Better Understanding the Risk of Data Breaches
Small and mid-sized businesses understand cybersecurity risk but aren’t doing all they can to protect against threats.
The definition of marketplace trust has changed dramatically in the past few decades. Cybersecurity, once non-existent, is now the most significant trust challenge facing businesses today. No one knows this more than the Better Business Bureau, which has been helping businesses earn and maintain trust for more than a century.
The effects of a data breach
Major corporations have faced significant legal, financial and reputational damage resulting from data breaches that have compromised the personal information of their customers, but the situation is especially challenging for small businesses, which make up 97 percent of the total businesses in North America. Small businesses are vital to our economy, and they have a unique role in the cybersecurity ecosystem. Unfortunately, that role could leave critical infrastructure — transportation, communications, defense, water — vulnerable as small businesses are gateways to larger companies and government agencies.
BBB’s State of Cybersecurity analysis found that while small business owners are becoming more aware of cyber-threats and are taking some proactive security steps, they could — and would — do more if they had greater resources and knowledge. 76 percent of all businesses are aware of the risk of phishing (a common cybersecurity risk), and about 93 percent of BBB Accredited Businesses had heard of at least one of the most prevalent cyber-risks (ransomware, malware, tech support phone scam, etc.).
What do we actually know?
However, the numbers fell when we quizzed these business owners on how much they actually know about cybersecurity. The average score was 60 percent, which is barely passing. Only about 20 percent gave a correct response about what to do first in the event of a data breach. Immediately notifying those impacted may seem like the responsible and ethical approach, but breach notification is a complex issue, with laws that vary by state. Ideally, every business should have a cybersecurity plan as part of advanced incident response planning. To “consult and follow the plan” would be the correct first step.
When it comes to investing in cybersecurity, it’s not just the amount of money being budgeted but how well it is being spent. Smaller businesses can’t afford to make mistakes when it comes to investing in technology and training. No one needs to re-invent the wheel; the Cybersecurity Framework from the National Institute of Standards and Technology provides the best practices that businesses need to create and implement a cybersecurity plan.
Many BBBs across North America have staff who are trained to present BBB’s “5 Steps to Better Business Cybersecurity,” which is based on the NIST framework. They will be presenting events during National Cybersecurity Awareness Month in October and throughout the year.