What would you do if you arrived at the office and you found files all over the floor and computers missing? The first call you would make is to the police, but as you wait for the police to arrive you realize you have client information missing. Your thought – how can I recover that information for my business? The police arrive and flurries of questions ensue to ascertain what was stolen and who might have committed the crime. After the police leave and you are only left with your thoughts about what is next, you recall the previous thought about client information and then it hits you – there were names, addresses, dates of birth, social security numbers and other vital information about clients and employees. What if that information gets in the wrong hands? Devastating!
We hope you never have to face a scenario like this, but it does happen and it happens every day to small businesses throughout the world. The ownership or management go through the same process to recall and determine the extent of the loss of tangible equipment, but that is a mere fraction of the potential damage if any lost personal information is misused. As a matter of fact, fifty percent of companies that have this unfortunate experience end up losing their reputation and failing.
What we have just described to you is data breach. Most people think data breach has to do with hackers, computer networks and the Internet. The truth is the highest percentage of data breaches happen from the loss or theft of computers. Less frequently it is due to the loss of external storage devices and disgruntled employees. That being the case, what responsibility does the small business have? If you are in the State of Indiana, you must notify the Attorney General and notify all persons whose information could have been compromised, if a breach or suspected breach has occurred. Squarely, you as a small business are fully responsible!
Our research has shown us that most businesses are not knowledgeable about the laws and requirements let alone knowing how to handle something like this if it should occur. We recommend preparedness. You must know, you must train and you must minimize the potential for the loss of personal identifiable information within your company. The process starts with knowledge and begins with knowing what is required and why. The second part is assessing where you are in comparison with similar companies and developing a best practice. The next step is to create an improvement plan, or road map, to mitigate the risk of loss of this data. And lastly, it requires an action or emergency plan that can be followed should information be lost or stolen. We have found that combining knowledge and assessment go hand in hand. As questions are asked and explained, great knowledge is gained. The assessment typically leads to a best practices score and allows the company to prioritize and develop a plan to mitigate the potential for loss. We find this process narrows down and focuses each company on the most important priorities, so it can be managed and implemented effectively.
_________________________________________________________________________________________
Here are several myths associated with data breach:
Myth 1
Data breach is about computers and the Internet and we don’t use the Internet except for research in our business and most of our records are in paper files.
The Truth
Data breaches occur all the time by unintentional means. Misplaced files, stolen files and incorrectly disposed of files are a few of the ways information is compromised.
Myth 2
Data breaches only occur to large companies.
The Truth
Large companies get all the media attention, but more and more small businesses are being compromised every year. Recent statistics show that 43% of small businesses have suffered a breach already.
Myth 3
There is no real risk to us, we are a small business and we only have 100-150 clients.
The Truth
Allowing information to get into the wrong hands is costly. It has direct financial consequences to every business. The first cost is notification, unless you just let it slide, because you don’t think anything will happen to the information. If you don’t follow the laws there are civil and criminal penalties that could be assessed. The fine to a small business could be up to $1,000 per record for those records that have been compromised. If you decide to notify your clients, statistically the average base cost is $215 per record.
Myth 4
We keep records on our computers, but they are protected with passwords and firewalls.
The Truth
Most passwords are never changed and we even find the passwords on post-it-notes on the computer. And, firewall protection consists of off the shelf protection, which most elementary hackers can breach.
_________________________________________________________________________________________
Our hope is that you gain a sense of urgency about managing your data. We know it seems overwhelming and you are probably saying, “We don’t have the resources for this,” and that statement is true. Most small businesses do not have the human and financial resources to manage data securely. Most small businesses don’t even know where to start. We recommend hiring an assessment company. The problem is you will have difficulty finding an assessor to do it at a cost you can afford.
It is time to brag a little. We have owned many small businesses and we know the struggle to find affordable and effective resources. This is exactly why we founded “Fortress Data Control.” We developed the idea from our risk management experience in insurance. We understand that properly managing risk needs to be affordable and bring more value than it costs. Our service starts at $500 for a complete and thorough assessment. Depending on the number of employees you have, the fees may go up, because we found a direct correlation between the number of employees and the potential for mishandling data. Our assessments help business owners and managers understand how they control data, access data, and use electronic media – which we call systems configuration and control. Lastly, we assess what, if any, emergency planning has been done to handle a possible breach. We hope you will give us a call to discuss our service and the benefit it will bring to your company, so you are not sitting there someday wondering what to do next!
Rick Bowman
President
Fortress Data Control
rick@fortressdatacontrol.com