This article originally appeared American Business Magazine on May 2, 2024. View the original article here.

Many small- and mid-sized business owners believe that they are not prime targets for a cyber breach and that threat actors only go after large companies. This is an incorrect and costly assumption. Smaller organizations are experiencing more data breaches and incurring considerably higher data breach costs year after year.

Smaller companies are rife for data breaches for a number of reasons. First of all, they are desirable targets. Cybercriminals know that weaker security measures will make small businesses more vulnerable to an attack than larger companies. Additionally, most small businesses will not have a sophisticated infrastructure lacking best practice protocols such as backups of data stored offsite or offline which may necessitate the payment of a ransom to obtain a decryption key. In comparison to larger, more-prepared companies that typically maintain backups, smaller companies are at a disadvantage and threat actors are taking full advantage.

Smaller organizations are often not financially equipped to withstand a cyberattack and most do not have cyber insurance. According to the 2023 IBM Cost of a Data Breach report, organizations with fewer than 5,000 employees reported that the average impact of a data breach increased nearly 20% with an average cost of between $3.29 million to $4.87 million. If this is correct, a successful cyberattack could result in the closure of more than 50-percent of small businesses.

We all know data breaches are costly and the costliest record types are customer and employee personal identifiable information (PII). In 2023, customer PII such as names and corresponding Social Security Numbers cost organizations $183 per instance, with employee PII following close behind at $181 per record. In the past three years, customer PII was the most breached record type, and 52% of all breaches involved some form of customer PII. Employee PII is the second-most compromised data type at 40% and continues to grow year on year.

Since data breaches are becoming an “if”, not “when” occurrence, small to mid-sized businesses should take steps now to reduce the exposure and ultimate cost of a cyber incident. Understanding that smaller businesses might have less money to take preventive measures, here are some cost-effective best practices to implement:

1. Obtain Cyber Insurance

Cyber insurance can cost as little as $30 per month and averages about $145 per month for small businesses according to Insureon. Costs can escalate quickly in the event of a cyberattack with everything ranging from interruption to the business, attorneys’ fees, forensics and recovery costs, to data mining and the expense associated with state-required data subject notification. These costs force many small businesses into bankruptcy, which could have been avoided with cyber insurance.

2. Password Hygiene

Encourage employees to change their password each month and to not include easily guessed names or phrases. Instruct employees not to use their work email to sign up for non-work-related accounts, newsletters, and so forth. Additionally, train employees to not reuse passwords across personal and work-related accounts.

3. Employee Training on Phishing Awareness

Teaching employees about phishing awareness (email phishing, spear phishing, smishing, and vishing – oh my!) is one of the most effective ways to protect any business from cyber threats. A phishing awareness training program helps employees understand the diverse types of phishing and its impact on businesses, as well as how to not fall prey to these tactics.

4. Classify and track your sensitive data

Data mapping is the process of creating a visual representation of your data. It helps you understand the landscape of your organization’s information, including where it resides and where sensitive data is stored. Depending on the size of your organization, you may be able to conduct data mapping manually. This can be a time consuming and labor-intensive process. Consider using GenAI context-based scanning tool for an initial assessment of where pockets of sensitive data are stored and how many of those are duplicative.

5. Practice deletion

Do not continue the habit of storing old organizational data because that is what the organization has always done. With the ever-increasing cyber incident liability risk and changing threat environment, sticking to status quo policies is no longer the way to go. There is much more risk associated data retention than ever before, so practice deletion.

Small to mid-sized businesses are at a much higher risk of cyber incidents than they think, and the cost of such incidents can be devastating. It is important for these sized businesses to take preventive measures to reduce the cost impact of an inevitable cyber incident. Some cost-effective best practices include obtaining cyber insurance, instituting good password hygiene, training employees on phishing awareness, classifying and tracking sensitive data, and practicing deletion. By implementing these measures, small to mid-sized businesses can better protect themselves against the growing threat of cyber incidents and their costly consequences.

Megan Silverman

Vice President – Cyber Solutions