Every year, Deloitte publishes its Tech Trends report, which highlights trends from the last 12 months and issues recommendations for technology professionals in the year ahead. The 2013 Tech Trends report (published last month), like those from other years, focuses attention primarily on large IT enterprises and IT departments in large companies.
While the trends the report highlights are relevant to technology freelancers and small-business owners, owners of smaller IT businesses need to take into account that they face liability from their clients' networks as well as their own. This guide summarizes key cyber security threats from the “No Such Thing as Hacker-Proof” section of the report and outlines three strategies IT service providers can implement for their small-business clients to avoid the latest IT threats and help their clients maintain healthy infrastructure in the coming year.
Where Does Cyber Risk Come from for Small IT Businesses?
Independent contractors, freelancers, and business owners in the IT sector can face serious financial consequences from data breaches, just like everyone else.
But their primary risk comes not from having their own network breached (most small IT shops have too few clients for their own exposure from a data breach to be significant) but from having one of their clients’ networks breached. That’s because, as a technology professional who contributed to a client’s network or security systems, their work could be blamed for enabling or failing to prevent a data breach.
And when a costly data breach hits a business without adequate liability insurance, that business will likely attempt to recover its losses by suing any parties it can reasonably accuse of contributing to the breach.
Because of this exposure, it is in the best interest of IT freelancers, contractors, and small-business owners to help minimize their clients’ exposure to data breaches. Read on for the major ways your clients are exposed to breaches and specific steps you can take to reduce that exposure.
Deloitte: Biggest Threats for Technology Businesses in 2013 – 2014
The Tech Trends 2013 report found that, among the cyber threats that have exposed technology businesses to risk in the past, the most significant threats of the last 12 months include…
- Undersized security budgets. IT departments at large businesses are consistently under-budgeting for risk prevention and security maintenance. Perhaps the most telling evidence of this, according to the report, is that companies that experience hacking or data breach events consistently spend more on response to and recovery from the incident than they did on prevention measures. Freelancers and independent contractors working on projects for larger firms can be burned by this oversight if and when a data breach occurs. In that instance, the affected company may sue any parties who were involved in the system that was breached – and fighting a lawsuit is a major expense regardless of its ultimate outcome.
- Risk management focused on generic threats rather than those specific to a business’s products or services. Understanding a business’s specific exposures and vulnerabilities requires in-depth analysis of its information assets, the value of those assets, and the type of criminal most likely interested in accessing them. Because this process takes time and money, though, many businesses skip it and opt for security measures that address more generic threats. In addition to leaving businesses exposed to serious threats, this approach can engender a false sense of security and lead to complacency in risk management.
- Small businesses as primary targets for cybercrimes. Many small-business owners still operate under the misconception that they are not attractive targets to cyber criminals because of their limited resources. But 2013 proved that this was not the case. Verizon Enterprise’s 2013 Data Breach Investigations Report found that, in reality, data breaches at small businesses are common and are much more likely than those at large businesses to involve hacking (72% vs. 40% of incidents). IT professionals who serve smaller clientele could suffer from their clients’ lack of awareness about their viability as targets.
3 Risk Management Strategies for Small IT Businesses
To minimize the risk exposure they face from the three primary threats outlined above, small technology businesses (including freelancers and independent contractors) can implement the following strategies:
- Encourage small clients to increase budget allocations for preventive measures such as antivirus software, regular software updates, employee education, and Cyber Liability Insurance. If you’re working with small-business clients, tell them that the average data breach in 2012 cost $188 per exposed record (that is, $18,800 if 100 records are exposed and $188,000 if a thousand records are leaked). Mention that following basic security protocols can minimize their risk of a data breach and that Cyber Liability Insurance can cover the costs of recovering from a breach when one happens. If you’re contracting for a larger technology company, make sure your Errors and Omissions Insurance is up to date so you’re prepared to fund a data breach-related lawsuit, should one arise.
- Help smaller clients conduct a risk audit and build a data security plan around the specific exposures their businesses face. While you may not be able to do much about the risk management measures taken by larger IT firms you contract with, you can have an impact on data security for your smaller clients. Boost their confidence in the value of their risk management dollars by helping them map out a strategy that actually applies to the work they do and the risks they face. Showing them the specific ways their business is exposed and how they can minimize those exposures will help them understand the value of their investment in data security.
- Keep clients in the loop about cyber risks to small businesses. Subscribe to major industry publications like Verizon’s Data Breach Investigations Report, Symantec’s Cost of a Data Breach study, and blogs like Krebs on Security, which publish the latest numbers and trends around data breaches. This lets you alert your smaller clients to significant breaches and trends, answer their questions about data breaches, and establish yourself as a trusted expert in the realm of data security.