Companies, such as Target, Home Depot, and Michaels—to name but a few, have made a lot of big data security blunders lately, and they've made equally big headlines for those mistakes, as you can see here, here, and here.
These companies remain in business because they're far too big, with far too many lawyers, to let a data breach (even a major one) send them to bankruptcy. Small businesses generally lack this luxury and one data breach—even a modest one—could completely disrupt a small business's operations. A major data breach could kill the business entirely.
In addition to data security breaches, data compliance concerns haunt many small businesses, especially those in highly regulated sectors or that have government contractors for clients.
4 Small Business Data Security Mistakes
Clearly, small businesses face daunting challenges in today's breach-prone world, but there are ways to mitigate the risks. Let's take a look at four of the most common data security errors that small business owners should avoid.
1. Lax Personal Email Policies
You don’t need to look further than the email scandal that has enveloped 2016 Presidential hopeful Hilary Rodham Clinton to appreciate the value of adopting—and enforcing—an effective policy on personal email use at work. Last month found Clinton center stage in mainstream media—and not in a good way—after The New York Times broke a story about her work email habits during her tenure as U.S. Secretary of State.
According to The New York Times and subsequent reports by other outlets, Clinton exclusively used her own personal email address—hosted on her own personal email server, located at her home in Chappaqua, N.Y.—for all of her official Department of State email correspondence and other emails containing sensitive government information. Reportedly, some of Clinton's aides also used her private server to conduct official government business over email.
Politics aside, the scandal highlighted the data security, privacy, and compliance concerns that come with commingling personal email use with workplace correspondences. An employee's personal email may be less secure and more easily hacked than his employer's systems. More distressingly, divulging customer information over systems not overseen or controlled by the employer may violate data privacy regulations (particularly in highly regulated sectors) and, consequently, result in a substantial fine or worse.
In addition to simple policy and training to help prevent such a shadow IT disaster, a small business should set up its employees' company-approved mobile devices to help prevent an inadvertent mix-up between different email accounts.
2. Draconian Personal Email Policies
On the other hand, trying to regulate how employees use their personal email can be a double-edged sword; overzealous small businesses might employ tactics that could be a step too far from a compliance standpoint.
You may be tempted to monitor an employee's personal email use on a company-owned or company-controlled device. If the employee transmits or receives legally protected data from his or her personal email account, however, your company could be on the hook for a host of data privacy law violations. For instance, your company may commit a HIPAA violation if those monitoring measures snag employee medical information, according to attorneys at Buchanan Ingersoll & Rooney, P.C.
3. Ignoring the Cloud's Fine Print
The cloud can make running your business easier, but that cloud-enabled simplicity may turn into a storm of troubles for the small business that throws caution to the wind when it comes to a cloud contract.
A typical cloud service-level agreement (SLA) can contain numerous gotchas for the unwary—involving compliance issues, data security and privacy risks, and more.
For example, if you store customer data in the cloud, it can be a difficult task to track, let alone assure, where a particular client's data "lives" geographically in the cloud. This creates uncertainty about which sovereign states' laws and regulations your clients' data may be subject to. It is important that your cloud provider SLA spells this out, so that you can assure national and international compliance and mitigate any potential liabilities.
For certain regulated industries (particularly healthcare and financial services), small business owners should make sure that the cloud provider properly complies with all relevant laws and standards. For example, many cloud providers are not SEC-compliant—and many of those that claim to be are only incidentally so (and as such may not guarantee their compliance).
A good SLA will also address and mitigate the risk of data compromise—including details on customer notice in the event of a data breach or data loss. For added prevention against data compromise, a savvy small business will ensure that it—and not the cloud provider— holds and controls encryption keys for its cloud-stored data.
Even performance assurances in an SLA need to be carefully reviewed. A contractual guarantee of 99.9 percent uptime still leaves room for nearly nine hours of downtime every year. Besides that, cloud providers may define "uptime" and "downtime" differently from how their customers might define it. They may not count certain types of downtime (such as planned downtime) against the contract, or separate some cloud-related services from uptime guarantees. Worse, many cloud providers' standard SLAs provide for no significantly meaningful penalties should they fail to meet their uptime obligations.
The bottom line, then, is that you need to read, understand, and (as applicable) properly negotiate every cloud contract before signing it—just as you would any other business contract.
4. Failing to Insure Valuable Data
Data compromises can be devastatingly expensive. Last year, the Ponemon Institute reported that the average cost of a data breach to a company increased 15 percent in 2013 to $3.5 million. The above-average data breaches are much worse; Gartner has indicated that more than 90 percent of companies that suffer a major data loss go out of business within two years (about half of that figure immediately so). Obviously, small businesses are much more sensitive to these liabilities than are larger enterprises.
Therefore, a small business should insure its valuable, mission-critical data—to do otherwise is nothing short of foolhardy. Fortunately, cyber insurance is rapidly becoming ubiquitous—particularly as major enterprises fall prey to a plethora of high-profile cyber-attacks.
Of course, as with cloud contracts, small business owners should carefully examine their general "umbrella" insurance policies, as well as any proposed cyber insurance policies, to assess what they cover—and ensure adequate coverage.
Joe Stanganelli is a writer, attorney and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|