Startups and small businesses might discount their exposure to cyber liability issues because they do not have the depth and volume of information that is maintained by larger and more established companies. Verizon’s 2013 Data Breach Investigation report, however, contradicts this perception. A key finding in that report indicates that almost two thirds of all data breach attacks are aimed at small businesses.
For a variety of reasons, almost 90% of all startup businesses fail within their first year. A startup can control many of the causes of failure, including by procuring cyber risk insurance to protect against financial losses associated with a data breach attack. Startups can enact other policies and procedures to ward off a business failure, including:
- Establish guidelines for data sharing between personal and business devices that employees use to access the startup’s network.
A startup should carefully monitor and control its data security and encryption practices when it allows employees to use their own personal devices to connect to the company’s network. Those devices can pose a significant cyber attack risk, even to larger companies that have established robust data security procedures.
- Enforce effective data and privacy practices.
Data and privacy practices are an extension of personal device guidelines. Startups need to regularly monitor and analyze unusual data events, control applications and email, watch for inconsistencies in cloud data storage and web applications, and protect against malware incursions. Cash-starved startups might place a low priority on these tasks, but data or privacy losses can cost far more in the long run and can be the primary contributor to a startup’s failure.
- Perform penetration tests.
Startups that do not have the resources to devote to elaborate cyber security measures can perform regular penetration tests to simulate potential cyber attacks and to identify weaknesses in their networks. Penetration test components might include launching a series of phishing emails to determine how much information would be divulged by careless employees, or infecting networks with malware replicants to determine whether the networks would release confidential data or other information in response to malicious code. A number of third parties offer relatively low-cost network penetration testing services.
- Create a data breach response plan.
A common axiom for all startups is to hope for the best but prepare for the worst. That preparation should include a data breach response plan that the startup can implement immediately upon detecting an unauthorized incursion into its network. A good plan will revolve around three priorities: understanding the startup’s data breach risk factors; assessing the type of information that the startup collects, uses, stores, and transmits; and developing the best incident response plan that incorporates those first two priorities. With respect to the first priority, a startup’s risk factors will typically involve its people, processes, and technology. Its information can run the gamut from superficial employee, customer, or vendor data, to detailed personal or medical files. Lastly, a good incident response plan will establish procedures to determine the data breach source, to assess the scope of the damage, to formulate response and protection plans going forward, and to resolve problems that arise with victims of the breach.
- Invest in cyber risk insurance.
No set of controls can provide absolute protection against data losses and breaches of a startup’s networks. A startup that is the victim of a successful cyber attack will likely lose its clients, expose itself to ruinous lawsuits, and be faced with the embarrassing reality of having to communicate the situation to hard-won vendors and customers who placed their trust and faith in the startup. Insurance will not rebuild these relationships, but it will give the startup a financial safety net that it can use to begin the process of re-establishing itself as a trustworthy business partner.