5 Reasons SMBs Plan for the “IT Unthinkable” (and how your business can too)

Cyber security was the topic of choice at the Association for Corporate Growth – Minnesota's annual members luncheon

By Brian Martucci
Wednesday, October 28, 2015

The Association for Corporate Growth — Minnesota, a trade organization for “professionals involved in corporate growth, corporate development, and mergers and acquisitions for mid to large companies,” held its annual members’ luncheon at The Marquette Hotel’s Windows on Minnesota, on the IDS Center’s 50th floor, this month.

The topic du jour: data security, certainly a top concern for SMB owners and executives everywhere. ACG tapped three cybersecurity, legal and accounting professionals for the event’s expert panel:

  • Beau Hurtig, a Fredrikson & Byron shareholder whose purview includes cybersecurity and data protection
  • Jerry DeWees, an IT consultant and recently retired FBI Special Agent who spent 15 years spearheading forensic cybersecurity investigations with the Bureau’s Computer Analysis Response Team (CART)
  • Chad Nordstrom, a senior cybersecurity consultant with CliftonLarsonAllen’s Information Security Services Group

Guided by moderator Evan Berquist, a Minneapolis attorney who practices in the Corporate division at Fredrikson & Byron, P.A., the experts identified five reasons SMB leaders need to plan for the unthinkable: a hack, or data breach, that compromises their corporate IT assets and threatens sensitive information. They also offered some surprisingly simple tips to prevent, mitigate and clean up corporate IT messes.

  1. Ad Hoc “Fixes” Actually Make Things Worse
    After a hack, many SMB owners direct their teams (or try themselves) to address the breach’s visible symptoms and get things back to normal. According to DeWees, this understandable and well-intentioned impulse often makes things worse by obscuring the digital trail left by the hackers.

    “If we can’t figure out what happened after the fact, we can’t guarantee that the problem is solved or that you’re safe from danger,” he said.

    With a clearly articulated post-attack plan — and a trusted cybersecurity partner on standby — you don’t need to take matters into your own hands and potentially make things worse.

  2. Help Foil the Bad Guys
    Since so many hacks originate outside the United States, and many occur with the blessing of local governments, arrests and prosecutions are rare — particularly for smaller-scale attacks.

    But for larger, U.S.-based attacks, calling in the experts raises the likelihood of bringing at least some of those responsible to justice. Even when no one’s held responsible, post-attack plans that include reports to cybersecurity experts and/or law enforcement contribute to an increase in the good guys’ knowledge of what the bad guys are doing.

  3. Protect Your Company (and Team) from Retribution
    According to Nordstrom, the proverbial disgruntled employee represents a huge cybersecurity risk, even if they’re not an IT expert. All it takes is a terminated employee walking out the door with a physical storage device or passwords that haven’t yet been changed to cause serious, lasting damage. To mitigate this risk, Nordstrom recommends involving human resources in data security planning and ensuring that the separation process involves a systematic removal of data access privileges — beyond simply deactivating the employee’s building access card.

  4. Pay A Little Now to Save a Lot Later
    The tangible cost of a big data breach can be huge — a significant slice of any company’s revenue. Future costs are even scarier, particularly if hackers target your business to gain access to a larger, juicier client. (For instance, Target’s infamous 2013 data breach started at one of the company’s vendors; said vendor’s legal liability is incalculable, but potentially huge.) And the intangible cost of a lasting hit to your company’s reputation (see also: Target) might be scariest of all.

    Bottom line: In the event of a serious data breach, the $5,000 to $10,000 cost to call in a cybersecurity consultant and devise a plan is well worthwhile.

  5. Boost Corporate Value and Marketability
    According to Hurtig, most SMB owners view cybersecurity as a “sunk cost” that they’ll never recover. That might be true in the short term, but companies with comprehensive data protections — including legal indemnification in supplier contracts — tend to be more marketable, and may even fetch a premium when it comes time to sell.