Is your company’s data adequately protected? The answer is likely no. That’s the finding of two recent studies, and if you’re a small business owner, it’s a matter that needs your attention … immediately.

The first study, conducted by the password manager firm Keeper Security, found that 60 percent of the small business owners they asked admitted they do not have a cyber attack prevention plan, with two out of three respondents believing that a cyber attack is “unlikely.”

That’s just wrong. In reality, according to that same study, 67 percent of small and medium-size companies experienced a cyber attack in the last year alone. Research from another study released last week by IBM showed that the cost of a data breach has risen 12% over the last five years and now averages $3.92 million per business.

Data security is a big, expensive issue and yet not enough small business owners seem to be paying attention. The issue has become so significant that a new bill — the Small Business Cybersecurity Assistance Act — was introduced last month in the Senate and aims to authorize the country’s Small Business Development Centers to work with the Department of Homeland Security to “provide consulting to small businesses on how to strengthen their cybersecurity protocols.” New materials and education programs are also part of the proposed legislation.

Whether or not such a bill gets passed shouldn’t matter if you’re running a small business. You need to take data security seriously because if you don’t, you could be facing not only a potentially significant disruption in your business but also lawsuits from your customers or others if they (or their attorneys) believe that you were negligent.

“Thinking about how to respond to a cyber-event after it happens is a poor strategy,” says Tim Francis, a vice president specializing in cyber insurance at Travelers Insurance. “Business owners need to consider cyber-attacks just as they would any other risk -- like fire, theft, or severe weather -- and plan for it as part of their business continuity strategy.”

So what's the best defense? It’s not just one thing. It’s many.

For starters, you need to make sure you’ve got good security software installed on your network, such as Malwarebytes, Webroot, or ESET Endpoint Protection, as well as a good firewall appliance from companies like SonicWall or Cisco. Setting up this stuff isn’t as easy as you think, which is why most of my clients hire a technology firm to do these things and perform other important data protection services.

“A good firm will follow industry best practices when handling data for their clients,” says Anthony Mongeluzo, president of PCS, a technology services firm based in Moorestown. “Many of our clients -- particularly larger organizations -- will give companies like ours a set of standards for security policy, auditing, monitoring, and maintenance. But for all of our clients, our team watches their networks 24/7 and stays attuned to any hacker trends that we spot, which might indicate a new approach that they’re using to compromise our clients’ data.”

Training is also important, according to Mongeluzo. He says that fake emails are by far the most likely way that an intruder will gain access to a network. Michael McCully, who owns Red Arrow Technologies in Eatontown, N.J., agrees. “Employees are more often than not the reason why networks get attacked or viruses come into the network,” McCully says. “Strong passwords and password expiration guidelines are a must. We also set up file and folder level access based on the most restrictive and least permissive access rights.”

Both Mongeluzo and McCully recommend using software tools like KnowBe4 to simulate potential email “phishing” scams. “It is the number-one way to protect yourself,” Mongeluzo says. “The other advice is to constantly remind your team that vigilance is permanent, and not just after a pep talk or when you’ve returned from a conference.”

These kinds of software and services aren’t cheap. The technology firms I interviewed say they charge their clients anywhere from a few hundred to thousands of dollars a month for protecting their data, all dependent on the company’s size, configuration, and requirements. But then again, who can put a price on protecting one’s data?

Even with all these precautions, breaches still occur, which is why every small business should have a technology services firm perform a cyber “audit” at least annually to help determine if there are any vulnerabilities. Most companies I know will do this either for free or as part of their ongoing services agreement, especially if you’re committed to a longer-term relationship.

Finally, and considering all the risks, every small business needs to make sure there’s some type of cyber insurance in place. That’s because many of the agreements with the cloud-based providers that are hosting data put the onus of liability back on their customers, especially if any breach was caused by lack of training, software, or due diligence on the customer side.

“A lot of companies assume that they have cyber coverage through a different insurance policy, and that is often not the case,” Travelers’ Francis says. “A single breach can result in significant costs, and the damage is not limited just to lost data. It can also extend to loss of customer confidence, financial harm, legal challenges, and business interruption.”