Massive data breaches in the last year continue to reverberate in the legal and business communities, and the recent hack attack on Sony Pictures Entertainment exemplifies the huge risks for companies large and small.
Though the majority of hacking incidents are aimed at stealing financial data to sell on the Internet’s black market, the Sony event seems to have been motivated by revenge. Moreover, this may be the first major hacking incident in which the impact on the company’s employees becomes a central issue moving forward.
Many small business owners mistakenly believe that they are too small to be a target of cyber crime. However, what happened at Sony can happen to your company. In fact, small businesses are often at greater risk for cyber crime, simply because hackers know these businesses don’t have robust network security to protect themselves.
Of course, no company can be made completely invulnerable. Still, there are a few important lessons you and your company can take away from what happened to Sony.
Don’t ignore warning signs
Ignorance is not bliss in the small business world. Both Sony and Target (in its data breach that dominated headlines earlier this year) have been accused of ignoring strong warning signs that their information networks had been infiltrated and compromised. While those companies are often large enough to weather such a storm, smaller companies will likely not survive if their computers are compromised, and in many cases, they must close their doors while rebuilding their networks and trying to regain customer confidence.
Do not ignore warning signs offered by your computer security software or employees. Plugging the hole in a compromised network is very time-critical.
Make certain your network is properly structured
In the Sony incident, hackers obtained a gargantuan amount of data from all facets of the business, including emails about actors and producers, employees’ salary information and copies of movie scripts. In short, the hackers ran rampant within the production company’s network.
Small businesses should ensure that their networks are compartmentalized and encrypted so that if someone does breach one area, they cannot automatically penetrate the entire system. The more sensitive the data — for example, customer credit card information or employee social security numbers — the more fortified the wall should be around that area.
Cyber insurance isn’t just for the big guys
Insurance companies have reacted to the growing risk of loss from cyber and privacy violations in two ways. First, most insurers have excluded cyber risks from more traditional insurance policies such as Commercial General Liability (CGL). Second, insurance companies are racing to the market with new products aimed at providing specialized coverage for losses from cyber attacks and data breaches.
As companies of all sizes approach the end of the year, now is the time to analyze exposure for cyber risks and, if necessary, address insurance needs to close any gaps in coverage.
Familiarize yourself with the different cyber insurance options
Businesses can obtain cyber insurance for first-party and third-party losses. It is critical to understand both types of losses and to ensure there is appropriate coverage for both.
First-party coverage can include within its scope computer data restoration; re-securing a company’s information network; theft and fraud coverage; business interruption; forensic investigations; and extortion. First-party losses are typically the most expensive for a business suffering a cyber-attack, so coverage here can be critical.
Certain companies, even small businesses, should think about third-party coverage as well. Most coverage in this area will provide for a defense to litigation from customers alleging direct losses due to a breach. Insurance may also cover the following: crisis management; credit monitoring for customers; the cost associated with notifying customers of a breach; media and privacy liability; and responses to regulatory investigations.
More generally, be proactive
The best defense against a data breach incident is to take an aggressive offense against attacks and breaches. It is easier to prevent a breach than to clean up the mess.
Start with the Federal Communications Commission’s website, which offers tips to protect small businesses and even provides a Small Business Cyber Planner 2.0. Implement a formal plan and keep it updated. To backstop the exposure, consider a robust cyber insurance policy. But buyer beware: Not all such insurance policies are created equal, and owners need to thoroughly vet the coverage they are buying.
Again, no company can be 100 percent secure, but these steps will help you mitigate the risks.
Collin Hite leads the Insurance Recovery Group at Hirschler Fleischer, a Richmond, Va.-based law firm. He works with companies regarding insurance recovery and coverage litigation nationally.