When a major corporation such as Target or Home Depot suffers a data security breach, the cost can easily reach tens of millions of dollars. Target paid various financial institutions $67 million in the wake of its massive 2013 data breach.
When a startup’s data security fails, the dollar amounts might not generate headlines, but the impact on the small business can be even greater. Target can absorb a $67 million charge to its bottom line and move on. A startup that loses proprietary data can lose its competitive advantage and can be shut down even before it is fully up and running.
At a hearing on “Protecting Small Businesses Against Emerging and Complex Cyber-Attacks,” US Congressman Chris Collins said,
Unfortunately, the growth of information technology has also attracted a growing number of cyber-criminals looking to steal sensitive information – including intellectual property and personal financial information. These attacks can be catastrophic, leaving many small businesses unable to recover. A report shows that nearly 60 percent of small businesses will close within six months of a cyber-attack.
Below are eight common data security mistakes startups make and ways to avoid them.
- The biggest single problem is not prioritizing data security. Startups are concerned with many pressing issues – raising money, optimizing their product, finding customers. Depending on its business model, a startup might not have any senior IT professionals as part of the executive team. Yet, data security is an issue every CEO needs to address.
- No one is responsible for data security. Small companies often do not have one person who is clearly responsible for creating and enforcing even basic policies that address and mitigate data security risks. Without a go-to person for data security, no one will be proactive about protecting data. The solution is simple: include data security in an executive’s job description and responsibilities.
- Failing to have clear privacy policies and terms of use on their websites. Companies can legally limit their liability for certain types of data breaches and protect themselves from lawsuits for misuse of private data (from a third party breach) through well written privacy policies and terms of use, which become a binding contract on a user of a website by virtue of its use of the site. However, copying another company’s policies is not a good idea because every business collects unique data on its customers and website visitors and might use such data for different purposes. The solution again is simple: companies are advised to consult with a knowledgeable attorney or law firm to have appropriate policies put into place.
- Not paying attention to data security “boilerplate” clauses in contracts they sign. Contracts such as Non-Disclosure Agreements (NDAs) can include clauses requiring a party to undertake to take certain protections when using the other party’s data. Companies need to make sure they understand the provisions they are agreeing to and the protections they are undertaking to put into place.
- Not paying attention to laws in different countries. The privacy rules in Europe are very different from the privacy rules in America. Small companies may think they will not be enforced against them since they are not Google and may still be under the radar, but ignoring such differences can result in potential liability. The person in charge of data security needs to be aware of the requirements of each country in which the company does business.
- Allowing employees to use weak passwords. People like simplicity. They often use passwords that are easy to remember. The most common password is “password.” A simple 8-character password can be cracked in less than a day. System protocols should require long, complex passwords that must be changed on a regular basis. Requiring “non-obvious” user names can add an additional level of security.
- No controls over “BYOD.” “Bring Your Own Device” is the reality for most startups. As startups often operate in ‘bootstrap’ conditions, limited investment in hardware and software systems is often the norm. Employees may be welcomed and even advised to use cloud services and their own smartphones, tablets, laptops, or home computers giving them full access to corporate data on private devices. Having tight controls on company desktop computers, while allowing employees to sync corporate data to unprotected personal devices can create substantial exposure. Startups are advised to implement policies that control access to corporate data from personal devices.
- Lax personnel procedures. An article in Forbes describes how one small company kept losing bids to a competing firm to which one of its sales people had moved some time before. It turned out that no one had shut down the former employee’s access to the company network. As a consequence, the employee was able to log on, find his former employer’s bid, and undercut them. The lesson: data security policies should address issues beyond the technical.
While entrepreneurs are loathe to spend time on the “administrative” task of data security which does not “add value” in the same way as raising money or finding new customers, ignoring data security can come with a very heavy price tag down the road. A little attention can prevent a big disaster.