In December of 2013, it was discovered that the major American retailer Target was, aptly enough, the target of a major hacking event that resulted in the breach of personal information for anywhere from 70 million to 110 million customers. Although credit card information was not obtained in each case, it does make nearly 100 million people more susceptible to identity theft.
The cyber attack was accomplished by hacking into Target’s point-of-sale devices to install a program that records data from credit cards swiped through an infected device. This information is then sent to a remote server so others can access the data. And Target isn’t the only major corporation to deal with a recent hacking scandal; in recent days, luxury retail company Neiman Marcus announced that they were dealing with a very similar situation involving the theft of customer information.
Statistics show that hacking activities across the globe have been ramping up at a feverish clip the past few years, and we’re seeing plenty of evidence that small and mid-sized businesses have to be on their guard more than ever to prevent an attack. Still, a survey conducted by Ernst & Young found that 96% of executives don’t believe their business is prepared to handle a cyber attack. Appreciation of vulnerability is, of course, an important first step, but what can you do to prevent an attack? What should you do when an attack has occurred? Every business needs to think through these issues before there is a problem.
Small Business Risks
In 2010, two magazine stores owned by Chicago-based City Newsstand, Inc., were the targets of a cyber attack on the company’s financial accounts. Thieves visited both stores and installed a piece of software onto the store’s registers that sent customer credit card information to a server in Russia. The ordeal, and the financial investigation ordered by Mastercard at City Newsstand’s expense, cost the Chicago company about $22,000. According to owner Joe Angelastri, that amount is roughly half of the company’s total annual profit.
The prevailing attitude shared by many business owners in the technology age is that larger corporations are generally at more risk of cyber attacks than smaller ones. However, the reality bears out a much different picture. The U.S. Secret Service, in conjunction with Verizon Communications’ forensic analysis unit, investigated 761 data breach events in 2010, more than 60 percent of which targeted businesses with fewer than 100 employees.
When a small business does experience a hacking event, it’s often a death knell for that company. Statistics collected by the National Cyber Security Alliance and reported by PCWorld indicate that 20 percent of small businesses experience a cyber attack every year. Of those businesses that experience this criminal activity, 60 percent close their doors and stop operating within six months. The stakes couldn’t be higher, which is why businesses of all sizes need to be vigilant.
The New Playing Field
Once upon a time, multinational corporations were the major target for hackers because of the size of their coffers. But times have changed, and it’s become much easier to reap the same rewards by casting a much wider net. Indeed, Brian Finch, a partner at Dickstein Shapiro LLP who represents FireEye and McAfee, recently wrote: “Small businesses are in fact ripe targets for cyberattack, and indeed have been under siege for some time, whether they realize it or not.” It is time for businesses of all sizes to understand that they are at risk.
Two words continue to come up when experts describe the methods and targets of identity thieves: automation and vulnerability. When automation meets vulnerability a lot of damage can be done.
Pop culture has given us an image of the hacker as an individual or small group cloistered away among a mass of wires and computers, working feverishly to get past the digital security of a multibillion dollar corporation. The reality is that many hacking programs created today are automated and scour the Internet for new prey without any work on behalf of the program creators.
These automated hacking programs have themselves tilted the field in favor of large corporations. Even though major corporate targets of hackers make news headlines a few times every year, these businesses typically have extensive protections in place against identity theft. The automated programs developed by hackers work by discovering vulnerabilities within a system and exploiting those, leaving small businesses with any online data activity at risk.
When an attack happens, a small business owner often has few avenues through which they can try to redress their loss. In March 2010, Los Angeles-based Village View Escrow lost $465,000 over the course of two days to hackers who had accessed their financial accounts. As owner Michelle Marsico found out the hard way, online banking accounts for businesses sometimes have fewer hacking protections than personal savings and checking accounts. According to cybersecurity expert Brian Krebs, interviewed for the Marketplace.org article linked above, these online business banking services are being offered with digital security infrastructures that haven’t been upgraded in response to new hacking threats.
Village View Escrow was able to reach a settlement with their bank, but that’s an exception far more than a rule. Banking institutions are much more powerful than the small businesses they service and do well in the courtroom against any litigation. Furthermore, actual cyber attackers are often too difficult to find to be able to file any meaningful criminal charges. In many, if not most, cases, there can be little redress available after the fact.
While large businesses are still a prime target, small and mid-size businesses are not far behind. In 2012, 93% of large businesses reported a cyber attack, while 87% of small and mid-size businesses also reported suffering an attack. Yet, amazingly, only 44% of respondents believe security is a top priority. It is time for the business community to wake up. Cyber attacks are a problem for everyone.
Responding to a Cyber Attack
Businesses that are attacked need to act swiftly. Indeed, the best weapon a company has when it realizes it’s been victimized by an attack is a quick response. Of course, an unfocused response can do more damage than good. Businesses need to understand the risks they are facing, including the reality that their customers are now also facing a real risk of identity theft and siphoning of accounts. While it may feel right to act like a victim, there is more at stake for your customers. How you handle the immediate aftermath is critical for both your brand and your customers because one of the biggest concerns facing a business that’s been compromised is maintaining customer confidence. If consumers, whether they are actual customers or potential future customers, stay away in the future because of financial security concerns, everything you have worked for will erode, which is what happens to so many businesses in this situation.
Novice to Advanced Marketing Systems, a provider of marketing training courses and materials, including online seminars, lost $75,000 in the effort to overhaul its computer systems in response to a malicious attack. The business dealt with a very high-profile situation, as the hacker posted a personal message to owner David Perdrew on the business’s website, threatening to expose their customer database if the hackers didn’t receive money. While this can easily be understood to be extortion, it brings the type of attention, and questions, that no business wants.
The first step taken by the company, after taking the website down, was to make sure that current customers had all of their orders fulfilled. Then, technology staff at the company scoured their networked servers to find any malicious files, which they were able to get rid of within 10 hours, and then discovered why the attack was successful. Before returning all of the company’s 70,000 digital files to the original system, after they had been transferred to another computer, new security software and password protections were installed to prevent a similar attack. The playbook you follow needs to be: pull the plug to stop the attack, identify what, from a technical standpoint, allowed malicious access, fix the technical glitch, make sure that no latent vulnerabilities exist, and improve security before considering going back online. They did everything correctly.
But then came the difficult work of reaching out to customers. As hard as it may be and as unhappy as many customers will be, proactively reaching out to customers is essential. Again, Novice to Advanced Marketing Systems did all they could. Anyone affected by the hacking activity and subsequent website shutdown was offered discounts on services, and the company even went so far as to create new services that were available after the website returned. Out of 2,000 prior customers, Perdrew believes that the company lost 15 customers because of the hacking event.
Even if you do everything correctly there is going to be damage done. That is why it is essential to be as reasonably proactive as possible. An ounce of prevention is certainly worth at least a pound of cure!
Keeping Your Business Safe
There is no better way to make sure that your business will survive a cyber attack than by having the best protective measures in place. If you own your own business or you are responsible for the cyber security of your company, here are some things to keep in mind to ensure the safety of your business operations.
1. The Weakest Link. Make sure that every single device connecting to your network is secured against common hacking threats. Many workplaces today allow employees to use their own mobile electronic device on a company’s network, which has the potential to allow risky, unsecured communication. Smartphones and tablets used on a business network should have an anti-malware app installed. Always remember that your network is only as secure as the weakest point of access.
2. Phishing and Social Engineering. Phishing, or misrepresenting your identity through e-mail to gain access to account passwords or other information, is another form of attack that frequently leads to identity theft. It may not be as technical as most hacking attacks, but it can be just as damaging to a business that accidentally gives its financial account information to a malevolent party. Unless you are absolutely sure of the identity of the person e-mailing you, don’t give away password information across the Internet, period. Truthfully, you shouldn’t give any sensitive information at all without verification. Kevin Mitnick, once dubbed the world’s most dangerous hacker, used social engineering techniques to gain information that would allow him to hack. Most companies do have anti-phishing policies in place where they promise not to ask for password or account information over e-mail or via telephone, but make sure your customers know that they won’t be asked for such information and that, if they are, they should be suspicious.
3. Business Level Security. Overall, the malware protection on all of your computers should be of the business-grade or enterprise variety. Basic computer security programs available through Norton, McAfee and others are designed for home computers, not servers dealing with delicate pieces of financial data. Staying up-to-date on security upgrades for these programs is also crucial, as many times these upgrades contain patches that can protect against new viruses currently going around the Internet.
4. Encryption. Making sure data encryption technologies are enabled on your computers is a simple step, but one that many small businesses can miss. Many of these technologies are standard on most computers; Windows PCs have a feature called BitLocker, while Mac systems use a feature called FileVault. Although this won’t stop malware from entering a network while a computer is running, it can keep hackers from obtaining any useful identity information.
5. Good Digital Hygiene. Keep your employees educated on how their computer activities could put the entire company at risk. Adopting a formal Internet use policy at the workplace can be a very effective tool for making sure employees are on the same page about which web services can and cannot be accessed at work. Maintaining good “digital hygiene,” such as logging out of accounts before closing browser windows or using different passwords for different accounts, is another way to make sure your employees are working towards cyber security. In this day and age anyone using “password” or “1234” as a password is nearly unbelievable, but it does happen. Whatever you can do to have your employees use stronger passwords and change them periodically is well worth the effort.
6. Stay Vigilant. Finally, keep yourself educated on how your business needs to improve network safety by having a security audit performed at your business. An audit can help you find any holes in your current security that can be addressed by current technologies. Heeding these tips as soon as you get them will make sure that you stay ahead of the technological curve. Although you should be doing this anyways, check your financial accounts daily, or at the very least periodically, to make sure that there’s no unexplained activity.
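One way to check the encryption point in item 4 during an audit, shown as an added example that is not part of the original article: the script below reads the text printed by the Windows command `manage-bde -status` and the macOS command `fdesetup status` and reports machines where disk encryption is not actually protecting data. The sample output is constructed for illustration, and the function names are hypothetical. A volume that is fully encrypted but shows "Protection Off" is reported too, because its data is readable without the key protectors while protection is off.

```python
import re

# Constructed sample of `manage-bde -status` output (Windows); not from a real host.
SAMPLE_MANAGE_BDE = """\
Volume C: [OSDisk]
[OS Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection Off

Volume D: [Data]
[Data Volume]

    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off

Volume E: [Backup]
[Data Volume]

    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
"""

def audit_bitlocker(text):
    """Return {drive: finding} for each volume that is not encrypted AND protected."""
    findings = {}
    # Each volume section starts with a line such as "Volume C: [Label]".
    for block in re.split(r"(?m)^(?=Volume [A-Z]:)", text):
        header = re.match(r"Volume ([A-Z]:)", block)
        if not header:
            continue
        fields = dict(re.findall(r"(?m)^[ \t]+([A-Za-z ]+?):[ \t]+(.+?)[ \t]*$", block))
        conv = fields.get("Conversion Status", "unknown")
        prot = fields.get("Protection Status", "unknown")
        if conv != "Fully Encrypted":
            findings[header.group(1)] = f"not fully encrypted ({conv})"
        elif prot != "Protection On":
            findings[header.group(1)] = f"encrypted, but protection is off ({prot})"
    return findings

def audit_filevault(text):
    """Interpret `fdesetup status` output (macOS); None means no finding."""
    lines = text.strip().splitlines()
    first = lines[0].strip() if lines else "no output"
    return None if first == "FileVault is On." else f"FileVault not enabled ({first})"

if __name__ == "__main__":
    print(audit_bitlocker(SAMPLE_MANAGE_BDE))
    print(audit_filevault("FileVault is Off."))  # constructed sample line
```
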
Protecting yourself against identity theft and cyber attacks from hackers is a tall order these days. For more information on this topic please see: