It’s hard to overestimate the role small businesses play in the American economy:
- Businesses with fewer than 5 employees account for 62% of all businesses in the U.S.
- More than half of all Americans own or work for a small business.
- Small businesses are responsible for two-thirds of all new jobs created each year.
When you look at the magnitude of their economic impact, it would be easy to assume that small businesses know exactly what they’re doing and would be the obvious place to seek out business advice and best practices; however, the truth is more complicated than that.
Small businesses power the economy despite lacking the resources of larger organizations:
- 77% of small businesses rely on the owner’s personal savings for their original funding.
- Only 40% of small businesses are profitable.
- The vast majority of businesses that fail, do so because of cash flow problems.
Employees of small businesses wear many hats, starting at the top. The owners or leaders of small businesses are typically responsible for three or more of the following functions: operations, finance, sales, marketing, HR, customer service, product development, or IT.
When you look at it that way, it’s not hard to understand why many small businesses regard digital policies – if they think about them at all – as something they’ll get to “someday.” But that’s very unwise, especially considering that very few small businesses have the resources to survive the fallout from a crisis involving their online activity.
Owning a small business myself, I understand what it’s like to have to make choices about where to spend your resources. I certainly wouldn’t give you the same advice I give my global clients. Instead, I’ve narrowed digital policy development down to five things you absolutely must do to protect your business, your employees, and your customers.
Know which Privacy Regulations you’re Required to Meet
Laws and regulations regarding online privacy vary by country, state, and even industry – as do the penalties, which tend to be significant. Here are a few examples:
The General Data Privacy Regulation (GDPR)
The GDPR is an EU law that went into effect in May of 2018. It seeks to protect the private data of EU citizens by addressing how companies collect and use data, as well as the security of how that data is stored.
What many U.S. companies don’t realize is that jurisdiction is determined by the citizenship of the individual, not the physical location of the company. Thus, any American business that collects, processes, or stores data on customers with EU citizenship is obligated to comply with GDPR requirements.
The California Consumer Privacy Act (CCPA)
The California legislature passed the CCPA in June of 2018, shortly after the GDPR went into effect. It’s quite similar in its bias toward consumer privacy and its potential impact on businesses. And, like the GDPR extends beyond the EU’s boundaries, the CCPA extends beyond California’s state lines. As a result, you can’t assume you get a free pass just because you’re not physically located in California.
However, while there are many similarities between the two laws, there are also a number of technical differences. Resources like IAPP (The International Association of Privacy Professionals) provides up to date news and publications that can help businesses achieve compliance with privacy regulations.
Brazil General Data Protection Law (LGPD)
The LGPD is Brazil’s data protection law, which will go into effect in 2020. The LGPD isn’t quite as comprehensive as the GDPR, but it does put similar emphasis on the concept that individuals, not businesses, own their data. It details both compliance requirements as well as penalties for noncompliance.
More companies are passing their own digital privacy laws all the time. In addition, certain industries, like finance and pharmaceuticals, have their own regulatory requirements.
Make a List of Action Steps
Once you’ve identified the laws and regulations that apply to you, make a list of all of the requirements. I recommend creating a spreadsheet that documents which laws/regulations apply to you, which countries they apply in, and what you need to do to become compliant.
One tip I like to share with my clients is to prioritize actions that satisfy more than one requirement at a time. (For example, both Russia and China prohibit transferring their citizens’ information outside of national borders, so deciding whether and how to establish a local service hub in those countries would take care of two things at once.)
Identify Priorities
If you’re starting from scratch, it would be almost impossible to do everything at once. The best strategy is to prioritize policy development based on:
- Your level of activity in a particular country, industry, etc.
- The current legal environment surrounding that policy: Is the government aggressively enforcing compliance? Are consumers filing class action lawsuits? In other words, how likely is it that your noncompliance will come to light?
- What are the penalties for noncompliance? If you do get caught, can you withstand the repercussions? Or would you be at risk of going out of business?
Assign Responsibility
Once you’ve prioritized the policies you need to address first, assign responsibility and a deadline by which you’ll follow up.
Secure you Fort from The Barbarians at The Door
Think you’re too small to be hacked? Unfortunately, you’re wrong: 43% of cyber-attacks target small businesses. And it’s a bigger deal than you might think:
- 60% of small businesses shut their doors within 6 months of a cyber-attack.
- Cyber attacks cost these companies almost $900M in damages or theft of IT assets.
- Small businesses lost nearly $1M due to the disruption of normal operations.
Despite plenty of statistics that prove the barbarians are indeed at the door, barely half of small businesses dedicate budget resources to risk mitigation. But increasing your security would probably cost less than you think, and it would certainly cost less than a major breach.
Here are some effective, relatively low-cost steps you can take right now:
- Develop strict policies for internal security. A whopping 87% of small business have no data security policies for their employees.
- Many small businesses don’t have an employee password policy that addresses components of a secure password like the frequency that a password should be changed, the importance of not writing it down or sharing it with anyone.
- Astonishingly, of those employers who do have a password policy, only 35% strictly enforce it.
- Only 31% install regular software upgrades.
- Only 22% encrypt their databases.
Common practices like bring-your-own-device (BYOD) don’t help. And then you have “low-tech” risks, like not restricting physical access to servers that store sensitive information.
