Small and medium-sized businesses (“SMBs”) are not immune from cyber liability and can be held responsible not only for a cyber breach, but for lax cybersecurity. Lax cybersecurity will inevitably result in financial harm in the form of penalties or lost business.
Historically, SMBs may have thought of themselves as too small to be noticed in matters involving cybersecurity. Perhaps the idea that SMBs could go unnoticed was reinforced by an assumption that only big businesses could be monitored or held accountable for a data breach. After all, why would anyone care to monitor the cybersecurity of an SMB?
With the strictest laws in data privacy and, effectively, cybersecurity taking effect in May 2018, the days of going unnoticed are over. While the new laws might not directly affect SMBs, the indirect effects will be just as significant to an SMB’s existence.
For example, businesses directly impacted by the new laws will have a duty to ensure their third-party vendors have adequate security measures to protect data. The third-party vendors are often SMBs. An SMB’s failure to use adequate security will cost the business substantial amounts of money. Rather than risk millions or billions of dollars (e.g., GDPR fines), the business directly affected by the strict laws will have a strong incentive to trade the insecure SMB for more secure alternatives.
As if a threat to a company’s existence were not sufficiently compelling, there are also U.S. laws that directly impact SMBs. Depending on the SMB’s industry and the type of data collected, laws that dictate data privacy might require strict security. Violations of such laws may subject SMBs to financial penalties, fines, and other civil punishment.
To demonstrate that no business is small enough to go entirely unnoticed, imagine a boutique hair salon. The salon regularly purchases hair products from an international distributor. The salon uses an online portal to order supplies, and since orders are fairly regular, they are scheduled automatically every few weeks. Imagine that the salon also accepts credit card payments and stores customer information to track a salon awards program. The awards program offers customers credit at the salon for each fifty dollars spent. The salon has no cybersecurity policy because the owner believes the salon doesn’t work with “technical stuff” or “secrets” that a hacker would want. There is one administrative password shared by the staff. It is “password123”. The same password is used to log in to the distributor’s portal. The company has been in business for ten years and has had to buy more computer storage for all of the customer information. The salon has never purged information.
For the salon, it is business as usual until one day the computers are down. The salon can’t process credit card payments, and the computers seem to have a glitch. The salon will eventually realize that its systems have been breached. Credit card and customer information have been stolen, and the salon’s portal to the distributor is compromised. As a result, the international distributor is also breached.
Laws involving cybersecurity, data, and privacy can have a devastating impact on SMBs, both directly and indirectly. It is more important now than ever that SMBs implement an adequate cybersecurity program. There are many online guides to help you get started. There are also cybersecurity consultants, experts, and attorneys who can help you understand how to protect your data, comply with laws, and ultimately minimize your liability. Cybersecurity is an investment in the future of your business. For SMBs, it is survival of the securest.