Scan the headlines and it's easy to believe that hackers only go after the "big fish". While high-profile breaches make the news more often, cyber criminals are always on the lookout for the "low hanging fruit" offered by what they see as comparatively lax IT security at smaller organizations.
Hackers and social engineers target small businesses that have a rich data environment (personally identifiable information, protected health information, authentication credentials, etc.), and they appear to follow the path of least resistance and greatest payoff in doing so. In 2009, businesses with 100 or fewer employees accounted for 27 percent of the 141 data breach cases included in a study by Verizon and the U.S. Secret Service. By 2010, such small businesses accounted for 63 percent of the 761 cases in the study.
According to a mid-year intelligence report by Internet security provider Symantec, more than a third of targeted attacks on businesses in the first half of 2012 were aimed at companies with fewer than 250 employees. That was twice the percentage of attacks aimed at similar-sized companies at the end of the previous year, Symantec said. In terms of the number of targeted attacks, the company said it blocked an average of 58 per day aimed at small businesses in the first half of 2012.
Not only are small businesses increasingly becoming targets for data breaches; they also stand to lose more when they are breached, because the costs they incur in legal fees, notification, mitigation, fines, and the loss of goodwill all represent a much higher share of their revenues. The average cost per record breached by a hacker, or lost through the loss or theft of laptops, USB drives, and other mobile devices, is $214. And rarely does a breach or attack involve the theft of a single record. To use a more realistic figure, a breach of "only" 1,000 records could cost a small business almost a quarter of a million dollars. Few small businesses can withstand such a punishing blow to their bottom lines.
According to the 2012 Cost of Data Breach Study by the Ponemon Institute, 60% of small businesses that experience a data breach close permanently within a year of discovering the breach, and 90% close within two years.
Limited budgets are often cited as the reason for lapses in security, but it is much less costly to prevent a breach than to fix one. Fortunately, there is much a small business can do to keep from falling victim. The FCC offers the following tips for starters.
- Train employees in security principles. Not all IT threats are online: social engineering attacks are almost always more effective when used against small businesses. Owners and employees must be trained to identify such attacks and made aware of the dangers of opening suspicious emails, plugging "found" USB drives into their computers, and interacting with potential social engineers over the telephone or in person.
- Keep up-to-date with the latest security software, web browser, and operating systems.
- Provide firewall security for your entire Internet infrastructure.
- Create a mobile device action plan that requires users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Make sure to set reporting procedures for lost or stolen equipment.
- Make backup copies of important business data and information automatically, if possible, and at least weekly, storing them offsite or in the cloud.
- Control physical access to laptops and other company-owned mobile electronic devices.
- Secure Wi-Fi networks. If your company uses a Wi-Fi network, make sure it is secure, encrypted, and hidden.
- Limit employee access to data and information and limit authority to install software.
- Use strong passwords and authentication measures. Require employees to use unique passwords and change them regularly. Consider implementing multi-factor authentication that requires additional information beyond a password to allow entry.