When people think of cyber threats, data breaches and hackers stealing credit card and other personal information, it’s usually large, billion-dollar corporations like Anthem, Citibank and Target that are thought of as the, well, targets. But small businesses are just as vulnerable.
Those industry giants have been publicly and embarrassingly hacked, suffering a loss of reputation, angry clients (some of whom will sue) and potential fines and lawsuits. But the big boys aren’t the only targets. Daniel Solove, professor at the George Washington University Law School in Washington, D.C., said small businesses are also very vulnerable.
“Hackers know that there’s a better chance they can break in and go undetected,” said Solove, who has studied cybersecurity and operates TeachPrivacy, a small business that provides privacy and security training. “We don’t have as good data about small business breaches probably because many aren’t even aware they’ve been breached.
“It depends upon the goals of the hackers and the nature of the business. Not all personal information is equal to fraudsters,” he said. “Personal data about children is more valuable because the fraud is less likely to be detected for children. Personal data about health is also quite valuable. Some hackers are after Social Security numbers. Others want to obtain trade secrets or intellectual property. Still others are out just to wreak havoc or create mischief. Some are looking to do corporate espionage. What makes one a target thus depends upon the goals of the attackers.”
He said smaller businesses lack the resources that larger businesses have, so they might not have a dedicated full-time security person or security team or a privacy team. The lack of these personnel can expose small businesses to greater risks. The vast majority of data breaches and privacy violations are caused by human error, he said. “Good hackers don’t get in just through technical prowess – they break in by tricking people through phishing or social engineering,” he said. “There is also a risk from lost or stolen portable electronic devices. The more employees, the more risk.”
According to a recent survey by software security firm Symantec of 13,000 adults in 24 countries, average losses per cybercrime incident are $197.28 per record exposed. In the past year an estimated 556 million adults worldwide became cybercrime victims. And Symantec found that the largest growth area for targeted cyber attacks in 2012 was businesses with fewer than 250 employees, with 31 percent of all attacks directed at them.
The number of breaches grew by 62 percent in 2013, and eight breaches exposed more than 10 million people each. In 2013, 552 million identities were exposed through data breaches, more than double the 232 million exposed in 2011. Hackers stole birth dates, credit card data, e-mail addresses, financial information, home addresses, logins, medical records, passwords, phone numbers and Social Security and other government identification information.
George Washington University’s Solove urged businesses of all sizes to devote more resources to privacy and security and start by training their workforce. “Training reduces the largest source of risk. It is not a cure-all, but it does help reduce the most common and widespread risks,” he said. “Businesses should not just throw up their hands because the problems of data protection are quite large and difficult. Even if there’s not a cure-all, there is some low-hanging fruit that isn’t expensive to address. If businesses addressed the low-hanging fruit, they’d get enormous risk reduction.”
Stephen Cobb, senior security researcher for the cybersecurity solutions firm ESET North America based in San Diego, said his firm sees many examples of small companies getting hacked and information or money stolen. “Unlike traditional crimes when the criminals are geographically nearby, in cybercrime the perpetrators may be halfway around the world, so there are more potential criminals to steal from you,” Cobb said.
“There is a thriving global market in stolen information and the tools with which to steal that information are readily available around the world. That means that if I’m in Russia, China, Thailand or North Korea, I can go online and buy the crimeware needed to carry out various forms of cybercrime, whether that’s stealing bank credentials, getting wire transfers executed in the names of phone vendors using company accounts or stealing the personal information of employees or customers and selling that on the black market.”
Cobb advised businesses that can afford it to hire a trained consultant to understand their vulnerabilities and risks. He said there is a solid body of best practices for protecting organizations. The first step is to assess risks, then develop policies to address those risks, apply the kinds of controls that would reduce exposure and then test the effectiveness of those controls.
“Businesses need to be able to control their digital assets (information about finances, employee and customer personal information and other proprietary data) and have strong security policies in place to guide employees, management and new employees so everyone is on the same page,” he said. “Many small businesses have high turnover, and new employees along with long-time staff need to be regularly trained about opening e-mail attachments, taking company laptops or files home and accessing company information from their cell phones or tablets.”
He said that besides secure authentication (logins), encryption, antivirus, anti-malware and anti-phishing software, companies should have backup and recovery processes in place.
“It’s not sexy, but backup and recovery are the last lines of defense. If you’re backing up your system you can avoid being held hostage by ransomware or viruses that can take down your system.”
