BreachExchange mailing list archives

Small Business Data Breach: Mitigating the Damage


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 1 Apr 2014 17:05:40 -0600

http://www.businessnewsdaily.com/6156-small-business-data-breach-protection.html

While data breaches at giant retailers like Target and TJ Maxx grab the
spotlight, it's just as realistic a scenario for small businesses - and the
attacks at that level can prove far more devastating. Experts say small
business owners who don't make protecting customers' personal information a
top priority could soon find themselves out of operation.

"I don't know how small and medium-sized businesses can survive something
of that magnitude," Will Pelgrin, president and CEO for the Center for
Internet Security, told Business News Daily.

Jeff Kosc, a partner with the law firm Benesch, Friedlander, Coplan &
Aronoff LLP, said businesses that compromise customers' personal data, such
as credit card and Social Security numbers, face a multitude of costs, not
all of which have an exact dollar amount attached.

One of the largest costs comes from the credit and debit card companies,
which, Kosc said, have broad powers and rights in data breach situations,
especially if it was discovered that the business wasn't complying with
payment card industry (PCI) regulations. PCI regulations govern the
specific security measures that must be adhered to by businesses that
accept credit and debit cards.

"If there is a breach of PCI, they have rights to level fines on
merchants," Kosc said of the credit and debit card companies. "They are
also entitled under those agreements to chargeback any fraudulent charges
that take place on anyone's card as a result of the data breach."

In addition to paying back the credit card companies, businesses incur
costs associated with alerting consumers of the breach, paying for their
credit monitoring services, investigating how the breach occurred and
taking additional steps to ensure it doesn't happen again.

Recent research from the Ponemon Institute and Symantec estimates that it
costs businesses $188 per record lost.

Kosc said many businesses in these situations also face a loss in
productivity because employees are more focused on cleaning up the mess
than they are on normal day-to-day responsibilities.

"You are pulling everyone away from their regular job duties to deal with a
data breach," he said.

Depending on the scope of the breach, Kosc said businesses also face
potential fines from the Federal Trade Commission. He pointed to TJ Maxx as
an example, which was forced to pay out more than $9 million in fines to
more than 40 different attorneys general following its breach in 2007.

In addition to the hard costs, businesses also suffer potentially priceless
damage to their reputation and trust.

"There is a community of people who have a trusted relationship with you
and that can be jeopardized," Pelgrin said. "How you recover from all of
that can be very difficult."

Protecting Your Business

One problem is that many think that because of their size, small businesses
aren't a target of cybercriminals.

"We tend to think that it won't happen to us because we are too small, and
that they are really looking at the larger (companies), and that's not the
case," he said. "Everyone is under constant attack at this point."

Since cybercriminals have become so effective in recent years, Pelgrin said
that even with the best security measures in place, there are no guarantees
businesses will be safe.

"There isn't a silver bullet out there," Pelgrin said. "The best you can do
is to be as diligent and vigilant as possible to ensure you have done
everything in your power to be as secure as you can be."

To protect consumer data as much as possible, Pelgrin advises businesses to
take several steps:

- Know your environment: This means taking inventory of all the hardware
and software that you have, as well as what version each is running. In
order to protect yourself, you need to know exactly what you own. "What are
your assets, what's your infrastructure look like, what's your network look
like?" Pelgrin said. "There may be a known vulnerability and you might not
even think it is within your infrastructure and unbeknownst to you it may
be totally enabled throughout your infrastructure and therefore making you
very vulnerable to an attack."
- Secure your environment: Bring your hardware, software and network up to
the highest level of security. Pelgrin said when small businesses buy new
hardware and software, they don't always have the latest security measures
on them. He said it is critical that businesses check each piece of
equipment and download all the latest security patches. In addition, he
said all the security settings should be turned up as far as they can be
without hindering operations.
- Control your environment: Pelgrin said it is imperative that businesses
don't give all their employees total access to their network and data. He
said employees shouldn't have access to higher levels of administration
than they need and shouldn't be allowed to download anything they want from
anywhere they want. "Most of your employees should not have complete
administrative access to their machines," Pelgrin said. "That
administrative access should be limited to very few trusted individuals."
In addition, businesses want to ensure the companies and vendors they are
working with also have stringent levels of security. Pelgrin said it is
critical to have documentation from the organizations you outsource parts
of your business to on exactly what security measures they have in place.
"It needs to meet the standards of what you would employ internally," he
said.
- Monitor your environment: This involves constantly self-diagnosing the
systems and network to ensure they are acting and performing as they should
be. "You don't have to be a cyber expert to know something is wrong,"
Pelgrin said. "Your gut is a great first sign that something may be wrong,
and then you need to reach out to those that have expertise to help
diagnose whether in fact you have been a victim of a cyber incident."

