Small businesses should be just as concerned about cyber crime as big businesses. No business is safe. To that end, I just read a recent article by Reuters entrepreneurial blogger John Peabody that was very informative. I thought I'd share it with you.
Peabody interviewed Timothy C. Francis, second vice president for CBIA member Travelers Bond & Financial Products here in Hartford, CT. Francis leads Travelers' Business Insurance Management and Professional Liability initiatives and serves as Enterprise lead for Cyber Insurance. Reuters spoke with him last week about what small businesses need to know about cyber crime.
Here's part of the interview.
Small business owners hear a lot about the dangers of cyber crime and how they should fear it, but what exactly should they be afraid of? What are some examples of how small businesses can be affected by cyber crime?
To put it simply, small business owners should be concerned about the potential for loss and exposure of confidential data, commonly known as a data breach, as a result of a cyber attack. Confidential data can pertain to customers, employees and the business and typically includes items like company account records, contact and address information, purchasing history, credit card and Social Security numbers and medical data.
Data breaches can have serious consequences for the person whose data is breached, as well as the company that collects and holds that data. Nearly all 50 states have laws governing notification if/when a customer's data is breached, and notification can be costly. Actual costs will vary depending on how many records are involved, but generally speaking it costs about $200 total per record. This total amount combines the actual cost of investigating and alleviating the situation, potential liability and potential loss of future business to competitors.
Why are small businesses often more likely to be victimized than larger businesses? Is it simply a lack of resources devoted to cyber security?
A small business's lack of resources is certainly part of the problem. While a large corporation may be able to invest heavily in sophisticated security strategies, with 25-person IT teams to ensure that every office computer is protected, small businesses simply do not have the money or the manpower. This unfortunately leaves a small business not only vulnerable to an attack, but also allows crimes to continue unchecked until they're detected or exposed, at which time the losses can already be significant.
In addition, small businesses are sometimes used as a stepping stone for cybercriminals. Because small businesses often have contracts with large businesses, they can be targeted as an access point to the larger organization.
Verizon and Symantec have both recently released reports detailing findings about cyber security and small business. What are some of the main points that small businesses should be aware of?
Small business should be aware not only of the increasing pervasiveness of cybercrime, but also the most common types of cyber attacks that are taking place. For example, cybersecurity firm Symantec recently released a study noting that half of all targeted attacks in 2012 hit companies with fewer than 2,500 employees, and overall, targeted cyber attacks jumped 42 percent in 2012. Of that 42 percent, nearly one-third (31 percent) were aimed at businesses with fewer than 250 people, up from 18 percent the prior year.
In terms of attack methods, Verizon's 2013 Data Breach Investigations Report (DBIR) report revealed that hacking was the number one way breaches occurred and was a factor in 52 percent of data breaches. Common network intrusion methods included: weak or stolen credentials, such as a user name/password; malware use, such as malicious software, script or code; physical attacks, such as ATM skimming; and social tactics, such as phishing.
What kind of small businesses are especially vulnerable?
Retailers are targeted more by cyber criminals than others. To be competitive in the marketplace today most retailers have to reach customers through various channels and online portals, including websites, social media and blogs, among others. Many are also trying to gather information about their customers and potential customers. This creates a huge opportunity for cybercriminals who have many ways to access confidential business and customer information.
It's important to note, however, that it's not just the online businesses or brick-and-mortar stores that face threats to cyber attacks: any small business with a credit card machine, computer or tablet device is at risk. For example, each customer's swipe of a credit card in a store provides data that is attractive to people who want to commit identity fraud.
The Verizon report breaks down the attackers into three categories: activists, criminals and spies. Can you elaborate on these groups and their motives?
For activists, their aim is to maximize disruption and embarrass victims. The methods used are quite basic and are more opportunistic in that they are not targeted at a specific individual or company.
For criminals, their actions are motivated by financial gain. They are more sophisticated and calculated in how they select targets, often using more complex hacking techniques than activists.
For spies, actions are often state-sponsored and a form of espionage. These types of incidents have received heightened media attention, in part because of the sophisticated tools spies use to commit the most targeted attacks. The motivations and goals behind specific attacks include obtaining intellectual property, financial data or insider information.
What are some basic things small businesses can do to avoid being attacked?
When it comes to cybercrime, the best offense is a good defense. As cyber risks continue to arise through new technologies, it is important to have the right protections in place before an incident occurs. For small business owners, this includes working with their insurance agent and broker to make sure all exposures that can be managed are covered and that employees are exhibiting behaviors that limit cyber risks.
Specific risk management strategies include: 1) Training employees to protect sensitive information, 2) Ensuring systems have appropriate firewall and antivirus technology and that security software patches are updated in a timely fashion, 3) Monitoring use of mobile devices and public Wi-Fi access for employees, and 4) Having a plan in place to manage a cyber event if one takes place, sort of like a fire drill.
To read the rest of the interview, visit http://blogs.reuters.com/small-business/2013/05/03/qa-with-cyber-crime-expert-tim-francis/