Every day, it seems another security breach makes headline news. The victim list for the first few months of this year alone includes such big business names as Apple, Twitter, Facebook, Microsoft, Burger King, Jeep and The New York Times. The Federal Government is a target. Schools, hospitals and newspapers are on the list. Smaller businesses are, too – in large numbers.
Although the large companies make the headlines, small businesses represent a large percentage of data breach incidents investigated. According to the Verizon 2013 Data Breach Investigations Report (DBIR), organizations with fewer than 100 employees comprised 31% of data breach incidents investigated in 2012.¹
Our society’s growing dependence on the Internet has made us increasingly vulnerable to cyber attacks. Hackers are finding ever more sophisticated ways to disrupt online service, access money and steal sensitive business and customer information. Sometimes their targets don’t realize that they’ve been victimized until much later, if ever.
“Everyone is at risk,” said Richard Hale, one of the Pentagon’s top cyber security officials. “Every business that is hooked to the Internet is vulnerable. It’s like gravity; the threat is all around us.”
A Big Risk for Business
But why, you might ask, would a hacker target smaller businesses? Simply stated, because it’s easier. Owners of smaller businesses often don’t have the resources or the technical know-how to combat data security threats. And since attacks on smaller businesses often don’t make headlines, some business owners may believe they’re immune.
It couldn’t be further from the truth. The 2012 DBIR reported that smaller organizations were the more successful target in most types of data theft activities.
“Attacks can be carried out against large numbers in a surprisingly short timeframe with little to no resistance,” the report says. “Smaller businesses are the ideal target for such raids, and money-driven, risk-averse cybercriminals understand this very well.”
Threats to data security are a new reality. Data protection for small business is essential. The key is to understand how breaches occur and to take measures to prevent them from happening.
Small Business Cyber Threats
Hackers specialize in exploiting vulnerabilities. Poor password protection, an unsecure wireless (WiFi) network and outdated system software each present opportunities to cyber criminals seeking access to information. There are many other tactics in the hacker’s toolbox, such as:
- Phishing: You receive an email or instant message with an attachment or link to a website. Once you open the attachment or follow the link, malware (short for malicious software) opens up, gives the hacker access to your computer and then spreads across the company’s entire network. The Department of Homeland Security’s publication, Avoiding Social Engineering and Phishing Attacks, provides more information on phishing attacks and how to avoid them.
- Infected USB keys: Be cautious of USB keys from strangers. It’s another way hackers target unsuspecting victims – for instance, by slipping a batch of keys containing malware in with legitimate handouts at an industry conference. If you’re unfortunate enough to be on the receiving end, your computer opens up to the hacker as soon as you insert the tainted key into the USB slot.
- Compromising web-based databases: Special programs can pick up the personal data customers enter when filling out a company form on a website and take over a system.
It’s Not All High Tech
Not all data breaches are the work of cyber criminals. They can involve break-ins or tactics like working the phones to solicit information from unsuspecting employees. They can also be crimes of opportunity: the laptop left on a train, a lost smartphone or a misplaced thumb drive that falls into the wrong hands. And you don’t need a computer to be at risk. Lost, stolen or misplaced files are a common cause of data breach.
If Your Business Is Targeted
If your business data is breached, the fallout can be far-reaching and costly. Standard recovery procedures can include a time-consuming process of notifying customers, investigating the incident, identifying and quantifying the losses, and monitoring credit or identity theft. You may need legal counsel to ensure you’re complying with state and federal laws and to defend your business if customers sue. There’s also the cost of repairing intangibles, such as your business’s reputation.
What’s a Small Business Owner to Do?
These steps can help you better safeguard your company’s data, protect your customer information and help ensure your small business can survive a data breach:
- Create clear policies to protect sensitive data and educate employees about the risk.
- Take steps to help prevent a data breach from occurring in the first place (see “10 Tips to Help Prevent Data Theft”).
- Create a plan that outlines how your business will respond if a breach occurs. The Federal Communications Commission (FCC) offers an online Cyber Planner Tool that can help you build a plan tailored to the needs of your business.
- Talk to your insurance agent about data breach protection. Data breach insurance from The Hartford can help cover the costs of recovering from a data breach and provide professional services to help your business respond quickly and effectively.
¹ Percentage is an approximation based on the Verizon 2013 Data Breach Investigations Report.