Data breaches at big companies are big news, but you’re unlikely to hear about how common they are at the small businesses in your neighborhood. In fact, 44% of small businesses report being a victim of a data breach, according to a 2017 Bank of America Merchant Services survey of small businesses and consumers. And while data breaches may be bad for the big guys, they could be downright catastrophic for a small business that lacks the resources to respond to the breach and repair its reputation.
Despite the risk, many small businesses are behind the curve when it comes to defending against fraud and data theft. Only 33% of small businesses reported they had purchased security software, and only 25% believed they were in compliance with the Payment Card Industry Data Security Standard (PCI DSS), which sets the requirements for how a business accepts, processes and stores cardholder data. Nearly one in six admitted to having done nothing to protect their data.
The financial and reputational setbacks from a breach can be extensive—and some businesses may not survive the blow. Here’s a look at some of the costs of a breach, along with what small businesses can do to prevent one.
Financial and reputational costs
Among the small businesses Bank of America Merchant Services surveyed, 31% that experienced a customer data breach in the last two years spent more than $50,000 to resolve the issue. This cost includes fees paid to forensic investigators who determine the source of the breach, as well as legal counsel and public relations advisers to help repair reputational damage. Few small businesses are in a position to recover from a financial hit of that size.
What’s more, businesses that aren’t compliant with PCI Data Security Standards may face non-compliance fines, and may have to reimburse credit card companies for each compromised card the company must monitor or replace.
In addition to absorbing the direct costs of addressing a data breach, small businesses must contend with less tangible costs, such as lost business from wary customers. Consumers report that they are unlikely to trust small businesses that experience a data breach. Consider, too, that 20% of customers who had their banking or personal information stolen said they would no longer shop at the small business where the breach occurred. Protecting customers’ data is essential to building loyalty and avoiding the harmful effects of lost customers and brand damage.
Room to improve
Despite both the real and intangible costs of a data breach, many small businesses don’t put enough emphasis on proper security measures to protect customer data. Three-quarters of small businesses don’t feel that conducting regular security audits is critical. What’s more, about two-thirds don’t consider blocking insecure internet sites a priority, nor do they require employees to follow strict data security policies.
Yet some small businesses are starting to take note of the importance of protecting their customers’ data. Over the last two years, 45% of small businesses updated their point-of-sale hardware, including adding EMV chip card payment capabilities. A slightly smaller number of businesses (36%) invested in training employees to properly collect payment details from customers.
Shoring up data defenses
Merchants must make personal data security a priority to protect themselves and their customers, and to maintain consumer confidence. In particular, small businesses should make sure they comply with the PCI Data Security Standards. The standard itself is the same for every merchant, but how a merchant must validate compliance (for example, which self-assessment questionnaire applies) depends on how it processes card transactions and how much cardholder data its own systems touch. In general, businesses must have a secure network, protect stored cardholder data, and regularly maintain and monitor their systems.
In addition to adhering to the PCI Data Security Standards, small businesses should consider adding secure technology solutions, including EMV-capable credit card terminals, point-to-point encryption (P2PE) and tokenization.
EMV-capable terminals allow small businesses to accept chip cards, which are more secure than traditional magnetic stripe cards because the chip produces a one-time cryptogram for each transaction, so data copied from one transaction cannot be replayed. With P2PE, card data is encrypted inside the terminal’s secure hardware the moment the card is read, before it reaches the merchant’s point-of-sale software or network, and it stays encrypted until it arrives at the payment processor’s decryption environment. The merchant never holds the decryption keys, so a compromise of the merchant’s own systems yields only ciphertext.
Further steps to protect card information can be taken by using tokenization, which replaces the actual card number with a “token,” a surrogate value that the merchant stores in place of the card number and uses for accounting, refunds and recurring billing. The token is not derived from the card number and has no mathematical relationship to it; only the token provider’s vault can map it back to the real account. If a token is stolen, it contains no account information that bad actors can use.
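The following is an added illustration of the tokenization model described above; it is not code from Bank of America Merchant Services or any real token provider. `TokenVault` is a hypothetical token service provider whose mapping table is an in-memory dictionary here so the example runs offline (a production vault is encrypted and segregated from the merchant’s network). The card number used is the well-known Visa test number, a constructed input, not a real account. The example goes one step beyond the text: it shows why tokens are generated randomly rather than derived from the card number, why a token that carries the last four digits should be rejected if it happens to pass the Luhn check, and what an attacker reading the merchant’s own database would actually get.

```python
"""Added example: tokenization with a hypothetical token service provider."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check used for card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(number):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(raw_pan: str) -> str:
    """Strip the spaces and dashes people type and reject malformed input."""
    pan = raw_pan.replace(" ", "").replace("-", "")
    if not luhn_valid(pan):
        raise ValueError("not a well-formed card number")
    return pan


class TokenVault:
    """Hypothetical token service provider (assumption, not a real product).

    Production vaults keep this mapping encrypted at rest on a segregated
    network run by the payment processor; here it is a plain dict so the
    example runs stand-alone.
    """

    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def _new_token(self, pan: str) -> str:
        # Twelve random digits plus the card's last four, so receipts can say
        # "ending in 1111" without the merchant ever holding the card number.
        # The digits come from secrets, not from the PAN, so nothing about
        # the PAN can be computed from the token.  Candidates that pass the
        # Luhn check are rejected so a token can never be mistaken for (or
        # accepted as) a real card number, and collisions are retried.
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(12))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, raw_pan: str) -> str:
        pan = normalize_pan(raw_pan)
        if pan in self._pan_to_token:        # same card -> same token, which is
            return self._pan_to_token[pan]   # what recurring billing needs
        token = self._new_token(pan)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can do this; a stolen token on its own is useless."""
        return self._token_to_pan[token]


@dataclass
class Sale:
    """Everything the merchant's own system keeps about a payment."""
    token: str
    last4: str
    amount_cents: int


def record_sale(vault: TokenVault, raw_pan: str, amount_cents: int) -> Sale:
    token = vault.tokenize(raw_pan)
    return Sale(token=token, last4=token[-4:], amount_cents=amount_cents)


def merchant_db_exposes_pan(sales: list[Sale], raw_pan: str) -> bool:
    """Simulate an attacker dumping the merchant's database: is the PAN in it?"""
    dump = "\n".join(f"{s.token},{s.last4},{s.amount_cents}" for s in sales)
    return normalize_pan(raw_pan) in dump


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample input: the standard Visa test number, not a real card.
    sales = [record_sale(vault, "4111 1111 1111 1111", 1999),
             record_sale(vault, "4111-1111-1111-1111", 4500)]
    print(sales)
    print("merchant DB leaks PAN:", merchant_db_exposes_pan(sales, "4111111111111111"))
    print("vault can still refund to:", vault.detokenize(sales[0].token))
```

Two design choices are worth noting. The same card maps to the same token so the merchant can run refunds and subscriptions without re-collecting the card, which means the vault’s reverse index is itself sensitive and must be protected as carefully as the forward one. And because the token preserves the last four digits, a system that Luhn-checks its inputs would otherwise accept roughly one token in ten as a real card number; discarding those candidates keeps tokens and card numbers distinguishable.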
While adopting EMV is an important step, it is not a cure-all when it comes to protecting against fraud. EMV defends against counterfeit cards at the terminal; it does nothing for online (card-not-present) transactions, and it does not by itself stop card data from being stolen from a merchant’s systems. Small business owners should also train employees to inspect credit card terminals for skimming devices that can copy customer information. Employees should also be trained to gather complete payment details, such as the security code printed on the back of the card, which is particularly important for online transactions, where chip cards can’t be used. That code may be used only to authorize the transaction: PCI DSS prohibits storing it after authorization, even encrypted, so it must not be written into order notes, spreadsheets or call recordings. In addition, small businesses should adopt data security protocols such as strong password protection, blocking insecure websites and performing regular security audits.
With the proper data security precautions, small businesses can reduce the likelihood of a data breach and avoid the financial liabilities that come with one. That lets them get back to doing what they do best: building customer loyalty and growing sales.
Larry Brennan serves as the Senior Vice President of Merchant Data Security and Cybersecurity Director for Bank of America Merchant Services, responsible for ensuring that the company’s clients and associates are provided the tools and resources to prevent or react in the event of a data breach or cybersecurity attack.