Pelgrin also encourages businesses to dedicate time each month to train
employees on the importance of cybersecurity and how they can make sure
they aren't contributing to leaks.

"You want to make it real for employees and the only way to do that is to
talk about it and practice it," he said.

Kosc believes a key step is having someone in the organization whose main
responsibility is security.

"It needs to be something that is on someone's mind everyday, because
that's their job," he said.

Mitigating the Damage

Kosc said businesses should have a clear strategy on how to deal with a
breach, since many experts believe it's not a matter of if - but when - one
will happen.

"You want to have a plan in place before something like this happens," Kosc
said. "So when an event does happen, you know what to do and how to limit
liability as much as possible."

Part of that plan is knowing whom to call for help. Pelgrin said in times
of crisis, you don't want to have to spend time figuring out who can assist
you.

"You want to have those relationships up front and in place," Pelgrin said.

Insurance providers are a relatively new source of help for businesses.
Within the last several years, many have started offering data breach
insurance.

Lynn LaGram, assistant vice president of small commercial underwriting at
The Hartford, said they have been offering data breach insurance since
2011, and their coverage comes in two parts.

The first covers the response expense and can pay for things such as
notifying customers after a breach occurs, setting up credit monitoring for
affected customers, hiring a public relations firm to help repair
reputational damage and hiring legal and forensic experts to assess whether
a breach did occur and where it came from.

LaGram said through The Hartford, businesses can get between $10,000 and
$100,000 worth of response coverage.

The second part covers expenses small businesses may face should any
lawsuits be brought against them by consumers who had information stolen.

"This covers civil awards, settlements or judgments that the small business
owner would become legally obligated to pay as a result of a data breach,"
LaGram said.

Kosc said most civil lawsuits brought against businesses that lost data
have been ineffective at this point because in many of these situations
consumers can't prove that the thieves have used their stolen information
in any way.

"There haven't been many so far that have been successful, because they
have to be able to show an actual harm," Kosc said. "Until you can provide
an actual injury has been suffered, (a court) can't award you damages."

While small businesses were originally slow to adopt data breach insurance,
LaGram said more of them - especially in light of last year's high profile
cases - have been adding it to their protection arsenal.

"Data breach is one of our highest-selling optional coverages," she said.

Repairing Reputation

For businesses to begin repairing their reputation and rebuilding trust
following a data breach, Pelgrin said it is imperative they are upfront
with customers when it happens, regardless of what state laws may dictate.

"I am a big believer in it's not if bad things happen, but how you react
when bad things happen," he said. "That shows the quality of the company
and that shows the quality of the individuals that work for that company."

Pelgrin said the last thing a business wants to have happen is for word of
the breach to get out six months after it occurred and have customers think
they did nothing about it because they didn't have to.

"Then you are in a position of trying to justify why you held on to that
information," Pelgrin said.

The key is alerting customers as soon as the information on the breach is
concrete.

"You don't want to put fear into people," Pelgrin said. "You really need to
know what happened so when you give the information, it is very clear this
is what we know, this is what happened and this is what we recommend how to
mitigate it."

LaGram said small businesses must understand that this undoubtedly could
happen to them.

"Small business owners are targeted at a much higher pace than larger
operations, because they are easier to penetrate," she said. "It is very
easy for it to happen in a small business setting."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/