hasn’t.
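As an added illustration of the “strong password requirements” item above (example code written for this page, not from the article or its author): a small Python policy checker that rejects short passwords, passwords that are just a common password dressed up with digits or symbol substitutions, passwords containing the user’s own login name, and passwords built from a handful of repeated characters. The 12-character minimum and the tiny blocklist are assumed values; a real deployment would load a large list of known-breached passwords.

```python
import re
from typing import List

# Constructed blocklist for this example; a production system would load a
# much larger list of breached/common passwords (assumption, not from the article).
COMMON_PASSWORDS = {
    "password", "passw0rd", "123456", "qwerty", "letmein", "welcome",
    "admin", "iloveyou", "monkey", "dragon",
}

MIN_LENGTH = 12  # assumed policy value; the article only says "longer"

# Common letter/symbol substitutions people use to "strengthen" a weak word.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def core_word(password: str) -> str:
    """Strip leading/trailing digits and symbols, then undo leet substitutions,
    so that 'P@ssw0rd123!' is recognised as the dictionary word 'password'."""
    stripped = re.sub(r"[\d\W_]+$", "", password)
    stripped = re.sub(r"^[\d\W_]+", "", stripped)
    return stripped.lower().translate(_LEET)


def check_password(password: str, username: str = "") -> List[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: List[str] = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    if core_word(password) in COMMON_PASSWORDS:
        problems.append("resembles a common password")

    # Only check the username when it is long enough to be a meaningful match.
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")

    if len(set(password)) < 4:
        problems.append("uses too few distinct characters")

    return problems


def is_acceptable(password: str, username: str = "") -> bool:
    """Convenience wrapper: True only when no policy rule is violated."""
    return not check_password(password, username)


if __name__ == "__main__":
    # Constructed sample inputs to show how each rule fires.
    for pw, user in [("P@ssw0rd123!", "alice"),
                     ("alice2024horizon", "alice"),
                     ("correct horse battery staple", "bob"),
                     ("short1!", "bob"),
                     ("aaaaaaaaaaaa", "bob")]:
        print(f"{pw!r:32} -> {check_password(pw, user) or 'OK'}")
```

Length is weighted ahead of “complexity” symbols on purpose: a long passphrase of ordinary words passes, while a short word with a capital letter and an exclamation mark does not, which matches the article’s advice to require longer passwords that cannot easily be guessed.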

If, after taking all the possible preventative steps, the unthinkable happens, it is time to enact your plans for dealing with a data breach. Some of the biggest factors in keeping down expense are to assess immediately what data was lost and to be transparent with regulatory agencies and customers throughout the process so as to maintain credibility and reduce liability. A quick response will minimize both damages and fines.

Having security measures in place before such an act occurs will also show clients and regulatory agencies that your company followed best practices when employing security measures to protect important data.

While we all hope never to have to deal with a company data breach, the best thing a business owner can do is take the proper precautions, plan for the worst, but hope for the best.
