Should I be concerned about data breaches with my small business?

We’ve all seen the headlines: another large corporation is hit by a hacker, compromising its customers’ sensitive information. Breaches at corporations like Equifax, HBO, Target, and Home Depot, all with enormous IT budgets, attract widespread attention and affect hundreds of thousands, if not millions, of users. Unfortunately, many small business owners mistakenly believe that only large companies face this growing digital threat.

A study in 2016 found that 43% of all cyber-attacks actually were targeted at small businesses. Even more alarming is that a staggering 60% of small businesses hit with a cyber-attack or data breach go out of business within six months.

One of the challenges in determining the true impact of a data breach is that a significant portion of the financial costs is hidden. Disclosed damages as a result of an attack are almost always less than the hidden damages. In an analysis titled “Beneath the Surface of a Cyber-attack,” professional services consultants Deloitte recently determined that up to 90% of a cyber-attack’s total costs were hidden. Deloitte claims that costs can accumulate for years after an attack or breach and often include hard-to-measure effects like:

  • Brand and reputational damage
  • Decreased confidence in the company’s ability to competently deliver products and services
  • Increased costs associated with debt financing

Because of factors like these, Deloitte claims that currently accepted financial estimates surrounding cyber-attacks and data breaches greatly understate the true cost.

To give you an idea of the overall impact to smaller organizations, the following industry-specific examples are based on claims data collected by the data breach insurance carrier RGS Limited and a 2016 small and medium-sized company data breach report published by the state of California.


Dental Practice – Patient records were stolen resulting in a total breach response cost of $33,000 including notifying each affected patient.

Restaurant – A breach of payment card information resulted in $24,000 of audit expenses and an additional $75,000 in fines and penalties from the credit card companies.

Travel Agency – A breach of private customer information ended up costing $27,000 in forensic audits, fines, and various legal expenses.

Retail Store – An undisclosed data breach resulted in a $39,000 fine after a $10,000 forensic audit exposed the cyber-attack.

Bowling Alley – A breach involving payment card information and personally identifiable customer details triggered a $60,000 fine from the credit card companies whose information was exposed.


On average, a small business data breach involves 9,850 records costing $51,000 in damages. Obtaining data breach insurance to cover these “above the surface” costs is recommended and a great first line of defense. In fact, most cyber liability and data breach insurance policies will pay for fines, forensic audits, notification costs, and legal costs.

But how do companies deal with the “below the surface” hidden costs that Deloitte estimates to be far more significant? Insurance won’t cover the impact on your reputation or the other hidden impacts of a data breach.

The best line of defense is to consult with a security expert and take some basic steps that all companies can use to protect themselves and their customers. To start, look at the following:

  • Password Policy – Employees are notorious for using weak or common passwords that are easy for thieves to hack. Educate your entire team on the importance of strong and regularly updated passwords. When possible, enable settings that force strong passwords by requiring a combination of upper and lowercase letters, numbers, and special characters. For even greater security, employ two-factor authentication in addition to your robust password policy.
  • Deploy a Firewall – Setting up a firewall is like surrounding your company network with layers of walls and checkpoints. Firewalls manage access to all incoming and outgoing data through fully customizable rule sets and logging.
  • Protect Company Email – Email is one of the most common ways for hackers to gain access to a company’s data. We’ve all received emails that sound too good to be true or ask us to click an unfamiliar link. Always run your business email through a reputable email provider like Microsoft’s Office 365. When properly configured, these email providers are capable of identifying and filtering out nearly all phishing attempts.
  • Virus Protection – Deploy reliable virus protection software on every computer system in your organization. Make sure that the virus software is updated frequently.
  • Patching – Make sure your computers, software, and other network devices are kept up to date with security patches. Software and hardware manufacturers work hard to fix the vulnerabilities in their products, but without updating, you can be left wide open to attack.

Unfortunately, cyber-attacks and data breaches are a real and costly threat that every small business owner must accept. And while cyber liability and data breach insurance is a protection that companies of all sizes need to have in place, it isn’t designed to be the only safeguard. By combining a robust security posture with a sound insurance policy, you’ll be well-equipped to respond to and overcome what 43% of all small business owners experience each and every year.

The information technology security team and Anderson ZurMuehlen Technology Services are trained and ready to help companies of all sizes improve their security footprint. From assessments and vulnerability scans to end-user training, AZTS can help protect you.

For a limited time, AZTS is offering a quick assessment of your current security preparedness. Please complete the following survey and an AZTS security expert will provide you with a quick assessment report you can use to plan your next steps.

Security Survey