The Fine Print

LeFebvre Law's blog exploring legal issues related to the small business community, entrepreneurs, contractors, the construction industry, along with occasional pieces about futurism, the commercial space industry and space law, and other emergent technologies and novel legal fields. "Always read The Fine Print!"


Cybersecurity and Your Small Business – Written Information Security Policy


If you have been following the media, no doubt you are aware of the many cyber attacks that seem to be occurring with ever greater frequency. Individuals, hostile nations, and even unscrupulous competitors are testing the limits of information security, and the takeaway is that even large corporations and the U.S. Government are not taking the precautions they need to in order to protect sensitive data.

Now, as a small business owner, you might be thinking that you are just not a big enough player to face a cyber attack or to have your information stolen. This just isn’t true. It is not simply massive companies like Sony or Ashley Madison that are the targets of these types of attacks. Symantec’s 2016 Internet Security Threat Report shows that 1 in 40 small businesses risk being the victim of a cyber crime, and that last year “phishing” campaigns targeted small businesses 43% of the time. That is very significant. And suffering a cyber attack can be extremely costly, potentially ruining your small business.

Indeed, there are many valid reasons why a small business owner would want to implement certain procedures to ward off security breaches. Apart from your reputation being ruined if your customers’ personal data is stolen, there are also significant monetary costs – according to a survey by Kaspersky Labs, small businesses pay on average $38,000 for each data breach.

Fortunately, there are steps you can take as a small business owner to mitigate the risk of a cyber attack or other form of information theft.

Audit Your Security Procedures

The first step is to look at what your current security procedures are and to identify where they are lacking. What you need to remember is that this goes beyond weak passwords. The majority of information breaches are far more mundane and occur in person. For example, if an employee leaves personal data for a customer on their desk and the cleaning service comes in after hours, that data is potentially compromised.

Consider who has keys to your office, and even whether your offices are securely locked when you are closed. Identify all key-holders, including employees, landlords, janitorial staff, and others. When an employee leaves your business, do they continue to have access to the office? Do employees leave sensitive data in plain sight?

Then you should consider your hardware. Are your servers encrypted and securely locked? Is your business using an encryption program on all computers? Do you have up to date malware detection and antivirus software? Are your employees allowed to access data remotely? Is an encrypted connection such as VPN required? Does your company have a strict password protocol or require randomly generated passwords? Do you keep personal data or trade secrets in the cloud?

This is hardly an exhaustive list, but gives you a sense as to what to look for when seeking out security vulnerabilities. Obviously if you find any vulnerabilities, you will want to correct those weak spots and keep them in mind when you start to craft your official Information Security Policy.

Craft a Written Information Security Policy

Once you have identified potential security vulnerabilities, you will want to create a Written Information Security Policy (WISP). This is your business’ official policy on handling information, reduced to writing and distributed among your employees.

The purpose of your WISP is to create effective administrative, technical and physical safeguards for the protection of personal information and other proprietary data. The WISP should set forth procedures for evaluating electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting personal information.

Consider designating a qualified employee as your Data Security Coordinator to implement, supervise and maintain the WISP. That employee will be responsible for implementation of the WISP, training employees, regular testing of the WISP’s safeguards, evaluating the ability of third party service providers to implement and maintain appropriate security measures for the personal information to which your business has permitted access, and requiring such third party service providers by contract to implement and maintain appropriate security measures, as well as reviewing the scope of the security measures in the WISP annually, and similar responsibilities.

You will want to lay out your plan to deal with internal risks to the security, confidentiality, and integrity of any electronic, paper or other records containing personal information. Some examples might include distributing a copy of the WISP to each employee and having your employees acknowledge in writing the receipt of the WISP. Consider amending employment contracts to require all employees to comply with the provisions of the WISP. Establish disciplinary procedures for violating the terms and provisions of the WISP. Limit the scope of personal information collected to that amount reasonably necessary to accomplish your company’s legitimate business purposes and consider limiting access to records containing personal information to those persons who are reasonably required to know such information in order to accomplish your legitimate business purpose. Expressly state that terminated employees must return all records containing personal information, in any form, that may at the time of such termination be in the former employee’s possession, including all such information stored on laptops or other portable devices or media, and in files, records, work papers, etc., and that a terminated employee’s physical and electronic access to personal information will be immediately blocked.

The policy should address your employees’ user IDs and passwords, which must be changed periodically. It should encourage employees to report any suspicious or unauthorized use of customer information. Be sure to prohibit employees from keeping open files containing personal information on their desks when they are not at their desks, as this is one of the most common ways personal information is accessed. Provide that, at the end of the workday, all files and other records containing personal information must be secured in a manner that is consistent with the WISP’s rules for protecting the security of personal information. Implement procedures such as restricting access to electronically stored personal information to those employees having a unique log-in ID and requiring re-log-in when a computer has been inactive for more than a few minutes. Ensure that paper or electronic records containing personal information are properly disposed of.

Apart from the internal risks, you will also need to address external risks. Such measures might include provisions requiring reasonably up-to-date firewall protection and operating system security patches installed on all systems processing personal information, up-to-date versions of system security agent software which includes malware protection and up-to-date patches and virus definitions, encryption on all laptops and portable devices that contain personal information, and the monitoring of all computer systems for unauthorized use of or access to personal information.  

Be sure to require secure user authentication protocols, such as protocols for control of user IDs and other identifiers and a reasonably secure method of assigning and selecting passwords.

Buy Cyber Security Insurance

It is always wise to prepare for the worst case scenario. With that in mind, it may be a good idea to invest in Cyber Security Insurance. Such plans are offered by a number of insurance companies. Depending on what type of coverage you receive, Cyber Security Insurance will cover costs like notification, identity protection solutions, public relations, legal fees, liability and more. This type of insurance could be critical in the event of a breach in your security protocols, which, as was stated earlier, costs on average $38,000.00 and can drive a smaller company out of business.