This is also an easy and relatively cheap problem to fix. There are plenty of online resources for best-practices regarding employee data security. Find the ones that make the most sense for your company, document them in a digital policy (including the consequences for not following the policy), and implement it. If employees don’t take the policy seriously at first, you may have to consistently enforce the consequences until they do.
Outsource the Big Stuff
One reason cybercriminals target small businesses is that they know how expensive top IT talent is – and they know that few small businesses can afford it. Fortunately, there are plenty of security-as-a-service firms that can afford top talent, so outsourcing to them is a smart choice for small businesses. Some functions that are smart to outsource include:
- Website hosting
- Payment processing
- Data processing and storage
- Vulnerability testing
- Breach monitoring and mitigation
If you do decide to outsource, your policies should address not only which functions you’ll outsource but also how you’ll select and vet security providers. Complying with Payment Card Industry Data Security Standards (PCI-DSS) is a must-have. Don’t even consider working with a security firm that can’t provide proof of compliance. Other factors to consider include: their policies and process for ensuring that employees are aware of evolving threats, familiarity with your IT systems, and familiarity with the industry and market your business serves.
Additionally, breach reporting requirements can vary significantly, and you want a security partner who knows the requirements for your particular niche.
Your policy should also stipulate that contracts be reviewed periodically based on objective performance metrics. Remember, outsourcing digital security doesn’t mean you don’t need policies; it just means you need different policies than an organization that handles security in-house.
Protect Intellectual Property
Whether it’s an award-winning marketing campaign or the formula for a ground-breaking medical treatment, protect your intellectual property online as diligently as you do your tangible capital investments. Some companies have invested millions in software programs only to find pirated copies being sold overseas. Others have found key sections of coding incorporated in another company’s product.
Regardless of the specifics, theft of intellectual property can be quantified in terms of lost sales as well as in the amount of money it takes to rectify the situation. In a global market with a hodge-podge of laws and enforcement efforts, copyright infringement and theft of intellectual property is complex and expensive.
It’s much more efficient and cost-effective to protect your intellectual property on the front end, before it’s been stolen or pirated. Protecting it with a copyright or trademark from the beginning can save you a lot of expense and hassle down the road.
On another note – be vigorous when it comes to respecting other organizations’ intellectual property. Doing otherwise can get you in serious legal trouble and damage your brand’s reputation beyond repair.
Start Working on Accessibility
Failing to meet accessibility requirements is perhaps the biggest unknown risk in today’s digital landscape.
“Accessibility” refers to whether and how well your site is designed to accommodate users with challenges in sight, hearing, mobility, etc. While most American businesses are familiar with the Americans with Disabilities Act (ADA), many don’t realize that courts have ruled that it applies to digital spaces as well as to physical ones. The same is true in many jurisdictions around the world.
In fact, the number of lawsuits filed against businesses whose websites aren’t accessible has skyrocketed over the last few years. Not only is defending such a lawsuit expensive, there are other costs as well. About one in five Americans has some type of disability, and they have a combined disposable income of $645B per year. Add in their friends and family, and you have another 105 million people who probably won’t do business with you anymore.
In other words, we’re talking about a huge market segment. Do you really want your website to broadcast a “You’re not welcome here” message?
Steps Toward Accessibility
One of the most important things you can do is add an accessibility statement to your website. The point is not to claim accessibility you haven’t achieved, but to make a good-faith statement describing your awareness of the problem and your commitment to fixing it.
Aside from adding an accessibility statement, there are a number of steps involved in achieving accessibility compliance. You can start by doing things like:
- Adding captions to videos.
- Adding descriptive alt-tags to images.
- Using high-contrast text on light backgrounds.
- Providing a number for people to call if they’re having problems using your website.
Keep Digital-Channels Up to Date
The internet can change in the blink of an eye. Your customers can abandon one channel for another. Things that were considered trend-worthy one day can be deemed offensive overnight.
And then there are the digital channels themselves, which change Terms of Service in response to new legislation. In addition, digital channels change login and other security protocols in response to a breach.
One of the security products you may use might send out an important patch – a software update to fix a specific security flaw. But if that patch winds up at the bottom of everyone’s to-do list, it could pose a much bigger threat than most people realize. The Equifax breach provides a perfect example. They knew about the vulnerability, and they knew a patch was available — they just didn’t apply it.
That being said, many organizations have such a myriad of software products that it’s almost impossible to keep up. And, in one study, 65% of respondents said they had a hard time prioritizing what to patch first. The time required to implement the patches – particularly for a small business with employees inexperienced in cybersecurity precautions – adds to the cost and inconvenience.
The best way to address the issue is through digital policies. A policy that establishes a time table for reviewing channels and establishes triggers for taking action helps keep small problems from accumulating into an insurmountable mess. For organizations that do find themselves in such a mess, digital policies help avoid debates over how to fix the problem. When a policy tells employees what to do and the order in which to do it, you reduce the risk of a time-wasting debate – ensuring the most important priorities are handled first.
Conclusion
Small businesses have a zillion things to do and limited resources with which to do them. The tips I shared here are only a small subset of the digital policies I work on with my global clients, but they’re both the bare minimum and an achievable goal for most small businesses. In other words, almost everybody can afford to do them, and the survival of your business is at serious risk if you don’t.
