When people think of cyber threats, data breaches and hackers stealing credit card and other personal information, it’s usually large, billion-dollar corporations like Anthem, Citibank and Target that are thought of as the, well, targets. But small businesses are just as vulnerable.
Those industry giants have been publicly and embarrassingly hacked, suffering loss of reputation, angry clients, some of whom will sue, and potential fines and lawsuits. But the big boys aren’t the only targets. Daniel Solove, a professor at the George Washington University Law School in Washington, D.C., said small businesses are also very vulnerable.
“Hackers know that there’s a better chance they can break in and go undetected,” said Solove, who has studied cybersecurity and operates TeachPrivacy, a small business that provides privacy and security training. “We don’t have as good data about small business breaches probably because many aren’t even aware they’ve been breached.
“It depends upon the goals of the hackers and the nature of the business. Not all personal information is equal to fraudsters,” he said. “Personal data about children is more valuable because the fraud is less likely to be detected for children. Personal data about health is also quite valuable. Some hackers are after Social Security numbers. Others want to obtain trade secrets or intellectual property. Still others are out just to wreak havoc or create mischief. Some are looking to do corporate espionage. What makes one a target thus depends upon the goals of the attackers.”
He said smaller businesses lack the resources that larger businesses have, so they might not have a dedicated full-time security person or security team or a privacy team. The lack of these personnel can expose small businesses to greater risks. The vast majority of data breaches and privacy violations are caused by human error, he said. “Good hackers don’t get in just through technical prowess – they break in by tricking people through phishing or social engineering,” he said. “There is also a risk from lost or stolen portable electronic devices. The more employees, the more risk.”
According to a recent Symantec survey of 13,000 adults in 24 countries, cybercrime losses average $197.28 per record exposed, and an estimated 556 million adults worldwide became cybercrime victims in the past year. Symantec also found that the fastest-growing category of targeted attacks in 2012 was businesses with fewer than 250 employees, which received 31 percent of all such attacks.
The number of breaches grew by 62 percent in 2013, and eight breaches exposed more than 10 million people each. In 2013, 552 million identities were exposed through data breaches, more than double the 232 million exposed in 2011. Hackers stole birth dates, credit card data, email addresses, financial information, home addresses, logins, medical records, passwords, phone numbers and Social Security and other government identification information.
George Washington’s Solove urged businesses of all sizes to devote more resources to privacy and security and to start by training their workforce. “Training reduces the largest source of risk. It is not a cure-all, but it does help reduce the most common and widespread risks,” he said. “Businesses should not just throw up their hands because the problems of data protection are quite large and difficult. Even if there’s not a cure-all, there is some low-hanging fruit that isn’t expensive to address. If businesses addressed the low-hanging fruit, they’d get enormous risk reduction.”
Stephen Cobb, senior security researcher for the San Diego-based cybersecurity firm ESET North America, said his firm sees many examples of small companies getting hacked and having information or money stolen. “Unlike traditional crimes, where the criminals are geographically nearby, in cybercrime the perpetrators may be halfway around the world, so there are more potential criminals to steal from you,” Cobb said.
“There is a thriving global market in stolen information, and the tools with which to steal that information are readily available around the world. That means that if I’m in Russia, China, Thailand or North Korea, I can go online and buy the crimeware needed to carry out various forms of cybercrime, whether that’s stealing bank credentials, getting wire transfers executed in the names of phony vendors using company accounts or stealing the personal information of employees or customers and selling that on the black market.”
Cobb advised businesses that can afford it to hire a trained consultant to understand their vulnerabilities and risks. He said there is a solid body of best practices for protecting organizations. The first step is to assess risks, then develop policies to address those risks, apply the kinds of controls that would reduce exposure and then test the effectiveness of those controls.
“Businesses need to be able to control their digital assets (information about finances, employee and customer personal information and other proprietary data) and have strong security policies in place to guide employees, management and new employees so everyone is on the same page,” he said. “Many small businesses have high turnover, and new employees along with long-time staff need to be regularly trained about opening email attachments, taking company laptops or files home and accessing company information from their cell phones or tablets.”
He said that, besides secure authentication (logins), encryption, and antivirus, anti-malware and anti-phishing software, companies should have backup and recovery processes in place.
“It’s not sexy, but backup and recovery are the last lines of defense. If you’re backing up your system you can avoid being held hostage by ransomware or viruses that can take down your system.”
Cobb said many small businesses hire managed service providers, which supply computers, software, protections and maintenance for a monthly service fee. “That can be a good option for many small businesses that can’t afford to do all of that for themselves,” he said.
He said small businesses should contact their local chambers of commerce, business associations and trade or professional groups for guidance.
Jason Weinstein, a Washington, D.C.-based attorney specializing in privacy and cybersecurity with the firm Steptoe & Johnson, said owners cannot assume that a smaller business means smaller risk. Weinstein said that while large corporations typically have greater cash flow and assets, many small businesses have hundreds of thousands of dollars, even millions, flowing through their coffers. But he said both large and small businesses need to take many of the same steps to prepare.
He said it is very important for a business of any size to evaluate its insurance options as well as the risks it faces. Cyber insurance may be prohibitively expensive, but businesses should at least explore it.
Don’t overlook the legal risks of breaches
Weinstein said that anytime private information is compromised, a company faces potential legal risks. He pointed out that class action attorneys quickly file for class status to initiate lawsuits after high-profile breaches. Banks or retailers will blame vendors when they are hacked and try to recoup their losses for any fraudulent charges that follow. He said there is also the risk of state or federal regulators taking action. If the small business is a healthcare entity, it could be investigated by the U.S. Department of Health and Human Services (HHS) for potential privacy violations under the Health Insurance Portability and Accountability Act (HIPAA). Grocery stores could face actions from the Federal Trade Commission or the state attorney general.
He said each state has its own breach notification law requiring businesses to inform their customers of hacking. “And courts will also look at how well you protected that information.” Businesses must also look at the third parties they do business with – vendors, suppliers and even clients who may have access to their systems – to ensure that they are also protected.
Ron Culler, founder and executive vice president of Greensboro, N.C.-based Secure Designs, Inc., said his firm specializes in serving the cybersecurity needs of small businesses and has installed more than 7,000 firewall appliances. Culler, who also serves as Secure Designs’ chief technology officer, said hackers often view small businesses as an easy entry point into the larger corporations they do business with. He pointed out that the large Target Stores data breach came through a heating and air conditioning vendor.
“Typically smaller businesses don’t have sophisticated systems, monitoring or diligence and hackers know that,” he said. “Those folks are busy running the business.”
Cyber thieves don’t sleep
Culler said small businesses should regard cyber security the same way they do physical security: alarms, locks, video surveillance systems and insurance to protect their business. “But when they get an Internet connection, it’s not local thieves that they must concern themselves with,” he said. “It’s like having an office everywhere.”
Culler urged small business owners to consider “The Internet of all insecure things” as a highway with many entrance and exit ramps and points of entry. “Now a network-enabled video system that you can connect to your iPad is a potential breach: if you can do it, somebody else can, too. If you can see it, they can see it, too, and may be checking to see if you’re there. Clicking onto wireless networks when you’re traveling could put you at risk. Your cash registers should only talk to your credit card processors. Companies should separate networks. It’s easily doable, and by separating that system from the rest of the systems in your workplace environment, you’re isolating and erecting a further barrier to hackers.”
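The segmentation rule Culler describes is only worth something if it is enforced and checked. The following added example, not code from the article or from Secure Designs, runs that rule as an allow-list over flow-log lines: any connection from the cash-register subnet to anything other than the card processor is flagged. The subnet, the processor addresses (drawn from the 203.0.113.0/24 documentation range), the port and the log format are all assumptions, and the sample log lines are constructed.

```python
"""Allow-list check for point-of-sale traffic.

Flags any flow from the register subnet that does not go to the card
processor, i.e. a violation of "registers talk only to the processor".
Addresses, port and log format are assumptions for the example.
"""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Assumed addressing for the example network.
POS_SUBNET = ipaddress.ip_network("10.10.50.0/24")  # cash registers
# Card-processor endpoints (documentation range used as a stand-in).
PROCESSOR_ALLOW = {("203.0.113.10", 443), ("203.0.113.11", 443)}


def parse_flow(line):
    """Parse one constructed flow-log line such as
    'src=10.10.50.12 dst=203.0.113.10 dport=443'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]))


def is_violation(flow):
    """True if a register reached anything other than the processor."""
    if ipaddress.ip_address(flow.src) not in POS_SUBNET:
        return False  # not a register; other segments are out of scope here
    return (flow.dst, flow.dport) not in PROCESSOR_ALLOW


def find_violations(lines):
    """Return the offending flows from an iterable of log lines."""
    return [flow for flow in map(parse_flow, lines) if is_violation(flow)]


# Constructed sample log: two legitimate processor calls, a register pulling
# files from the office server, a register browsing the web, and an office PC
# outside the POS segment that the check ignores.
SAMPLE_LOG = [
    "src=10.10.50.12 dst=203.0.113.10 dport=443",
    "src=10.10.50.13 dst=203.0.113.11 dport=443",
    "src=10.10.50.12 dst=10.10.20.5 dport=445",
    "src=10.10.50.14 dst=198.51.100.7 dport=80",
    "src=10.10.20.9 dst=198.51.100.7 dport=80",
]

if __name__ == "__main__":
    for flow in find_violations(SAMPLE_LOG):
        print(f"VIOLATION {flow.src} -> {flow.dst}:{flow.dport}")
```

The same allow-list is what the firewall between the register segment and everything else should enforce; running it over the logs tells you whether the firewall rule actually holds, and a register reaching the office file server or the open internet is exactly the path an attacker would use to pivot in or out.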
Treat the hacked machine as a crime scene
Steve Doty, managing director of the international security consulting, investigations and digital forensics firm Stroz Friedberg, said it is critical for companies to develop an incident response plan before they are hacked. Breached firms, he said, need to preserve the state of the machine where the hack was discovered so investigators can capture what is on the hard drive and in its memory.
“It helps firms like ours to uncover clues to establish whether other machines have been compromised and what the hack looks like,” he explained. “Don’t reboot or run virus scans. Simply unplug the network cable to isolate the machine. In some large corporate breaches we even allow the attacker to continue and monitor what’s happening if we think it’s part of a larger crime enterprise.”
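Preserving the machine is only half of the job; the artefacts taken from it (a memory capture, a disk image, log exports) have to be shown to be unaltered between collection and analysis. The following added example, which is not Stroz Friedberg's procedure or code from the article, hashes every collected file into a manifest that records who collected it and when, then re-verifies the files before analysis so that any alteration or missing file is detected. The file names, contents and collector address are constructed for the demonstration.

```python
"""Evidence-integrity manifest for artefacts preserved from a hacked machine.

After a memory dump or disk image has been collected, hash every artefact
into a manifest, then re-verify before analysis so that tampering or loss
is detectable. File names, contents and collector are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large disk images fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Hash every file under evidence_dir and record who collected it and when."""
    entries = []
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "files": entries,
    }


def verify_manifest(evidence_dir, manifest):
    """Return (path, problem) pairs; an empty list means the evidence is intact."""
    problems = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["path"])
        if not os.path.isfile(path):
            problems.append((entry["path"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["path"], "hash mismatch"))
    return problems


def demo():
    """Build a manifest over constructed artefacts, then tamper with them."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed stand-ins for a memory dump and a disk image.
        for name, payload in (("memory.raw", b"\x00" * 4096), ("disk.dd", b"\xff" * 8192)):
            with open(os.path.join(evidence_dir, name), "wb") as fh:
                fh.write(payload)
        manifest = build_manifest(evidence_dir, "analyst@example.com")  # assumed collector
        clean = verify_manifest(evidence_dir, manifest)
        # Simulate someone "taking a quick look" at the dump and losing the image.
        with open(os.path.join(evidence_dir, "memory.raw"), "ab") as fh:
            fh.write(b"\x01")
        os.remove(os.path.join(evidence_dir, "disk.dd"))
        tampered = verify_manifest(evidence_dir, manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Keep the manifest, and a hash of the manifest itself, outside the evidence directory and outside the control of whoever handles the files, otherwise an edit to the evidence can be hidden by editing the manifest alongside it. Memory must be captured before the machine is powered off, which is why Doty's advice is to isolate it by pulling the network cable rather than rebooting.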
Larger businesses may consider consulting a public relations advisor “to manage their reputation and assist in media messaging.”
After a breach, Doty said, businesses face post-incident triage and remediation: putting controls in place that, they hope, will prevent this and other kinds of attacks. He said thorough training on passwords and on recognizing phishing scams is important in educating staff and preventing future incidents. “There are a number of free or low-cost techniques small businesses can use in assessing future threats from historic breaches to help protect themselves,” he said.
Top Ten Types of Information Breached in 2013
- Real names
- Birth dates
- Government IDs (SSN)
- Home addresses
- Medical records
- Phone numbers
- Financial information
- Email addresses
- User names and passwords
Information Source: “Internet Security Threat Report 2014” (Symantec Corporation)