Cobb said many small businesses hire managed service providers who provide computers, software programs and protections and maintenance for a monthly service fee. “That can be a good option for many small businesses who can’t afford to do all of that for themselves,” he said.
He said small businesses should contact their local chambers of commerce, business associations and trade or professional groups for guidance.
Jason Weinstein, a Washington, D.C.-based attorney specializing in privacy and cybersecurity with the firm Steptoe & Johnson, said owners cannot assume that smaller business means smaller risk. Weinstein said while large corporations typically have greater cash flow and assets, many small businesses have hundreds of thousands of dollars, even millions, flowing through their coffers. But he said both large and small businesses need to take many of the same steps to prepare.
He said it’s very important for a business of any size to evaluate its insurance options as well as the risks it faces. Cyber insurance may be prohibitively expensive, but businesses should at least explore it.
Don’t overlook the legal risks of breaches
Weinstein said anytime private information is compromised, a company faces potential legal risks. He pointed out that class action attorneys quickly file for class status to initiate lawsuits after high-profile breaches. Banks or retailers will blame vendors when they are hacked and try to recoup their losses for any fraudulent charges that follow. He said there is also the risk of state or federal regulators taking actions. If the small business is a healthcare entity, it could be investigated by the U.S. Department of Health and Human Services (HHS) for potential privacy violations under the Health Insurance Portability and Accountability Act (HIPAA). Grocery stores could face actions from the Federal Trade Commission or the state attorney general.
He said each state has its own breach notification obligation that requires businesses to inform their customers of hacking. “And courts will also look at how well you protected that information.” Businesses must also look at third parties that they do business with – vendors, suppliers and even clients who may have access to their system – to ensure that they are also protected.
Ron Culler, founder and executive vice president of Greensboro, N.C.-based Secure Designs, Inc., said his firm specializes in serving the cyber security needs of small businesses, having installed more than 7,000 firewall appliances. Culler, who also serves as Secure Designs’ chief technology officer, said small businesses are often viewed by hackers as an easy entry point to larger corporations with which they do business. He pointed out that the large Target Stores data breach came through a heating and air conditioning vendor.
“Typically smaller businesses don’t have sophisticated systems, monitoring or diligence and hackers know that,” he said. “Those folks are busy running the business.”
Cyber thieves don’t sleep
Culler said small businesses should regard cyber security the same way they do physical security: alarms, locks, video surveillance systems and insurance to protect their business. “But when they get an Internet connection, it’s not local thieves that they must concern themselves with,” he said. “It’s like having an office everywhere.”
Culler urged small business owners to consider “The Internet of all insecure things” as a highway with many entrance and exit ramps and points of entry. “Now a network-enabled video system that you can connect to your iPad is a potential breach: if you can do it, somebody else can, too. If you can see it, they can see it, too, and may be checking to see if you’re there. Clicking onto wireless networks when you’re traveling could put you at risk. Your cash registers should only talk to your credit card processors. Companies should separate networks. It’s easily doable, and by separating that system from the rest of the systems in your workplace environment, you’re isolating and erecting a further barrier to hackers.”
Think of your hacking site as a crime scene
Steve Doty, managing director for the international security consulting, investigations and digital forensics firm Stroz Friedberg, said it’s critical for companies to develop an incident response plan before they’re hacked. He said breached firms need to preserve the state of the machine where the hack was discovered so investigators can capture what’s happening within the hard drive and its memory.
“It helps firms like ours to uncover clues to establish whether other machines have been compromised and what the hack looks like,” he explained. “Don’t reboot or run virus scans. Simply unplug the network cable to isolate the machine. In some large corporate breaches we even allow the attacker to continue and monitor what’s happening if we think it’s part of a larger crime enterprise.”
Larger businesses may consider consulting a public relations advisor “to manage their reputation and assist in media messaging.”
After a breach incident, Doty said businesses face post-incident triage remediation: how to put controls in place that hopefully will prevent this and other kinds of attacks. He said strong training in passwords and recognizing phishing scams are important in educating staff and preventing future incidents. “There are a number of free or low-cost techniques small businesses can use in assessing future threats from historic breaches to help protect themselves,” he said.
Top Ten Types of Information Breached in 2013
- Real names
- Birth dates
- Government IDs (SSN)
- Home Address
- Medical Records
- Phone Numbers
- Financial Information
- Email Addresses
- User Names and Passwords
- Insurance Information
Source: “Internet Security Threat Report 2014” (Symantec Corporation)