At a January Chamber of Commerce event on cyber security, I asked if anyone in the audience had been a victim of a data breach and several hands went up. Then I asked who in the audience had shopped at Target in November or December and almost every hand went up. Just about everyone has heard that Target Point-of-Sale systems were breached, and many of us were affected as consumers. What many business owners don't know is that Target's initial network breach happened through a small HVAC vendor who had limited remote access to Target's network to remotely manage refrigeration and cooling.
In the context of some common misconceptions, here are the cyber security trends you need to know to protect your intellectual property, customer data, and reputation:
“My business isn't a target, we're too small.”
Trend: 71% of attacks are directed at businesses with fewer than 100 employees. Criminals use automated tools to scan for web-facing servers that aren't patched or configured securely, so in many instances the business wasn't a target until the opportunity presented itself. Securing your IT systems protects not only your business but also your partners and clients.
“My employees would never do anything to harm the business.”
Trend: Insider threats account for 8-14% of attacks resulting in a breach. Cybercriminals create highly customized phishing emails and websites that look and feel legitimate. Malware and Trojans cause 80% of computer infections, and many are distributed by clicking on a link in an email. An employee may not intend to cause damage, but it's easy to be fooled by targeted attacks.
“We haven't experienced any system downtime, so my network must be secure.”
Trend: Organized crime and hackers-for-hire account for 55% of attacks. Once inside a network, a criminal wants to extract as much data as possible, and that can't happen if the network is down. Many businesses have no idea they've been hacked until they are notified by a bank, payment processor, or law enforcement.
“My business doesn't have to comply with PCI.”
Trend: Over half of retail merchants still aren't familiar with PCI requirements, but if your business takes credit cards you are required to comply with PCI Data Security Standards. Organizations processing large numbers of transactions must have an external audit done by a Qualified Security Assessor.
“My IT staff has it covered.”
Trend: Many small to medium-sized businesses don't have the resources or need for full-time IT staff, and team members may not have specialized expertise in security. Explore your options for part-time information security staff, or Security-as-a-Service.
“An attack is inevitable, so we'll deal with it when it happens.”
Trend: Many businesses have found themselves completely locked out of their data thanks to CryptoLocker, ransomware that targets all versions of Windows, encrypts files, and demands a ransom for the key to decrypt them. An incident response plan, backup data stored in an offline location, and a contingency plan are critical to restoring operations.
Attacks may be inevitable, but preparedness is key. If your business loses consumer data, recovery, liability, and investigations will cost on average $220 PER RECORD. The average organizational loss is $5.5 million, so it's no wonder that 60% of small businesses close their doors permanently within 6 months of a data breach. Liability and negligence claims against businesses that have been hacked are also on the rise, so it may be worth considering cyber insurance. Regardless of trends, take steps now to protect the long-term health of your business.
Heather Engel can be reached at firstname.lastname@example.org. Sera-Brynn specializes in cyber security, PCI compliance, and risk management and is the only PCI QSA in Hampton Roads.