When Main Street Meets the Cloud

Small Business Risks to Consider When Accessing Technology for Growth

It’s a familiar small-business success story: A company extends its storefront from Main Street to the Internet. It uses social media to spread the word. Payment card processing is now outsourced to the cloud. The company staffs up with employees working remotely nationwide. All of these steps add up to good news for the company’s bottom line.

But there is another part of the story not often heard: As the company’s outreach and profits grow, so do the risks. When small businesses tap the efficiencies and capabilities of technology, they infuse new exposures into their day-to-day operations.

In the Cloud

Use of the “cloud” gives growing businesses economies of scale, cost-savings and capabilities they could not build efficiently in-house. Entire back office functions are being outsourced to the cloud — including server hosting, payment card processing and sales management. But what if the small business’ technology service-provider suddenly goes offline and clients can’t access its site — or its customers’ credit card transactions cannot be processed?

Customer satisfaction plummets and reputational damage grows by the minute. Network business interruption losses — including lost sales revenue and extra expenses to get back up and running — are significant.

There is also the omnipresent threat of a data breach by malicious hackers or by employee accident. And what if the cloud provider holding data on the small business or its customers suffers a network security breach?

Never mind that the cloud provider is the one that suffers the breach, the small business owner is still left to pick up the pieces, potentially handling a costly, multi-tiered response.

In 2010, those response costs helped drive the average annual cost of cyber attacks for small- and mid-sized businesses to nearly $200,000. Given the cost, it’s no surprise that roughly 60 percent of small businesses shut down within six months of a cyber attack.

On The Road

Mobile computing — via laptops, tablets and handhelds — enables business to be conducted anytime, anywhere. However, the downside is the real potential of a lost, stolen or otherwise compromised mobile device.

Just a single lost laptop loaded with potentially sensitive information costs a business an average of $50,000, according to the Ponemon Institute — including forensics, notification costs, lost intellectual property, and legal, consulting and regulatory expenses required to appropriately manage the incident.

Among Friends

The widespread use of social networking websites such as Facebook and Twitter add to a business’ vulnerability. In the world of social media, lines between work and personal lives are easily blurred. Content posted on company-related sites or elsewhere by company employees may expose a business to claims of libel, slander, invasion of privacy, as well as a vast array of embarrassing public relations issues.

Tightening digital regulations impacts small businesses. For example, if a small business accepts credit cards, a thief may slip through the network security net and steal cardholder data. PCI Security Standards’ regulations say the merchant could potentially face fines, penalties and even termination of the right to accept payment cards.

Leveraging Technology, Mitigating Risks

Small businesses must manage technology’s risks as actively as they seize its benefits. Brokers can help steer small businesses down the path to proper risk management by raising four simple questions.

1. Do day-to-day business operations rely on outside entities or vendors, such as IT or internet providers, Web-based software providers, and systems or other cloud providers? If so, IT policies and procedures must contemplate not only your own systems and operations within your control, but those of these and other third parties
2. Does the business have disaster recovery, business continuity or incident response plans and procedures to respond if the business’ systems or those of its vendors are intruded, compromised or disrupted? The time to think through how the business will respond — and keep running — if a major vendor’s operations or systems are interrupted is before an incident occurs. Lay out specific contacts needed in a crisis after an incident — from forensic experts to help a business determine the cause and extent of a breach, to legal experts to navigate the maze of regulatory issues, including state notification requirements. View specific state notification requirements at: www.beazley.com/databreachmap.
3. Does the company have written policies and procedures for employees? Policies should encompass not only in-house systems, but all mobile devices and laptops used by employees. Make encrypting these devices mandatory. That way if a device is lost or stolen, the likelihood of data being accessed is small. In many states, if data on a lost device is encrypted, costly notification requirements may not even apply. Social media policies must also be established, well communicated and enforced. The Federal Communications Commission has developed a Small Biz Cyber Planner to help businesses develop their own policies: www.fcc.gov/cyberplanner.
4. Has the small business considered what risks it can transfer with the appropriate insurance coverage? Often the liability associated with a data breach is the least worry. The time and money required to respond to the breach — whether it emanates from the business itself, a cloud provider, or an employee working on the road — can be substantial. Fortunately, insurance products today contemplate the costs and complexity of data breach incidents and their response. Even costs that result from technology issues with a third-party cloud provider can be covered with the appropriate network business interruption coverage.

Leveraging technology and services from cloud providers may certainly be critical to a small business’ success, but so are sound risk management practices.

Topics Cyber Legislation Tech