National news headlines routinely feature high-profile data breaches and hacking events, with large corporations working around the clock to contain the damage to their business, their customers and their reputations. But research shows that cyber criminals and hackers are also attacking smaller “Main Street” companies who are often less prepared to prevent and respond to an attack.
The Symantec Internet Security Threat Report found that 60% of all targeted attacks struck small- to mid-sized companies. These relatively small breaches can still affect a significant amount of records and be a catastrophic event for unprepared small- to mid-sized businesses, says Tim Francis, Travelers’ Cyber Insurance Lead.
“Large companies have increasingly begun to think about cyber hacks and to have a plan in place to deal with them,” explains Francis. “Meanwhile, small- and mid-sized businesses often lack access to cyber security expertise, including others that can help them secure their systems or help with a breach should it occur.”
In the world of cyber security, it is not if but when a company will experience a data breach. “But if you know how and why, you can do things to mitigate those risks,” Francis says. “You need a plan in place to deal with it effectively.”
Here is a look at how small- to mid-sized companies are vulnerable, what is at stake, and methods to help protect against hacking and data breaches.
Using hacking kits available online, cyber criminals target small- to mid-sized businesses to exploit known weaknesses in the software in which their databases or websites are built, extract valuable data, and demand payment to restore a company’s website or database. The thieves are in search of Personally Identifiable Information (PII), Protected Health Information (PHI), and Payment Card Industry Information (PCI), all of which can be bought and sold on the black market.
Regulations geared at consumer protection are helping to increase the cost of a breach response and to raise public awareness of risks, says Mark Greisiger, President of NetDiligence, which provides data breach crisis services. When this sensitive data is exposed, companies face growing costs from forensics, legal counsel, notification and credit monitoring, according to the 2014 NetDiligence Claims Study. The average per-record cost increased from $307 in the 2013 NetDiligence study to $956 in 2014, with an average breach claim of $733,000.
In an age of “point-and-click computer hacking,” cyber thieves are no longer necessarily part of sophisticated crime units, says Francis. One of the more popular attacks is the SQL injection, which was rated the #1 attack in 2013¹ and still accounts for a significant number of data breaches. It exploits vulnerabilities in an application’s software, when user inputs (i.e., fields for user name and password) are incorrectly filtered, allowing a hacker to execute commands.
Following an attack, companies are responding to data breaches by turning to a breach coach to walk them through their response and to retain experts, such as a forensics team, to investigate how and when the breach happened, what was accessed, whether or not the data was encrypted or protected, and who it affected.
After a breach involving PII, PHI, or PCI, there are strict timelines for notifying customers, including those issued by state, federal and other organizations. Companies can face potential litigation from government entities and class action lawsuits. There are also public relations concerns, as a breach can threaten a company’s brand and reputation.
“Risk Managers need to accept that their company’s network or data is never 100% secure,” says Greisiger of NetDiligence, who advises developing a response in advance and protecting against known vulnerabilities. Here are four common weak spots that can lead to a data breach:
- Overly Relying on IDS or ‘Intrusion Detection Software’ – These systems are intended to alert companies to attempted cyber attacks, but Greisiger warns that frequent “false alarms” may result in IT staff failing to recognize an actual attack.
- Failure to Encrypt Private Data – In the event of a data breach, encryption can provide an extra layer of protection, making it harder for a criminal to use or sell.
- Poor Patch Management – All networks and databases require constant updates to patch vulnerabilities that cyber criminals can exploit to access data.
- Vendor Mismanagement – Third-party vendors are often in care, custody and control of systems or data, sometimes with little oversight.
“What we find is the more that companies can prepare for the potential that an event may take place, the better off they will be when that event takes place,” Francis explains. Francis adds that cyber insurance can protect companies before an event takes place by helping supply them with risk management tools and advice and access to other professionals in the data security community that can help with their information security.
In addition to preventive measures, companies can benefit from performing a table top exercise to help plan their response to a data breach.