Small to medium-sized technology firms are just as susceptible to cyber risk as other similar-sized firms, according to international insurance firm Travelers.
Although awareness of cyber risk issues may be higher in large firms, resources to respond are likely to be just as limited, according to Mike DeHetre, vice-president of product development for select accounts at Travelers.
“Their focus is on customer service and the myriad other things a small to medium-sized enterprise (SME) owner has to do to stay successful,” he told Computer Weekly.
“There is also often a false sense of security because they are small and believe they are unlikely to be targeted by cyber attacks,” said DeHetre.
But attackers are not only focused on large companies, and the fact that small tech firms often keep large amounts of sensitive data on customer IT operations makes them more likely to be attacked, he said.
If small tech firms work for larger entities, they are even more likely to be targeted as potential routes into those larger organisations through connected IT systems.
According to DeHetre, there are five things small to medium-sized tech firms can do to reduce their cyber risks.
1. Train employees to protect sensitive information
Even though time and resources are limited, all employees should learn the importance of protecting the information they regularly handle to help reduce exposure to the business.
This includes everything from locking up customer records to keeping passwords strong and confidential. Employees should also be taught how to handle a breach if one occurs.
“Like any safety training, it cannot be a one-off event; it has to be ongoing to reinforce on a regular basis the things employees should be doing and thinking about to ensure data is protected,” said DeHetre.
“It is about things like how you manage physical access to your laptop, connecting to public Wi-Fi networks and updating passwords regularly,” he said.
DeHetre said security training requires the business owner to recognise that it is as important as customer service and ensure that time is managed accordingly.
2. Ensure basic security protections and security updates
This means implementing appropriate firewall and antivirus technology and ensuring that software security patches are applied in a timely fashion.
Small businesses should then evaluate the security settings on software, browser and email programs, and select the system options that will meet the business needs without increasing risk.
Regularly maintaining security protections on operating systems is vital to them being effective over time.
“Again this requires business owners to put procedures in place that enable employees to do the right thing and follow good practices,” said DeHetre.
3. Monitor use of mobile devices and public Wi-Fi access for employees
Establish usage standards and be sure they are clearly communicated. For example, to avoid security breaches, employees should be instructed to use public Wi-Fi only in very limited circumstances.
Hackers can easily intercept traffic on public Wi-Fi, so it is imperative that employees use the internet and transmit information cautiously.
“There need to be processes in place to manage public Wi-Fi access, and if employees are using their own devices, there needs to be a control mechanism around that,” said DeHetre.
4. Have a plan in place to manage a data breach
If a breach occurs, there should be a clear plan that sets out who is to manage the situation and what action should be taken, such as informing the insurance provider.
“SMEs need to plan for data breaches in the same way that they plan for natural disasters such as hurricanes, floods and fires,” said DeHetre.
This includes having data backup and recovery services in place to get the business up and running as quickly as possible after a data breach, and a plan to communicate with stakeholders and media.
“It all comes down to good business discipline and taking time to focus on being a good business owner as well as a supplier of technology goods and services, and putting controls in place,” he said.
DeHetre said while failure to put such controls in place can be found at both ends of the spectrum, some small companies are “absolute standard bearers” on risk management concepts, proving it can be done.
“Then there are large companies that pay it no attention, but that is just gambling and hoping that the worst will not happen – and ‘hope’ is not a strategy,” he said.
5. Incorporate errors and omissions cover
This is a risk that technology companies need to be thinking about in addition to data breaches as part of their whole risk management strategy, said DeHetre.
“Tech companies typically have a greater errors and omissions exposure than other companies because their business is providing services to their clients,” he said.
“They are doing things like maintaining network systems that impact the function of the business of their client companies. As a result, if they make an error or omission in providing the service, they could cause a loss to the client company, for which they might be liable to provide restitution.
“Errors and omissions insurance cover helps to address that and reduce the risk of unexpected financial liability that could easily bankrupt a small or medium-sized business,” said DeHetre.
This is particularly important for small companies that are suppliers to bigger companies which will typically have contractual requirements around data security.
While small companies rarely have subcontractors they have to worry about, they do need to think about whether they have key clients that represent a significant portion of their revenue, said DeHetre.
“They need to think about how that impacts the decisions they make, such as how they put together their insurance coverage or the way they do disaster planning,” he said.
Cyber risk is only one of several risks small and medium-sized technology businesses can take steps to reduce, according to Travelers.
Other manageable risks include risks to data through property damage, employee accident compensation claims and international travel risks.