Smaller companies need to be prepared for data breaches.
October 7, 2015 | By Patricia L. Harman
If you’re a business, there’s a target on your back, or, to be more precise, on your data. Cyber criminals have built a lucrative black-market enterprise that rivals some major companies when it comes to the value placed on information stolen from legitimate sources.
Hardly a week goes by without news of a high-profile cyber attack against a company. At a presentation entitled “Hacked: The Realities of a Cyber Event,” hosted recently by Travelers in Washington, D.C., a panel of experts discussed the impact of cyber crime on small to medium-sized businesses. “One in two companies report being the target of a cyber attack,” stated Tim Francis, enterprise leader for cyber insurance at Travelers. “Sixty percent of attacks last year struck small to medium-sized businesses.” He said there are 34,529 known computer incidents each day and that the goal for the bad guys is to “make money as easily as possible.”
All of the stolen information has value on the Dark Web, where names, social security numbers, credit card numbers and other data are offered for sale. Credit card records sell for $10 to $35 per name. Social security numbers are worth significantly more because they let a buyer open bank accounts and credit cards, rent apartments and essentially create a new identity.
Purveyors of information on the Dark Web are extremely sophisticated, even offering return policies if purchased cards don’t work and customer service to help criminals use stolen information effectively, Francis said. “You can purchase specialized information, like credit card numbers for 30- to 35-year-olds who live in lower Manhattan,” he added.
Just last week, T-Mobile announced that approximately 15 million customers who had applied for credit with the mobile carrier had their information stolen by hackers who accessed a database run by credit monitoring firm Experian Plc. The hackers obtained names, addresses and social security numbers.
Commenting on the breach, Francis said, “Cyber threats are increasing, but businesses can take action. Hackers have evolved and are now more sophisticated than ever.”
He said the industry is seeing more state-affiliated hackers coming out of countries like China, North Korea and Russia. Some hackers attack companies because they disagree with their ideology or with what the business does, as was the case with Ashley Madison. “An industry or outspoken CEO can cause a company to become a target,” Francis explained.
Data breaches still cause the largest losses for companies, and frequently the breach stems from weaknesses inside the company: an employee who works from home and has his or her computer compromised, or who loses a laptop holding unencrypted information.
Small businesses are particularly vulnerable because they may lack the resources to prevent an attack, or they may believe they would never be a target. Chris Hauser, second vice president with Travelers Investigative Services, said that small businesses also may not vet new employees as carefully as larger companies with more resources, and may hire the wrong person, such as an employee who skims credit cards.
Hauser said, “Sometimes employees don’t act maliciously, but they may do something wrong unknowingly.” He gave an example involving social engineering, the kind of attack now commonly called business email compromise: the attacker poses as a company executive and sends an employee what looks like a legitimate email instructing the employee to transfer money from one account to another. In reality the wire transfer lands in the attacker’s offshore account, and the money is rarely recovered.
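The executive-impersonation email Hauser describes usually leaves traces in the message headers: a trusted display name on an address that is not the executive’s, a sending domain one character off from the real one, a Reply-To that points elsewhere, and urgent payment language in the body. The following is an added example of a mail-gateway check for those indicators; it is not code from the article or from Travelers, and the company domain, executive list and two sample messages are constructed for illustration.

```python
"""Flag e-mail headers that show the classic signs of an executive-impersonation
message: the display name matches an executive but the address does not, the
sending domain is a look-alike of the company domain, Reply-To points somewhere
else, or the body pairs payment language with urgency. Added example; the
company domain, executive list and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                     # assumption: the defended domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # assumption: known display names


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return the list of indicators found; an empty list means nothing suspicious."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.lower().rpartition("@")[2]
    findings = []
    # Known executive's name on an address that is not the executive's.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr != expected:
        findings.append("display-name-mismatch")
    # Sending domain within two edits of ours, but not ours.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # Replies silently routed to a different domain than the one that "sent" the mail.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # Payment instruction plus urgency or secrecy in the body.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    if re.search(r"\b(wire|transfer|payment)\b", body) and \
            re.search(r"\b(urgent|immediately|today|confidential)\b", body):
        findings.append("urgent-payment-language")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: accounts@example-corp.com
Subject: Urgent wire transfer

Please transfer $48,000 today to the attached account. Keep this confidential.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 numbers

Attached are the Q3 numbers for the board meeting.
"""

if __name__ == "__main__":
    print("impersonation:", bec_indicators(SAMPLE_BEC))
    print("legitimate:   ", bec_indicators(SAMPLE_LEGIT))
```

A check like this complements, rather than replaces, SPF, DKIM and DMARC enforcement: a look-alike domain registered by the attacker can pass all three. Whatever the gateway says, the control that actually stops the wire is a process one, an out-of-band phone call to the executive before any payment instruction received by email is acted on.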
In another scenario, an employee clicks on a link that installs a Trojan on a server, giving hackers access to the company’s database. Other attacks capture a company’s social media credentials so the attacker can take over the firm’s accounts and post material that harms the business.
John Mullen, an attorney with Lewis, Brisbois, Bisgaard and Smith LLP, said that many companies post the wrong information on social media or outsource data to a vendor who doesn’t protect the information being shared. That is still the outsourcing company’s problem, because it remains responsible for the information.
When companies reach out to his firm, Mullen said, the priority is to get a sense of what transpired. He asks questions such as:
- Was customer information hacked?
- Were employee records impacted?
- When was the last time the company purged the data?
- Did they get into your payment processes and access credit cards?
- How far back do the records go?
He doesn’t expect the company to have all of the answers, but because regulators impose notification deadlines, understanding what kind of information is in play is critical. “We need to deal with provable facts, bring in a forensic company, develop a scope of work and come up with a plan of attack,” he explained. “We need to know how many records were touched, what burned and what didn’t burn.”
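Mullen’s questions (were credit cards in the data, were Social Security numbers, how far back do the records go, how many records were touched) can be answered in a first pass by scanning the affected export for those data types. The following is an added example of such a scoping scan; it is not code from the article or from Mullen’s firm, the CSV export is constructed, and the column names are assumptions.

```python
"""First-pass breach scoping over an exported data set: count the records that
hold the data types the attorney asks about (payment card numbers validated
with the Luhn check, plausibly formatted Social Security numbers) and report
how far back the records go. Added example; the CSV export below is
constructed and the column names are assumptions."""
import csv
import io
import re

# SSN format plus the structural exclusions (area 000/666/9xx, group 00, serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13 to 19 digits with optional single space/dash separators; Luhn-checked afterwards.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """Luhn checksum over a string of digits (right-to-left, every second digit doubled)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text):
    """Digit runs that look like card numbers and pass Luhn (cuts most false positives)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def scope_export(csv_text, date_column="created"):
    """Count records holding SSNs / cards and the date range they span."""
    summary = {"records": 0, "with_ssn": 0, "with_card": 0, "with_either": 0,
               "oldest": None, "newest": None}
    for row in csv.DictReader(io.StringIO(csv_text)):
        summary["records"] += 1
        cells = [v or "" for v in row.values()]  # scan every field, not just the obvious ones
        has_ssn = any(SSN_RE.search(c) for c in cells)
        has_card = any(find_cards(c) for c in cells)
        summary["with_ssn"] += int(has_ssn)
        summary["with_card"] += int(has_card)
        summary["with_either"] += int(has_ssn or has_card)
        created = row.get(date_column, "")
        if created:  # ISO dates compare correctly as strings
            summary["oldest"] = min(summary["oldest"] or created, created)
            summary["newest"] = max(summary["newest"] or created, created)
    return summary


# Constructed sample export (test card numbers, fictitious SSNs).
SAMPLE_EXPORT = """\
record_id,created,name,ssn,card,notes
1001,2009-03-14,Alice Example,123-45-6789,4111 1111 1111 1111,opened credit line
1002,2012-11-02,Bob Example,,5500 0000 0000 0004,card on file
1003,2015-06-30,Carol Example,545-65-4321,,ssn only
1004,2015-09-01,Dan Example,,1234 5678 9012 3456,bogus card fails luhn
1005,2014-01-20,Eve Example,000-12-3456,,invalid ssn area
"""

if __name__ == "__main__":
    print(scope_export(SAMPLE_EXPORT))
```

The numbers this produces are the upper bound of what was exposed, which is what notification deadlines force you to estimate early; the forensic firm’s job is then to narrow that to the provable facts, which records the intruder actually touched. Pattern matching also misses data stored in free text without separators, so treat it as a triage aid, not the final count.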
Managing the message
Once the scope of the breach has been identified, the company must develop a plan to share that information with customers, with regulators (including securities regulators if the company is publicly held), with the media and with the public in general. How the details of the breach are explained to all of these constituents is vital in repairing the damage to the company’s reputation.
Melanie Dougherty, CEO and managing director of public relations firm Inform, said, “The natural response is to shut the door to the media, but many times you are obliged to respond for legal or regulatory reasons.”
Since many breaches stem from human error, companies need to be prepared for this eventuality and work on messages that will help them win back their customers and restore their reputations. “It’s not the breach, it’s the perception of a cover-up that can cost a company,” she added.
“For a small company, a data breach can force them to shut their doors forever,” said Francis. He shared that one Travelers customer spent around $300,000 to find out they didn’t have a breach, but it was still important information for the company to have and it allowed them to see how their processes would work in the event of an actual breach.
Francis identified four common weak spots for companies:
- Intrusion detection software – raises a red flag when suspicious activity or an intrusion is detected. Francis said it’s important to have someone in the company monitor these alerts and respond immediately when a breach is detected.
- Encryption of private data – encrypting data can turn a lost laptop into a paperweight, although a sticky note with the password stuck to the computer can undo an expensive encryption program.
- Patch management – companies have to apply vendor patches to fix vulnerabilities in their programs and keep software up to date.
- Vendor mismanagement – vendors have to be trustworthy and protect the information a company entrusts to them.
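The first weak spot, intrusion detection with nobody watching it, is easiest to appreciate with a concrete detection rule. The following is an added example, not code from the article or from Travelers, of the kind of check an intrusion-detection tool runs over authentication logs: it flags a source that fails to log in repeatedly within a short window, and escalates if that same source then succeeds, which is the alert a person needs to act on immediately. The sshd-style log lines are constructed and the thresholds are assumptions.

```python
"""Minimal intrusion-detection rule over authentication logs: flag any source
that fails to log in `threshold` times within `window_seconds`, and escalate
if the same source then succeeds (a likely compromised account rather than
background noise). Added example; the log lines are constructed in sshd's
syslog format and the thresholds are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def detect(lines, threshold=5, window_seconds=60, year=2015):
    """Return alerts as (kind, source_ip, user, iso_timestamp) tuples."""
    failures = defaultdict(deque)  # per source IP, timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event we understand
        # syslog timestamps carry no year; the caller supplies it.
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        ip, user, result = m["ip"], m["user"], m["result"]
        if result == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute-force", ip, user, ts.isoformat()))
        elif result == "Accepted" and ip in flagged:
            # The attacker got in: this is the one that needs a human right now.
            alerts.append(("success-after-brute-force", ip, user, ts.isoformat()))
    return alerts


# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Oct  7 10:15:01 fileserver sshd[2011]: Failed password for invalid user admin from 203.0.113.45 port 50211 ssh2
Oct  7 10:15:03 fileserver sshd[2012]: Failed password for invalid user admin from 203.0.113.45 port 50212 ssh2
Oct  7 10:15:04 fileserver sshd[2013]: Failed password for root from 203.0.113.45 port 50213 ssh2
Oct  7 10:15:06 fileserver sshd[2014]: Failed password for root from 203.0.113.45 port 50214 ssh2
Oct  7 10:15:09 fileserver sshd[2015]: Failed password for root from 203.0.113.45 port 50215 ssh2
Oct  7 10:15:11 fileserver sshd[2016]: Failed password for root from 203.0.113.45 port 50216 ssh2
Oct  7 10:15:40 fileserver sshd[2017]: Accepted password for root from 203.0.113.45 port 50217 ssh2
Oct  7 10:16:02 fileserver sshd[2018]: Failed password for jsmith from 198.51.100.7 port 40112 ssh2
Oct  7 10:16:09 fileserver sshd[2019]: Accepted password for jsmith from 198.51.100.7 port 40113 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

The rule is deliberately simple; the operational point from the bullet is that the second alert kind has to reach a person who can disable the account and isolate the host, not just a log file nobody reads. A single mistyped password from a legitimate user (the jsmith lines) produces nothing, which is what keeps the on-call person from tuning the alert out.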
All companies are vulnerable, regardless of their size, and insurers are now tailoring policies to meet the needs of all businesses. “Less than 20% of companies have cyber insurance now,” said Francis.
With the reality becoming more a matter of “when” than “if,” companies will need to be proactive in managing this emerging risk. “Once a data breach happens, the biggest problem is that no one knows who to call,” added Francis. “It’s important for businesses to create clear action plans to help manage the data breach.”