With technological advancements rapidly increasing over the past couple of years, it’s unsurprising that data breaches have slowly crept up the list of small business owners’ biggest fears. For an SME (small-to-medium enterprise) that may not have even considered the possibility of this issue, the consequences of a breach could, in some cases, be fatal to the business. So you can see why the thought of not having protection in place is a scary one. So with an ever-increasing need for better risk management, what do you really need to know?
Preventative risk management
Preventative risk management is just as important as reactive risk management, if not more so. Yes, reacting to and handling the situation once something has gone wrong is great, but it’s far more cost-effective and far less damaging to take steps that aim to prevent the issue altogether.
This is why it’s important to implement strategies that can help you deter an attack. A recent study found that over 70% of executives believed that their employees and other stakeholders didn’t fully comprehend the severity of a data breach. Essentially, 7 in every 10 business leaders believe their team members (the people working to prevent breaches) don’t understand the seriousness and consequences of something going wrong.
What this shows is that one of the biggest preventative tactics you can employ as a small business owner is better educating your team. Solutions should be discussed from the top down to ensure that everyone is on the same page, and the leadership team should discuss and implement an incident response plan. Formalising this by documenting it and keeping it somewhere permanent (such as Confluence, if you use a platform like this) helps keep everyone in the loop. With these steps taken, if something does go wrong, there should be no confusion about the best actions to take.
Physical and digital preventative measures are also important. Tech teams should be across this and should implement any technological controls that don’t negatively impact the website (eg, slowing down site speed). This includes fraud prevention tools capable of providing device intelligence, risk assessments, a layered authentication strategy, traditional validation and verification of personally identifiable information (PII), as well as any other contextual information management you may require.
Reactive risk management
Reactive risk management takes place once a breach has happened. The most important thing to do is maintain clear communication with team members and your customers (if applicable).
If your database or customers have been impacted, they’ll initially be angry and mistrustful. When communicating with them, it must be done with honesty and empathy. Your customers need to believe that you’re taking every step possible to correct the situation, and reimbursement should be offered if you believe it’s necessary.
Cyber liability insurance also comes into play here. Although the act of taking out insurance is definitely preventative, the benefits are typically only reaped after a breach has taken place. While it can be expensive (depending on a range of factors), consider the potential costs you could face if you don’t have cover. Policies should cover the costs involved with managing the problem, such as alerting your customer base. Most insurers will also go the extra mile and collaborate with you to assist with working out your strategy.
At the end of the day, it’s important to consider the consequences of a data breach and take action to implement a risk management strategy so that if something does go wrong, you can remain calm and sort it out.
Laycock, Richard (2018). The ins and outs of risk management. Retrieved on 29 March 2018 from https://www.cso.com.au/article/635532/ins-outs-risk-management/