We’ve all heard about Target, Home Depot, Equifax, The Office of Personnel Management (OPM) and other large entities being breached over the last five years. Breaches like these often cost large companies $100’s of millions in terms of overall impact. While largescale breaches garner significant headlines across a wide range of media sources, many smaller companies are impacted and nobody hears about it.
In fact, well-known brands seem to fare better in terms of mitigating impact of a data breach than smaller businesses. According to the 2017 Verizon Data Breach Investigations Report, 61% of victims in this year’s assessment were small to medium size businesses with less than 1,000 employees. Although most of the news centers around massive company hacks such as Target and Home Depot, it’s really smaller businesses that seem to suffer the worst. One breach could financially bankrupt a small business, where a larger TJX or eBay can survive.
There are a couple key questions that may help frame how small- to medium-sized businesses can best avoid the dreaded breach. These simple questions can help provide awareness around the issue, but more importantly, help shape behavior.
Who are the bad guys?
Small- to medium-sized businesses (SMBs) are normally targeted by cybercriminals. Often these cybercriminals are large organized groups trying to steal information from companies that they can sell or use to commit fraud. Insiders often do damage to SMBs as well. Disgruntled or just plain sloppy employees can do a lot of damage either on purpose or accidentally. The interesting theme here is that cybercriminals often end up becoming “insiders” so to speak once they get an employee or employees to click on harmful links or attachments in emails.
Why are they targeting you?
You have information they want. The bad guys are looking for information they can sell or use to commit fraud. Credit card numbers, ACH details or financial information of any sort. They also realize you are a potential portal to many other businesses. If they can get into your email, it opens up the potential to target anyone you have corresponded with.
How will they target you?
Social engineering via phishing emails. There is a chance you are targeted over the phone or via walk-up. However, you are much more likely to be targeted via email than any other source. These emails will often look like legitimate emails from known sources. Some great information on social engineering is located here.
Potential Impact
Dealing with a breach of company data is not a load of fun. Depending which state you operate in will often dictate how one responds. What we do know is that a breached company is looking at hard costs. These costs include forensic experts, legal fees, providing free credit monitoring to those impacted, etc. At the rates those types of services charge, costs can escalate pretty easily. There is some recent information around SMB data breaches here. We are looking at an average cost of over $100,000 per breach. The larger the company and more records impacted the higher the average cost.
Summary
SMB’s are targeted by cybercriminals because we have access to data they can sell or use to commit fraud. The data they steal is making them money. The cybercrime industry world-wide produced an estimated $400 to $600 billion in 2016. For perspective, the entire Gross Domestic Product (GDP) of Ireland in 2016 was $294B. The industry is expected to top $2 trillion in annual costs by 2019. SMB’s are often viewed as low-hanging fruit as most don’t have extensive security controls in place to mitigate cybercrime.
Office technology dealers and their customers are no different than any other SMB; the vulnerabilities are ever present. Couple this with the knowledge that the copier/MFP and networked printers have as much data on them as a PC or server—devices that often get forgotten when it comes to data security, and we all have a lot of learning to do. Keypoint Intelligence recently published an article on HP and security issues that stated, “There are hundreds of millions of business printers in the world and less than 2% of them are secure.”
How can we stay out of the way of what appears to be an avalanche? Simply knowing we are being targeted and how is a good start, but not enough. We have to be willing to think about emails we receive and have a plan for those we find suspicious. If you’re not sure, don’t click! Talk about this with your employees and make sure you are all on the same page. Five minutes of prevention is worth avoiding costs associated with a data breach.
