Recently at a gathering of small business owners I overheard a conversation that intrigued me. The discussion was about the cost and implementation of a cyber security plan for small business. I listened from outside the group for a few minutes before joining the conversation.
What I learned rather quickly was that small business owners have so many challenges facing them that cyber breaches, hackers, and the issues that cyber-attacks represent are just not on their radar as immediate threats. When you are dealing with making payroll, worried about benefits, taxes, insurance, and regulations, cyber breaches seem like a distant concern.
As the conversation continued there were differing opinions about the state of cyber security and small business. Most of the talk was about recent breaches at large corporations and government sites. The prevailing thought was that hackers are organized criminals in foreign lands that are seeking large payloads by gathering massive quantities of data or poaching secrets and sensitive trade data. Then an interesting thing happened to the group. A gentleman who had been listening in while chatting with another group joined the conversation. He had a different view of cyber security and small business.
His view was as a victim. His company that he had spent 12 years building had been the victim of a phishing attack. It was in the form of an email with a free offer that one of his unwitting employees opened. The offer was from a restaurant offering a free meal in return for a few minutes to take a survey.
The second the employee opened the email, the nightmare began. From the moment the employee opened the email the attack was underway. His business was exposed. As the owner of a health care facility, the company collected personally identifiable information. Patients were required to give insurance information, names, address, birth dates, social security numbers, driver’s license numbers, and credit card information. He was aware of his responsibilities to safeguard the information according to HIPAA regulations. He thought he was compliant but there were issues with his security, his back-up and archiving, and his encryption strategy.
The result was devastating. He was required by law to register the attack and make remedy to all of the people affected by the breach. Since his facility had been open for over 12 years, he had amassed a fairly large client list. They all had to be contacted and protected with credit reporting services. The information he shared with us next was eye opening to say the least. After he reached out to all of his clients, almost 60 % of them expressed concern over his inability to protect their information. They were angry and suggested they would not continue to use his services. In the end he lost 30% of his clientele. The loss of clients combined with the cost of recovery sent his business into a downward spiral. His business was in trouble. Six months later, after a long battle to recover his business he lost the fight and filed bankruptcy.
His message to the group was clear and simple. “Small businesses are in cyber risk denial.” The threat is clear and present and needs to be addressed as a matter of routine business. He explained to us that the death of his business was a direct result of his denial to see all the signs around him. He was passionately sincere when he looked at each one of us and told to open our eyes to the risks around us. “Now that I have been through this experience, I am acutely aware of the severity of this problem and the exponential growth of cyber-attacks on small business.”
His advice to us was simple. “Be prepared and take the necessary steps to protect your business. It is not about if you will suffer a breach, it is about when. Discover your vulnerabilities, protect your data, educate your employees, and consider buying a cyber insurance policy. Above all, do not be in cyber risk denial…because denial could mean the death of your business.”
Call us today for your free Cyber Security Evaluation – 919.582.6212 or fill out our contact us form.