While data breaches at giant retailers like Target and TJ Maxx grab the spotlight, it's just as realistic a scenario for small businesses – and the attacks at that level can prove far more devastating. Experts say small business owners who don't make protecting customers' personal information a top priority could soon find themselves out of operation.
"I don't know how small and medium-sized businesses can survive something of that magnitude," Will Pelgrin, president and CEO for the Center for Internet Security, told Business News Daily.
Jeff Kosc, a partner with the law firm Benesch, Friedlander, Coplan & Aronoff LLP, said businesses that compromise customers' personal data, such as credit card and Social Security numbers, face a multitude of costs, not all of which have an exact dollar amount attached.
One of the largest costs comes from the credit and debit card companies, which, Kosc said, have broad powers and rights in data breach situations, especially if it was discovered that the business wasn't complying with payment card industry (PCI) regulations. PCI regulations govern the specific security measures that must be adhered to by businesses that accept credit and debit cards.
"If there is a breach of PCI, they have rights to level fines on merchants," Kosc said of the credit and debit card companies. "They are also entitled under those agreements to chargeback any fraudulent charges that take place on anyone's card as a result of the data breach."
In addition to paying back the credit card companies, businesses incur costs associated with alerting consumers of the breach, paying for their credit monitoring services, investigating how the breach occurred and taking additional steps to ensure it doesn't happen again.
Recent research from the Ponemon Institute and Symantec estimates that it costs businesses $188 per record lost.
Kosc said many businesses in these situations also face a loss in productivity because employees are more focused on cleaning up the mess than they are on normal day-to-day responsibilities.
"You are pulling everyone away from their regular job duties to deal with a data breach," he said.
Depending on the scope of the breach, Kosc said businesses also face potential fines from the Federal Trade Commission. He pointed to TJ Maxx as an example: following its breach in 2007, the retailer was forced to pay out more than $9 million in fines to more than 40 different attorneys general.
In addition to the hard costs, businesses also suffer potentially priceless damage to their reputation and trust.
"There is a community of people who have a trusted relationship with you and that can be jeopardized," Pelgrin said. "How you recover from all of that can be very difficult."
Protecting Your Business
One problem is that many small business owners assume that, because of their size, they aren't a target for cybercriminals.
"We tend to think that it won't happen to us because we are too small and that they are really looking at the larger (companies), and that's not the case," he said. "Everyone is under constant attack at this point."
Since cybercriminals have become so effective in recent years, Pelgrin said that even with the best security measures in place, there are no guarantees businesses will be safe.
"There isn't a silver bullet out there," Pelgrin said. "The best you can do is to be as diligent and vigilant as possible to ensure you have done everything in your power to be as secure as you can be."
To protect consumer data as much as possible, Pelgrin advises businesses to take several steps:
- Know your environment: This means taking inventory of all the hardware and software that you have, as well as what version each is running. In order to protect yourself, you need to know exactly what you own. "What are your assets, what's your infrastructure look like, what's your network look like?" Pelgrin said. "There may be a known vulnerability and you might not even think it is within your infrastructure and unbeknownst to you it may be totally enabled throughout your infrastructure and therefore making you very vulnerable to an attack."
- Secure your environment: Bring your hardware, software, and network up to the highest level of security. Pelgrin said when small businesses buy new hardware and software, they don't always have the latest security measures on them. He said it is critical that businesses check each piece of equipment and download all the latest security patches. In addition, he said all the security settings should be turned up as far as they can be without hindering operations.
- Control your environment: Pelgrin said it is imperative that businesses don't give all their employees total access to their network and data. He said employees shouldn't have access to higher levels of administration than they need and shouldn't be allowed to download anything they want from anywhere they want. "Most of your employees should not have complete administrative access to their machines," Pelgrin said. "That administrative access should be limited to very few trusted individuals." In addition, businesses want to ensure the companies and vendors they are working with also have stringent levels of security. Pelgrin said it is critical to have documentation from the organizations you outsource parts of your business to on exactly what security measures they have in place. "It needs to meet the standards of what you would employ internally," he said.
- Monitor your environment: This involves constantly self-diagnosing the systems and network to ensure they are acting and performing as they should be. "You don't have to be a cyber expert to know something is wrong," Pelgrin said. "Your gut is a great first sign that something may be wrong, and then you need to reach out to those that have the expertise to help diagnose whether in fact you have been a victim of a cyber incident."
Pelgrin also encourages businesses to dedicate time each month to train employees on the importance of cybersecurity and how they can make sure they aren't contributing to leaks.
"You want to make it real for employees and the only way to do that is to talk about it and practice it," he said.
Kosc believes a key step in keeping data secure is having someone in the organization whose main responsibility is security.
"It needs to be something that is on someone's mind every day because that's their job," he said.
Mitigating the Damage
Kosc said businesses should have a clear strategy on how to deal with a breach since many experts believe it's not a matter of if – but when – one will happen.
"You want to have a plan in place before something like this happens," Kosc said. "So when an event does happen, you know what to do and how to limit liability as much as possible."
Part of that plan is knowing whom to call for help. Pelgrin said in times of crisis, you don't want to have to spend time figuring out who can assist you.
"You want to have those relationships upfront and in place," Pelgrin said.
Insurance providers are a relatively new source of help for businesses. Within the last several years, many have started offering data breach insurance.
Lynn LaGram, assistant vice president of small commercial underwriting at The Hartford, said the company has been offering data breach insurance since 2011, and its coverage comes in two parts.
The first covers the response expense and can pay for things such as notifying customers after a breach occurs, setting up credit monitoring for affected customers, hiring a public relations firm to help repair reputational damage and hiring legal and forensic experts to assess whether a breach did occur and where it came from.
LaGram said through The Hartford, businesses can get between $10,000 and $100,000 worth of response coverage.
The second part covers expenses small businesses may face should any lawsuits be brought against them by consumers who had information stolen.
"This covers civil awards, settlements or judgments that the small business owner would become legally obligated to pay as a result of a data breach," LaGram said.
Kosc said most civil lawsuits brought against businesses that lost data have been ineffective at this point because in many of these situations consumers can't prove that the thieves have used their stolen information in any way.
"There haven't been many so far that have been successful, because they have to be able to show an actual harm," Kosc said. "Until you can provide an actual injury has been suffered, (a court) can't award you damages."
While small businesses were originally slow to adopt data breach insurance, LaGram said more of them – especially in light of last year's high-profile cases – have been adding it to their protection arsenal.
"Data breach is one of our highest-selling optional coverages," she said.
For businesses to begin repairing their reputation and rebuilding trust following a data breach, Pelgrin said it is imperative they are upfront with customers when it happens, regardless of what state laws may dictate.
"I am a big believer in it's not if bad things happen, but how you react when bad things happen," he said. "That shows the quality of the company and that shows the quality of the individuals that work for that company."
Pelgrin said the last thing a business wants to have happen is for word of the breach to get out six months after it occurred and have customers think they did nothing about it because they didn't have to.
"Then you are in a position of trying to justify why you held on to that information," Pelgrin said.
The key is alerting customers as soon as the information on the breach is concrete.
"You don't want to put fear into people," Pelgrin said. "You really need to know what happened so when you give the information, it is very clear this is what we know, this is what happened and this is what we recommend how to mitigate it."
LaGram said small businesses must understand that this undoubtedly could happen to them.
"Small business owners are targeted at a much higher pace than larger operations because they are easier to penetrate," she said. "It is very easy for it to happen in a small business setting."