By Rick Kam, CIPP/US, president and co-founder, ID Experts, and Jeremy Henley, CHPC, director of breach services and insurance solutions executive, ID Experts
If you live in a very safe neighborhood, are you likely to spend thousands of dollars on a home security system? Would you buy flood insurance if you lived in the desert, or earthquake insurance if you lived in the Midwest? Probably not, because it isn't prudent or sensible to spend money protecting yourself against a problem you don't have. But it is prudent to know for sure which problems you actually could face. That is the question millions of small and medium businesses (SMBs) in the U.S. have not answered, and it is putting them at risk every day.
According to Liz Fraumann, executive director of the Securing Our eCity Foundation (SOeC), "The typical SMB is concerned about keeping their doors open and making payroll, not protecting against cybercrime. They believe they are not in the crosshairs of the cybercriminal because larger organizations with big databases will be the targets of attacks. What they don't realize is that they are an endpoint into their customers' systems, and cybercriminals know they are unlikely to have strong security. That makes smaller businesses into big targets." Most SMBs are behind the curve in protecting themselves from data breaches, but a few cost-effective steps can go a long way towards building their defenses.
SMBs Hold The Keys to Cybersecurity
In a way, smaller businesses face double jeopardy because not only can cybercrime put their own business and their customers at grave risk, they can also be (and frequently are) the gateways to their clients’ larger business systems. Let’s look at a couple of scenarios excerpted from the SOeC booklet, Bringing IT Home, and the potential consequences.
John Alcott owns a small travel agency. His travel database is connected to a larger, national travel system that pulls traveler information from other agencies. One morning on arriving at work, he finds he is locked out of the shared client database. He calls support and learns that someone used his login to gain unauthorized access to the database and locked everyone out of the systems. Gigabytes of data were stolen, including clients' personally identifiable information (PII) such as passport numbers, driver's license information, credit card information, and more.
John's business has become a compromised endpoint that will damage his own and possibly thousands of other travel businesses, as well as the company that runs the national database. His login information could have been compromised through a weak password, stolen by a disgruntled or dishonest employee in his agency, captured by malware he unknowingly downloaded with an app, or intercepted on a coffee shop Wi-Fi network when he checked on some reservations over his smartphone. At the very least, John and the other agencies are going to lose some revenue during the time they can't do business; how much will depend on how long the outage lasts. It's possible that the database company will drop John as a customer, the kind of consequence that could put him out of business. The database company may incur many thousands of dollars in breach recovery costs that it could sue to pass along to John's agency, and if the very worst happens, if a customer is harmed by the breach or customers litigate, the database company may pull John's agency into the suit.
We have seen this happen, for example, to background screening companies that were holding significant amounts of data on behalf of a large client when they were compromised. One of the client's initial reactions, even without all the necessary information, was to jump straight to notifying consumers of the incident. This can unfairly damage the SMB's reputation if the security incident turns out not to be a breach (that is, no personal data was actually exposed). In either case, the SMB will face unexpected expenses and the potential for lost revenue.
Here’s an example that could be even more serious for all concerned:
Rob, a project manager at a Department of Defense (DoD) contractor, receives an email from someone he worked with on a DoD project about 3 years ago. There is a PDF document attached, and the sender asks Rob whether he would check some of the statistics for accuracy, so Rob saves the file to review later. A few weeks later, his company is contacted by law enforcement saying some of their documents have been found on a known hacker website. Then network logs begin to show a pattern of unusual late night traffic coming from Rob’s computer, and the IT manager asks Rob what he’s downloaded recently. He mentions the PDF and is asked to contact the old friend, who says he didn’t send the email request. Investigation reveals attempts to access various servers within the organization that contain sensitive DoD data and personal information on the contractor’s employees. The IT department has to wipe and restore the servers, all users have to change passwords, and the company begins to overhaul its security systems and procedures.
Rob’s company may have gotten lucky, depending what was stolen before law enforcement set them wise to the cyber-attack. At least they had monitoring in place that allowed them to pinpoint the illicit activity and put a stop to it. Law enforcement may have been able to take down the hacker site quickly, but if there were critical DoD documents (imagine if it were plans for a missile guidance system) and the theft compromised national security, Rob’s company could lose the contracts on which they depend. They certainly will incur costs in overhauling their security mechanisms and policies, but given the increasing frequency of cyber-attacks, that investment could someday save their business. Now they just have to hope that the initial breach didn’t put millions of their fellow citizens at risk.
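The monitoring that saved Rob's company is something an SMB can build from logs it already has. Below is an added example (not code from ID Experts or SOeC) that scans a simplified, constructed firewall/proxy export for hosts sending data outside business hours, the pattern the IT manager spotted in the scenario. The log format, the business-hours window, the allow-list of hosts expected to work at night and the alert thresholds are all assumptions that a real deployment would tune to its own environment.

```python
"""Flag hosts that generate outbound connections outside business hours.

Added example for this article (not ID Experts' or SOeC's code). The log
format is a constructed, simplified firewall/proxy export:
    <ISO timestamp> <src_host> <dst_ip>:<port> <bytes_out>
Business hours, the off-hours allow-list and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real traffic). 2014-03-03 is a Monday.
SAMPLE_LOG = """\
2014-03-03T09:12:41 ws-rob 203.0.113.10:443 1820
2014-03-03T10:05:02 ws-anna 203.0.113.10:443 2210
2014-03-03T11:47:19 ws-rob 198.51.100.7:443 640
2014-03-04T02:13:55 ws-rob 198.51.100.7:443 5242880
2014-03-04T02:14:10 ws-rob 198.51.100.7:443 5242880
2014-03-04T02:15:03 ws-rob 198.51.100.7:443 5242880
2014-03-05T01:58:22 ws-rob 198.51.100.7:443 4194304
2014-03-05T08:30:00 ws-anna 203.0.113.10:443 900
2014-03-05T23:45:00 backup-srv 192.0.2.20:22 104857600
"""

BUSINESS_START, BUSINESS_END = 7, 19   # assumption: 07:00-19:00 local time
KNOWN_OFFHOURS = {"backup-srv"}        # assumption: hosts expected to run at night
MIN_OFFHOURS_EVENTS = 2               # assumption: tolerate one stray check-in
MIN_OFFHOURS_BYTES = 1_000_000        # assumption: about 1 MB total before alerting


def parse_line(line):
    """Parse one constructed log line into (timestamp, host, destination, bytes)."""
    ts, host, dest, size = line.split()
    return datetime.fromisoformat(ts), host, dest, int(size)


def is_off_hours(ts):
    """True for traffic on a weekend or outside the assumed business window."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.hour < BUSINESS_END)


def find_off_hours_hosts(log_text):
    """Return {host: summary} for hosts whose off-hours traffic crosses both thresholds.

    The summary keeps the event count, total bytes and distinct destinations,
    which is what an analyst needs before deciding whether to pull the machine
    (as IT did with Rob's computer) or to add it to the allow-list.
    """
    stats = defaultdict(lambda: {"events": 0, "bytes": 0, "destinations": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, dest, size = parse_line(line)
        if host in KNOWN_OFFHOURS or not is_off_hours(ts):
            continue
        s = stats[host]
        s["events"] += 1
        s["bytes"] += size
        s["destinations"].add(dest)
    return {
        host: s for host, s in stats.items()
        if s["events"] >= MIN_OFFHOURS_EVENTS and s["bytes"] >= MIN_OFFHOURS_BYTES
    }


if __name__ == "__main__":
    for host, s in find_off_hours_hosts(SAMPLE_LOG).items():
        print(f"{host}: {s['events']} off-hours connections, "
              f"{s['bytes']} bytes to {sorted(s['destinations'])}")
```

On the constructed data only ws-rob is reported: four connections between 01:00 and 03:00 on consecutive nights, roughly 19 MB to a single external address. The backup server also talks at night but is on the allow-list, which is the point of the thresholds and the allow-list: the rule should be noisy enough to catch a workstation that has no business being awake, and quiet enough that staff keep reading its output.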
5 Steps You Can Afford to Take
The point, says Fraumann, is to realize that every business, large or small, is part of a chain of information that connects potential thieves with a treasure trove of sensitive data. Even a small retail business that uses mobile payment connects to national financial systems. That means any business can be a target and suffer the consequences of a cyber-attack, and every business needs to take appropriate measures to protect itself. Here are steps that every business can afford in some form:
- Know what information exists on your network and where, and which data poses the greatest risks if it is compromised. Segment networks to protect the most sensitive information, and grant access only to staff members who really need it.
- Create security policies and procedures, and educate your staff on them. Teach them to use strong passwords, what not to download, and how to spot phishing attempts. Liz Fraumann points out that Microsoft releases security patches for its software on the second and, sometimes, fourth Tuesdays of every month. Training staff to install security patches right away is an effective and affordable way to protect your business. Make sure employees are following security procedures, and discipline or dismiss employees who don’t comply.
- Track and verify your company’s compliance with federal, state, and industry regulations. There are industry-specific regulations in healthcare, energy, finance, and other areas, but there are also federal and state regulations such as the Federal Trade Commission consumer privacy and data security rules that apply to all businesses, plus industry standards with contractual teeth such as the Payment Card Industry Data Security Standard (PCI DSS), which applies to any business that accepts card payments. If you do have a data breach, being out of compliance with regulations can result in heavy penalties and enforcement actions.
- Have an incident response plan in place so that you can limit the damage when a potential data breach happens. When an incident happens, you need to quickly fix the vulnerability that led to the data loss or exposure, contain the incident, and preserve the evidence appropriately. Then you need to analyze the findings and determine whether customers and regulators need to be notified. Having a plan and being ready to execute it can save your business.
- Have a business recovery plan. You should also have a plan to keep your business running in a situation such as the travel agency scenario above. What if you are suddenly cut off from online databases, or malware took down your computers? Do you have local, secure, portable backups? If you’re a retail business, do you have a physical fallback such as a manual card imprinter, so you could at least continue taking payments during an outage? Every business faces these issues and every business should address them: a recovery plan protects your business in case of anything from a cyber-attack to a natural disaster. It’s smart and surprisingly inexpensive to get experts on retainer ahead of time to quickly implement your recovery plan.
None of these steps require expensive technology, and each of them can be adapted to a business of any size.
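Step 1, knowing what sensitive information exists and where, is the one most SMBs skip because it sounds like it needs an expensive discovery product. As an added example (not ID Experts' or SOeC's code), the script below inventories two record types the travel-agency scenario mentions, payment card numbers and U.S. Social Security numbers, across a set of constructed sample files. Card candidates are confirmed with the Luhn checksum so that order numbers and promo codes are not reported as cards. The file contents, paths and the numbers in them are constructed test data (the card numbers are the widely published test values, not real accounts); a real run would walk the file share instead of the in-memory dictionary.

```python
"""Inventory where regulated data sits, so it can be segmented and access-restricted.

Added example for this article (not ID Experts' or SOeC's code). SAMPLE_FILES is
constructed test data standing in for a walk of a real file share.
"""
import re
from collections import Counter

# Constructed sample "files" (path -> contents). Card numbers are published test values.
SAMPLE_FILES = {
    "shares/sales/orders-2014.csv": (
        "order,customer,card\n"
        "10001,J. Alcott,4111 1111 1111 1111\n"
        "10002,K. Lee,5500-0000-0000-0004\n"
        "10003,M. Roy,1234567812345678\n"      # 16 digits but fails Luhn: not a card
    ),
    "shares/hr/onboarding.txt": "Employee SSN on file: 123-45-6789. Start date 2014-03-03.",
    "shares/marketing/newsletter.txt": "Call 555-0100 for our spring sale. Promo code 9999 8888 7777 6666.",
}

# 13-19 digits, optionally separated by spaces or hyphens, on word boundaries.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# AAA-GG-SSSS with the area/group/serial values SSA never issues excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of digits; True if it validates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text):
    """Return Counter({'card': n, 'ssn': m}) for one document; zero counts are dropped."""
    found = Counter()
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found["card"] += 1
    found["ssn"] += len(SSN_RE.findall(text))
    return +found               # unary plus discards zero entries


def inventory(files):
    """Map each path that holds PII to its counts; files with no hits are omitted."""
    result = {}
    for path, content in files.items():
        hits = find_pii(content)
        if hits:
            result[path] = hits
    return result


if __name__ == "__main__":
    for path, hits in inventory(SAMPLE_FILES).items():
        print(path, dict(hits))
```

On the sample data the sales export is flagged with two card numbers (the third 16-digit value fails Luhn), the HR file with one SSN, and the newsletter with nothing, because its promo code fails the checksum. The output is the map that step 1 asks for: which shares hold the data that must sit in a restricted segment and who actually needs access to them.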
Right-sizing Your Defense
Every business needs to figure out its risks, its regulatory requirements, and what makes sense for them. You don’t need a security expert on staff to prepare. You can find some resources online: for example, the FTC web site has information on consumer protection law, and the SOeC site has excellent guidelines and checklists. Some business insurance providers also provide resources and tools to help you protect your business. These can include software tools to help you pinpoint your risks, templates for creating privacy and security policies and incident response plans, and reference materials and news feeds on regulations and the latest threats. Ask your provider whether they offer these as part of your insurance benefits.
Finally, remember that yours is not the only company facing these challenges, and because there is demand, lots of people are working on solutions to meet the need. The good news is that, just as any business could be a target, with a little determination, every business team has the ability to protect itself.