February 20, 2017
Following a July ruling against medical testing laboratory LabMD (which is now out of business), the Federal Trade Commission has emerged as a central regulator of cybersecurity practices for U.S. businesses. The FTC’s mandate to act on “unfair or deceptive” business practices that could harm consumers is being interpreted in a way that means any business that handles (and might potentially mishandle) consumer data is liable to fall under the organization’s scrutiny.
That’s almost every business today.
Some background: The Commission reversed an administrative law judge’s ruling and found that LabMD, a clinical laboratory for physicians, failed to protect the sensitive personal and medical information of consumers. From 2001 to 2014, LabMD collected this information for over 750,000 patients.
Based on the LabMD ruling, which cited a lack of “even basic precautions to protect the sensitive consumer information maintained on its computer system,” it appears that actual harm from a data breach doesn’t necessarily need to be proven if the potential for harm exists.
The ruling sends a clear and sobering signal to business owners: You must make significant, demonstrable efforts to protect yourself from data breaches or face the consequences.
A glimpse of what’s to come
“LabMD’s security practices were unreasonable, lacking even basic precautions to protect the sensitive consumer information maintained on its computer system,” the FTC ruled. “Among other things, it failed to use an intrusion detection system or file integrity monitoring; neglected to monitor traffic coming across its firewalls; provided essentially no data security training to its employees; and never deleted any of the consumer data it had collected.”
For small business owners who have a seemingly endless list of concerns to address, making time to focus on data security best practices is sometimes difficult to justify. But it has to be done: The FTC and other government entities are only going to sharpen their focus on data security and consumer privacy in the coming years. Data integrity must become a core aspect of doing business (rather than a minor detail that can be overlooked).
With this in mind, small business owners should be aware of a few common misconceptions surrounding data security, as well as the best practices they should rely on to address them:
Misconception No. 1: Data security is a ‘big business’ problem.
A surprising number of small business owners look at data security as something they don’t need to worry about. You’ll hear owners say, “Nobody is interested in the data we have. We’re not Sony or a government agency.”
But the truth is that cybercriminals are most certainly interested in your data, and according to Fox Business, 43 percent of worldwide attacks in 2015 were against small businesses with fewer than 250 employees.
On top of that, the prevalence of ransomware attacks means that it no longer matters if your data is important to other people. If it’s important to you — the owner — hackers can take it and force you to pay large sums of money to get it back.
As a small business owner, you must consider it critical to have a managed-data backup system in place. This won’t prevent attacks, but it can significantly mitigate harm to your business if one does occur, especially in the case of a ransomware attack.
Misconception No. 2: One solution for all threats
Small business owners are especially susceptible to believing that a single solution will defend against all possible threats. Security is better viewed as a managed process.
Simply having some legacy IT solutions in place shouldn’t let you develop a false sense of security and avoid asking important questions, including: Are we addressing vulnerabilities through security patching? Are we getting regular reports of that activity so that, in the event of a breach, it’s documented and we can respond effectively to an audit? Is our firewall being actively managed?
You need to have a managed security system in place, one that includes regular reports on security measures, potential threats and updates. If you need more information, conduct some research on third-party managed security service providers, which can offer on-premise and remote solutions depending on your needs.
Misconception No. 3: Cybersecurity training is for the IT guys.
Data security isn’t just IT’s responsibility — it needs to be a priority for all employees. Your entire network can be compromised if, for instance, just one employee falls victim to a phishing email.
The threat landscape is constantly changing. Implementing an employee-training program and being able to demonstrate that security should be a priority for all employees and is becoming increasingly important. Invest in regular training sessions and implement policies to reinforce the information shared.