Cyber Attacks Are on the Rise for Small Businesses

by John DiGiacomo

Partner

Cyber security is something that small businesses should take seriously. Many small businesses tend to neglect cyber security because they typically do not think that they are a target for hackers. However, the number of cyber attacks made on small business entities has been on the rise for the past five years. A whopping 43% of small businesses have encountered some sort of cyber security threat or have been hacked.

Small businesses make for good targets because they rarely have sufficient resources to dedicate to bulking up their cyber security. For hackers, small businesses can be a treasure trove for gathering customers’ personal data and payment information because more often than not small businesses are using outdated technology, outdated protection software, and poor security practices. Small businesses are often vulnerable to attack, and small businesses that do not make cyber security a top priority are effectively sitting ducks.

Small Business Cyber Security Statistics

According to Symantec’s 2016 Internet Security Threat Report, small businesses are under constant threat from cyber attackers. According to the Threat Report, small businesses are defined as having 250 employees or less. Below is just a sampling of Symantec’s cyber security statistics that are relevant to small businesses.

  • While one out of every two large businesses is at risk of suffering a cyber security attack, one out of 40 small businesses is at risk of suffering some sort of cyber security breach.
  • Hackers often do not just make a single attack on a small business. Hackers usually make multiple attempts to gain access to a small business’s computer systems.
  • Ransomware type attacks against small businesses are on the rise as many small businesses are easily overwhelmed when their computer systems are held hostage by malware.

Phishing is Still Used by Hackers Against Small Businesses

Small businesses are most likely to be hacked through some sort of phishing scam. Oftentimes, hackers aim their phishing attacks at employees whose job functions relate to managing the company’s finances or at employees with access to customer information. Hackers who use phishing scams to gain access to a small business’s computer systems rely on the employee making a mistake, or being tricked into opening an infected email and clicking the link contained inside, or downloading the attached file. Thirty percent of phishing emails are opened by employees at companies, and 13% of phishing emails succeed in having an employee infect a work computer system.

Over time, phishing attacks have evolved to become even trickier; spear phishing has become an increasingly popular type of cyber attack used against small businesses. Spear phishing attacks on small businesses increased a whopping 55% between 2014 and 2015. Spear phishing is where an employee appears to receive an email from a known source, such as a fellow co-worker, a superior, or a third-party business partner, but the email is really a fake designed to infect the recipient’s work computer.

Cyber Security Best Practices

Small businesses are constantly faced with the threat of a cyber attack, and cyber security is going to become more and more important as hackers use more sophisticated hacking techniques. Small businesses need to follow cyber security best practices to protect themselves and their customers’ personal information. They need to give cyber security the time and resources necessary to rebuff cyber attacks and to neutralize cyber threats, or face growing liability.

Legal Liability When a Small Business Is Breached

Many small business owners assume that because they are small, the legal consequences of a data breach will also be small. This assumption is wrong. The same breach notification statutes that govern Fortune 500 companies apply to a five-employee accounting firm or a 20-person medical practice. All 50 states require businesses to notify affected individuals following a breach of unencrypted personal information, and many require concurrent notification to the state attorney general. These notifications must meet specific content requirements, must be sent within defined time windows, and must be accompanied by documented efforts to identify the scope of the breach.

For small businesses that handle health information — including solo medical practices, dental offices, physical therapists, and even certain fitness and wellness businesses — HIPAA adds an additional layer of obligation. A covered entity under HIPAA that experiences a breach of protected health information must notify affected individuals within 60 days, notify HHS, and in some cases notify local media. HIPAA fines for failure to comply range from $100 to $50,000 per violation, with annual caps of $1.5 million per violation category. In 2018, HHS OCR settled with a small cardiology practice — Allergy Associates of Hartford — for $125,000 following a HIPAA breach, demonstrating that small providers are not immune from enforcement.

The Small Business Case for Cyber Liability Insurance

Cyber liability insurance has become an essential risk management tool for small businesses. A standard commercial general liability (CGL) policy typically excludes data breach and cyber incident claims. Cyber liability insurance fills this gap by covering forensic investigation costs, breach notification expenses (including mailing, call center, and credit monitoring costs), regulatory fines where insurable by law, business interruption losses, ransomware payments and recovery costs, and defense of third-party claims brought by customers whose data was exposed.

Premiums for small business cyber liability insurance have risen significantly as insurers have sustained losses from ransomware claims, but coverage is still attainable and affordable for most small businesses. Some policies include pre-breach services — access to a cybersecurity hotline, employee training resources, and incident response retainers — that provide value even if a claim never materializes. Small businesses should have an attorney review any proposed cyber policy to confirm that the coverage is adequate for their risk profile and that exclusions do not swallow the coverage.

Building a Small Business Cyber Defense on a Budget

Small businesses do not need enterprise-grade security budgets to reduce their breach risk materially. A small investment in the right controls produces disproportionately large risk reduction. High-priority steps include:

  • Multi-factor authentication (MFA) on all business email, cloud services, and remote access systems. Most breaches that start with credential theft would be stopped by MFA. Free or low-cost MFA is available through Microsoft 365, Google Workspace, and most major cloud providers.
  • Regular, tested backups stored offline or in a separate cloud environment from the primary systems. Offline backups are the primary defense against ransomware — if you can restore from a clean backup, you do not need to pay the ransom.
  • Endpoint protection software on all company devices, kept current with updates. Unpatched software vulnerabilities are among the most common ransomware entry points.
  • Employee security awareness training focused specifically on recognizing phishing emails, which remain the most common initial attack vector against small businesses.
  • A written data breach response plan that is reviewed annually and that identifies outside legal counsel to engage in the first 24 hours after a suspected breach.

If your small business has experienced a cyber attack, or if you want to assess your legal exposure and compliance obligations before a breach occurs, the data breach attorneys at Revision Legal are available to help. We work with businesses of all sizes across the country. Contact us using the form on this page or call us at 855-473-8474.

This post first appeared on SmallBizClub.com. Image credit to Instant SSL Certificates.