We hear about huge data breaches all the time. It seems like major companies across retail, manufacturing, and finance make the news once every couple of weeks for exposing customer/client data to malicious actors on the dark web. But what about small businesses? Jim Davis, the editor of the HR Daily Advisor (one of our sister publications) had the opportunity to chat with Jim Anderson of IT consulting firm Switchfast to discuss some research that shows that very few in HR ever even find out when a data breach happens at their organization.
HR Daily Advisor: I was surprised to learn that 60% of small businesses that suffer data breaches go out of business in six months. We always hear about big companies suffering data breaches, and then basically nothing happens. Can you discuss the difference?
Anderson: When a small business is the victim of a cyberattack, more of their resources take a hit than at a larger business. The money, time and manpower used to recover isn’t something that many businesses can bounce back from.
HR Daily Advisor: I’ve been hearing about data breaches for a long time now, but I haven’t seen many practices change. How realistic is it for your every-day worker to start being more security conscious?
Anderson: Being more secure as a daily practice has to come from the top down, and what this survey found is that the C-suite is just as guilty of bad cyber-hygiene. It’s an extremely realistic goal to improve cybersecurity practices with small steps, like access, identification, etc., but it needs to start with a policy to guide employees. You can make improvements by outlining the right steps.
HR Daily Advisor: I think there might be a “it won’t happen to me” mentality going on when it comes to data breaches. How can companies raise awareness that it could really be you?
Anderson: There is definitely an “It won’t happen to me” mentality when it comes to breaches, and companies need to break down that mindset with something as simple as just creating a policy. With a policy that employees have access to and are reminded about on a quarterly basis, they’ll be more conscious about their cybersecurity practices.
HR Daily Advisor: Nearly 20 percent of respondents said they have given a co-worker the password to their work email. But co-workers aren’t the source of data breaches, are they?
Anderson: It’s more about the fact that your password is out there. The more people who have access to that information, the more likely it will get into the wrong hands. While you might not be the victim of a phishing attack, your co-worker might be, and if they have your password, you are both compromised.
HR Daily Advisor: Your research showed that 19% of respondents have personally identifiable numbers in their work email password. Don’t most cyberattacks not require a password (like spear phishing, for example)?
Anderson: Yes, but if a hacker gets access to a password that’s written down somewhere, or if the scam does require you to enter a password, then those personally identifiable numbers are out there for the bad actor, which could lead to a lot of problems – like access to a bank account or social media profiles.
HR Daily Advisor: The research also showed that HR was the least likely to know if a company has suffered a data breach. What are the ramifications of that?
Anderson: HR teams are ultimately responsible for sharing policy information and ensuring information from the top is shared downward. If HR teams are unaware of the risks or any breaches that have occurred, they can’t effectively share that information with the company to ensure protective measures are taken in the future. Additionally, they won’t prioritize creating and sharing cybersecurity policies or training employees on cybersecurity practices.
HR Daily Advisor: You report that 35% were unsure if their business had an incident response plan, and that 33% didn’t have a plan. How are awareness of a plan and the existence of a plan related? In other words, isn’t it more important that there be a plan than telling everyone that there is?
Anderson: Having an incident response plan means nothing if no one knows about it. If an employee falls victim to a scam and they don’t know who to report it to, that’s a huge problem. First things first, a plan needs to exist, and one step further, everyone needs to know it exists.