Content posted by Built In Chicago written by CNA's Kirsten Charlton and Chad J. Layton, Segal McCambridge Singer & Mahoney
Imagine you're preparing for your second round of funding and Brian Krebs calls you asking if you were aware your company had been hacked. Your first question, inevitably, is "what do I do?" and your next thought, "what could I have done to prevent this?"
The news that yet another company has been victimized by a cyber-attack comes almost daily. While hacks against large companies such as Sony, Home Depot, Target and the like are the cyber-attacks that capture headlines, the reality is that hackers more frequently target smaller businesses. According to industry data, a staggering 60% of targeted cyber-attacks are against small or mid-sized companies. A more sobering fact is that, due to the significant expenses incurred by a business following a cyber-attack, almost 60% of small businesses that suffer such an attack are forced to shut down.
Small tech companies and start-ups simply cannot ignore the reality of this impending threat, especially those companies that handle high-value data. Best practices dictate that, to best prepare for a breach, there are several steps that a company can and should proactively take now to minimize the risk of a cyber-event later and, at the same time, strengthen your case for funding.
Costs of a Hack
Common belief is that it's not a matter of if a company will get hacked, but when. Hackers will target any company – large or small – if that company stores or maintains data that is of value. It is critical, therefore, that tech companies and start-ups understand the type and quantity of their data in order to properly evaluate the threat that this risk poses to their business. In addition to a company's intellectual property and financial data, hackers are interested in obtaining any information that will facilitate identity theft, including names, e-mail addresses, telephone numbers, and other personal identification information. Companies must also gain an understanding of how their data is stored, used and moved within the organization.
A cyber-attack can exact serious and devastating consequences to a company, both financial and otherwise. In fact, this risk is heightened for small tech companies and start-ups, given that a cyber-attack could be a death sentence, and force such companies to shut down. A cyber-event can negatively impact customer loyalty and, importantly, the reputation of the business. A cyber-attack will also cause a company to incur significant expenses, including lost revenues, lost funding opportunities, the payment of regulatory fines, fees for outside consultants, the cost of detecting and containing the breach, as well as the significant cost involved in notifying customers and clients of a breach, which may be required by law.
The average cost of business lost in the wake of a cyber-attack exceeds $3.3 million. The average cost for a company to comply with notification laws exceeds $500,000. Statistics also indicate that it takes a company approximately four months to recover from a malicious or intentional cyber-attack. All states except for three have breach notification laws, and the failure to timely comply with applicable laws can lead to additional legal liability. Given this data, small tech companies and start-ups must proactively take steps to manage this risk.
Best Line of Defense
You wouldn't leave your grandmother's heirloom diamond ring on the table in front of an open window, would you? No. You probably have insurance for it, a safe place to keep it, and you only allow certain people to use it. Treat your data like you would your most prized possessions. You won't necessarily be able to avoid a hack, but you can make it so difficult that hackers spend their efforts elsewhere.
Many companies simply do not have sufficient personnel, tools or funding to properly manage and minimize the risk of a cyber-event. Fortunately, there are cost effective steps that you can take now to address this risk, and to ensure your company is prepared to respond to a breach, should one occur. A prudent tech company or start-up will address the following key areas: technology, employee training, management of business partners, securing appropriate insurance coverage, and the development of an Emergency Response Plan.
When it comes to technology, a company should work with its IT personnel as well as outside forensic experts in order to ensure that technical safeguards are sufficient, and updated as necessary. In fact, a company should consider retaining an outside forensics expert to conduct penetration testing in order to assess the sufficiency of its safeguards.
It is also critical for tech companies and start-ups to properly manage relationships with business partners and outside vendors who will gain access to a company's data. A company should include specific provisions in vendor contracts that will ensure that its business partners implement and maintain their own data protection measures, in addition to reserving the right to audit a business partner's data security practices. Business contracts must also define who owns and controls data, and when, and must include appropriate indemnification and insurance language. The Target breach was initiated through a small HVAC vendor. This example highlights the reality that hackers do, in fact, target smaller companies, and also demonstrates why vendor management is so important.
Next, employee training is critical in order to create a culture of "cyber-awareness" within your organization. Human or employee error is the cause of more than 95% of all cyber-events. IT professionals should be involved with employee training to ensure that employees and human resources understand the importance of this issue. A company should also procure sufficient insurance coverage that will afford key protection in the event of a cyber-attack. Finally, best practices state that tech companies and start-ups must develop, practice and maintain an Emergency Response Plan that will be utilized in the event of a cyber-attack.
There is no certainty in preventing a data breach, but you can put your best line of defenses in place early. The management of cyber-risk is a task that tech companies and start-ups need not – and should not – tackle alone. It is critical to include insurance experts, attorneys, IT experts and others on the team to ensure that your management of this risk is as complete as possible. If your company takes the right steps with the right team in place, you will be able to minimize the risk of a cyber-attack.