
May 27, 2013

Cybersecurity: Not Just For Big Players Anymore


Many small-business owners, whether they're established or just getting started, might not think much about cybersecurity, which means protecting vital company or customer data from outside or internal threats.

Take this statistic from the National Cyber Security Alliance (NCSA): 66 percent of small businesses say they aren't concerned about data breaches. And nearly half think a breach would be an isolated incident that wouldn't have any effect on business.

But here's something else to think about: The only type of business that suffered more data breaches in 2012 than very large banks were retailers with 100 or fewer employees, according to an annual data breach report by Verizon that studied 621 breaches in nearly 30 countries, including the United States.

And if that doesn't drive home the point that the focus on data security has expanded into the small-business market, here's one more tidbit from the NCSA: Three out of five small businesses that undergo a cyberattack will close within six months.

"Breaches at smaller companies have definitely happened," said Marty Meyer, CEO of Corero Network Security in Hudson. "Thinking it wouldn't happen to you is not a good strategy for security."

What data thieves want, whether they're behind a computer in China or working inside a targeted business, is data. For many, that means credit card information. For others, it might mean intellectual property files.

Some external attacks are targeted, but Meyer said attacks are more random than people might think. Some programs randomly scan IP addresses to look for firewall vulnerabilities, he said.

Corero's software protects businesses against distributed denial of service, or DDoS, attacks, in which hackers spread malware to thousands of computers and instruct them to attack a particular website all at once, which either overloads the site's bandwidth and takes it down for a period of time or prevents valid users from accessing the site.

Corero's clients are mainly mid-size and large enterprises, but it also sells its products to web-hosting companies that provide e-commerce services to many small businesses.

Meyer said most small retailers outsource their payment processing, which means a third party handles the back end of the point-of-sale system and stores credit and debit card data.

Meyer said small businesses should evaluate their processors carefully and ask them if they're PCI (payment card industry) compliant, which is a security standard. Another question should be if the processor's computer servers have been penetration-tested, he said.

Larry Ponemon, head of the Ponemon Institute in Michigan, which studies hacking and data theft, said data security products used to be aimed at big businesses, but cloud-based security products are becoming more common among smaller businesses.

"There's almost a whole mini industry within IT security developed over the last four to five years," Ponemon said.

Financial damages can be wide ranging for companies that lose customer information, whether inadvertently — if an employee loses a laptop or disk drive — or through a security flaw in their systems.

There's the damage to a company's image if the information gets out (Massachusetts doesn't publish data breach reports online like some states, such as New Hampshire and California, do). But news of large breaches typically gets out.

State laws vary, but in many, including Massachusetts, businesses are required to report a security breach. In Massachusetts, that means the unauthorized acquisition or use of electronic data that can compromise security, confidentiality, or integrity of personal information that creates a risk of identity theft or fraud against a state resident.

The most recently available numbers from Attorney General Martha Coakley's office said there were more than 1,800 breaches reported between 2007 and 2011, which affected more than 3 million Bay State consumers.

But the largest cost from a data breach can come in the form of lawsuits filed by affected customers.

Coakley also has the authority to fine companies that are found to have violated the state's 2010 data security law, which requires encryption of customer information that's transmitted over the Internet or carried on portable devices.

Coakley has used that authority sparingly, but her office fined South Shore Hospital $475,000 last year (and gave it credit for $275,000 in security investments it made after the breach) after the hospital shipped three boxes of unencrypted back-up tapes containing personal information on 800,000 people to an off-site contractor to be erased and resold. Only one of the boxes arrived at the subcontractor's Texas facility. Coakley's office has indicated that it has no knowledge that the lost information has been misused.

The opportunity to steal and sell personal information, or sometimes just to make a political statement, has bred very talented hackers, said Eben Berry, president and founder of Cyber Inspectors in Burlington.

"Cyber adversaries are very sophisticated," Berry said. "If there's a motivation and attractiveness to your business, they will figure out a way."

Business owners and leaders need to assume they might be targeted.

"Not that they need to get a degree in it, but they need to make a commitment to have a fundamental knowledge," Berry said.

Getting a degree is exactly what Clark University is offering, with Berry's help.

The Worcester school began offering a cybersecurity concentration for information technology master's degree students in the fall. Berry is teaching two of the six courses, and has helped recruit other teachers from the industry.

He hopes the curriculum — which aims to combine technical expertise with management skills — can provide a greater number of capable cybersecurity experts to business.

"We're already seeing there are more jobs than talent," Berry said.

Emerging Field

Virtually all brick-and-mortar business owners carry insurance against fire, flood, theft and other revenue-destroying events. But most policies don't cover the cost of losing customer data by accident or by theft.

Cyberinsurance, which covers the cost of attorneys, settlements and public relations help in the event of a breach, has become more available for small businesses.

Annual premiums for a small company might cost up to $12,000, Ponemon said, but the plans vary in their design.

Ponemon, who worked for PricewaterhouseCoopers in the late 1990s, was once assigned a project to help a major insurer design a cyberinsurance policy. But he said it didn't go forward.

"There was a lot of uneasiness by the underwriters," he said. "In theory, an exposure could be catastrophic."

But data collection on data theft has improved over the years, and a number of insurers have put insurance products on the market. Locally, Worcester-based Hanover Insurance and Arbella Insurance offer data breach coverage.

Ponemon believes cyberinsurance is a good idea, but he said companies that purchase it shouldn't neglect other security measures. For one, good security practices can lead to a discount on some policies, much like a good-driver discount does for automobile insurance; second, some policies may not cover damages if a business neglects to protect its data.
