Cybersecurity is critical to all businesses, especially small businesses. In order to understand cybersecurity, we’ll begin our Cybersecurity Basics with some definitions, why cybersecurity is relevant to small businesses, and a review of some of the legal requirements associated with data security and consumer privacy.
Cyberspace is the global interdependent network of information technology infrastructures, including the Internet, telecommunications networks and computer systems. Information Systems are a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of information. Cyberattacks target an enterprise's use of cyberspace for the purposes of disrupting, disabling, destroying and/or controlling data. Cybersecurity, then, is simply the ability to protect or defend the use of cyberspace from cyberattacks.
A whopping 44% of small businesses were the victims of a cyberattack in 2016. 36% of these cyberattack victims lost money at an average annual cost of $79,841. Nearly 60% of businesses fail within 6 months of a cyberattack. And 59% of small businesses have no contingency plan even though 66% of all cyberattacks target small or medium-sized businesses.
In short, every business is at risk for a cyberattack.
Cybersecurity Basics: Laws & Regulations
The following is a list of federal regulations governing data security and consumer privacy that affect small businesses. This information should not be used as a substitute for consultation with a legal advisor. Always consult legal professionals to ensure compliance with federal and state laws and regulations.
The relevant components of the broader regulations are summarized here:
- The Federal Trade Commission Act (FTCA) prohibits unfair or deceptive practices in relation to offline and online privacy and data security. The FTC has authority to charge companies that fail to protect consumer personal data, for example by leaving such data vulnerable to cyberattacks, altering privacy policies without providing notice, and/or failing to comply with posted privacy policies.
- Title V of the Gramm-Leach-Bliley Act (GLB) regulates the collection, use and disclosure of financial information. It requires written notice of privacy procedures, obtaining consent for using financial information (including opportunities to opt out), and the implementation of certain security programs. In short, it requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data. This act is also known as the Financial Services Modernization Act.
- The Health Insurance Portability and Accountability Act (HIPAA) sets standards for the collection and use of health information, and for protecting medical data and electronic transmissions. HIPAA requires notice of privacy practices. These regulations protect patient rights through the protection of individually identifiable health information, otherwise known as protected health information (PHI).
For a listing of state cybersecurity legislation, visit: National Conference of State Legislatures