In May 2019, Fortune 500 title insurance company First American became the latest high-profile victim of a cyber blunder when its website leaked more than 8.8 million documents related to mortgage deals. Bank account numbers, mortgage and tax records, Social Security numbers, and other highly sensitive customer data were temporarily exposed, all thanks to what company representatives have called a “design defect.”
I can’t say whether any of this information fell into the hands of criminals, because no one really knows for now. I do know that this information is a goldmine for the types of people who normally run online scams. All of those email addresses, account numbers, and other pieces of compromised data will certainly be used to create very convincing fraudulent personas.
In nearly 20 years as the CEO of a busy IT support company, I’ve seen scenarios like these play out many times. Usually the consequences for the hacked companies are far more severe.
While, again, I don’t know how First American will ultimately be affected, it’s safe to say that most companies—especially small businesses—can’t afford to expose sensitive customer information to potential bad actors.
The price of losing data
When a breach happens, there are usually a lot of losers. Unfortunately, if your company is at the center of it, then you’ll lose the most. Perhaps the most obvious consequence of failing to secure customer data is losing the trust of customers and the public—and the more sensitive the data, the bigger the breach in trust.
If I, as a customer, give you private information and you put me at risk of identity theft or financial loss because you can’t keep that information private, that’s grounds for terminating my relationship with you. If I can’t trust you to protect my data, how can I trust you to meet other terms of our contract, including providing whatever service I’m paying you for?
Breaches can seem devastating when they’re occurring, yet oftentimes it’s the aftermath of the breach that harms a company the most. An erosion of trust cuts deep, but recovery is possible if handled correctly—both before and after a breach.
Marriott could have lost millions of customers after a breach at its subsidiary, Starwood, became the largest of the year in 2018. However, the company has been relatively proactive about managing the fallout and keeping customers informed about how they may have been affected. In all likelihood, people will continue to book reservations at Marriott’s hotels, though they may take precautions about the type of data they share when doing so.
As Marriott shows, the best thing you can do after a breach is to be transparent about what happened: Be clear about what went wrong and what you’re doing to try to make it right.
Oftentimes, the story you tell in the aftermath is just as consequential as the breach itself. The worst thing you can do is point fingers at someone else. The best thing you can do is show people that you had taken the proper preventive measures and that the breach happened in spite of that.
If the compromised data was encrypted, if your employees had received training on how to correctly handle sensitive information, and if your servers had several layers of protection, and the breach still happened? That’s a much easier story to tell.
Ultimately, your reputation in the marketplace will take a hit after a breach, and you may lose some customers no matter how many precautions you took and how tirelessly you work to mitigate the damage. If you’re a small business, you may not have many customers, and losing any could be a huge hit.
Here are three ways you can prevent that from happening:
1. Understand that even small businesses are a target
Every company—small or large—is a target in the digital age. The big breaches make headlines, but data compromises occur every single day. Moreover, cybercriminals are increasingly targeting small businesses because they tend to be more vulnerable than companies that can afford to spend big bucks on cybersecurity.
With the advent of new hacking tools and out-of-the-box scams, it’s painfully easy for anyone to become a hacker. Don’t succumb to a false sense of security.
2. Be proactive about communicating with your customers
You want your customers to know what measures you’re taking to keep them safe. As cybersecurity and data privacy become more prominent topics of everyday conversation, fewer people will take them for granted. That’s a good thing, but it also means that you’ll be expected to meet certain standards with regard to security and data storage.
I often tell clients to imagine a scenario in which their company has suffered a data breach and there’s a story about it on the front page of the newspaper. What do you want that story to say? It could announce that you were blindsided and completely unprepared. On the other hand, it might describe your strong password policy, security monitoring policy, regular firewall updates, security audits, and regular penetration testing. That’s the story of a company doing everything it can to prevent a data breach and falling victim anyway.
You decide what makes a better story.
3. Provide regular training to employees
Many small businesses need to provide employees with some kind of basic security training in order to be compliant with new regulations. But employees are constantly bombarded with malicious emails from scammers and phishing attackers. That’s why a one-time training webinar will hardly keep you protected from an ever-evolving cybersecurity threat.
Provide them with training that’s practical, easy, and ongoing so that they get regular updates on the latest online threats and learn to recognize attacks before it’s too late. Unfortunately, most data breaches occur as a result of employee error. Humans are fallible, and you can’t expect your employees to be the exception. But with regular training, you can transform them from your primary liability to your strongest line of defense.
We know from the headlines that major security breaches are big news and aren’t likely to let up. With limited cybersecurity defense budgets, small businesses are at just as much risk—if not more so—as large corporations. Taking a few basic precautions can help prevent a data breach or, if not, at least preserve your customers’ trust and your reputation.