Why Small Businesses Need to Learn from High-Profile Data Breaches


Small- to medium-sized businesses often don't take security as seriously as they need to.

In a recent report, McAfee declared 2014 "the year of the breach," and it’s easy to see why. Several high-profile companies and corporations have suffered crippling data breaches since January, from more than 50 million people at Home Depot to 70 million plus at JPMorgan. Meanwhile, Staples, PF Chang’s, Goodwill and a slew of others have all fallen prey to cybercrime.

According to SafeNet’s Breach Level Index for the third quarter of 2014, there were 320 reported data breaches between July and September, 46% of which involved identity theft.

Bubbling under the surface of these major breach notifications is a flurry of lower-profile data breaches happening every week that you’re less likely to hear about. A target like Home Depot provides an opportunity for a massive payday, but it’s also higher risk and involves a great deal of planning. So it isn’t that surprising to see some hackers going for low-hanging fruit like small- to medium-sized businesses (SMBs). These yield smaller paydays, but can be bountiful if several are pulled off in succession.

All the while, cyber criminals are using new tools to target SMBs, says Trend Micro in one of its latest reports on keyloggers, which hackers can use to siphon off company data.

"SMBs have this false sense of security, thinking that such an attack will never happen to them," says Gary Davis, chief consumer security evangelist at McAfee. "Security threats don’t discriminate by organizational size, and for SMBs whose employees use multiple devices it’s getting more crucial to have best-in-class security solutions."

You need not dig too far to find examples of small- to medium-sized breaches. The Houstonian Hotel in Houston, Texas, saw 10,000 customers’ credit card details exposed during a security breach earlier this year. On a smaller scale but no less serious, the outdoor sports equipment store Backcountry Gear, based in Oregon, which ships goods across the U.S., discovered malware on its system in July 2014 that may have compromised customer data.


"The problem is that so many of these companies just don’t regard security as something they need to do, but rather something they have to do," says Marcus Ranum, chief security officer at Tenable Network Security. "Being candid, they often take a bare minimum approach at best, and outsource and try to defer liability."

Adopting the Right Attitudes

Security works best when it’s treated as a "core business process," according to SMB Security Guide, a site that advises small businesses on best practices for security.

Some basic foundational training is needed for any small business to protect its digital assets. Employees need to be trained to use unique and difficult passwords, Davis says, and business owners need to know their data inside and out: where everything is stored, and who exactly has access to it. Leaving data an open book among employees is likely to lead to data leakage, whether deliberate or accidental.

Business owners also need to ensure that their apps and operating systems are kept up to date, but cyber security is multi-faceted and has a physical dimension as well. Who has access to the rooms where hard drives are stored, for example?

"Don’t let strangers wander the halls and limit physical access with locked doors and managed entry systems," says Davis. "Be sure to conduct thorough background and reference checks before hiring new employees."

Bring Your Own Device … or Bring Your Own Data Breach?

Experian’s 2014/2015 Data Breach Response Guide and the Ponemon Institute make the case for developing a rigid breach response policy. Effective policies across the board will help any business respond better to a data breach, especially in the case of companies with BYOD practices, which create more and more avenues for breaches to occur.

BYOD in the office is becoming inevitable, says F-Secure security adviser Sean Sullivan.

"From a user’s standpoint, BYOD is a great idea, but from a security standpoint, it’s a terrible idea," he says. "You’re playing the bad luck lottery; odds are small, but first prize is a substantial loss of money."

The device belongs to the individual, and this raises issues around responsibility, which is why devising an iron-clad policy is vital and must complement training your employees in security protocols.

"We recommend that organizations give their employees additional training around the physical devices themselves," adds Sullivan. "By offering employees a great user experience, company guidelines relating to security are less likely to be disregarded [or] breached."

SMBs Can Be Left Behind

Small businesses are encouraged to take a proactive approach to security and adopt the mentality of big companies, because no one else will look out for them.

"In reality, the security industry has let small and medium sized businesses down," says Paul Lipman, CEO of iSheriff, a cloud security firm based out of Redwood City, California. SMBs can get lost in the conversation and aren’t getting the same attention when it comes to security, oftentimes leaving them to fend for themselves.

SMBs may not have as much to offer a cybercriminal as a Home Depot or a Target, but companies still have much to lose.

"[Hackers] aren’t interested in stealing secrets or intellectual property like the hackers targeting larger enterprises," says Lipman, but where there’s a business, there’s money, and cyber criminals will target anything they know they can penetrate.

Some businesses are becoming more and more tech-savvy, but the crucial point is that SMBs cannot afford to take their time with this. Technology – and cyber threats – are evolving at a startling pace.

Bank of America’s Small Business Owner Report states that 80% of small businesses have incorporated "some type of digital method" into their business, but this can include social media as well as security. Is as much attention being paid to bolstering security as to expanding social media reach?

Security firm BitSight published new research in November 2014 that corroborates many concerns over businesses’ security, especially in retail, and notes that security effectiveness has declined in these businesses.

"While it’s encouraging that a majority of the breached retailers have improved their security effectiveness, there is more work to be done, especially in the area of vendor risk management," said BitSight’s CTO Stephen Boyer when announcing the research.

It raises several questions. If you’re a small business owner, have you audited your company’s security practices and evaluated where security stands on your hierarchy? As cyber threats evolve, small businesses will need to do the same.
