“Give a man a fish and you feed him for a day. Teach a man to phish and he’ll use your credit card to buy dinner.”
Many people say that they are too small for hackers to bother with them.
The reality, according to Verizon's 2012 Data Breach Investigations Report, is that of the 855 breaches studied, 71% occurred in businesses with fewer than 100 employees.
While this is a different kind of cyber theft, the Forbes article mentions a three-person company in an incubator space that lost three MacBook Air laptops when someone simply walked out of the space with them. Of course, they had no backups. That was a three-person company.
Small companies often provide services to larger companies. I used to work for a 60-person company that sold to Fortune 50 companies. The large company usually prohibits the smaller company from advertising that the larger company is its customer, even though that would be a great referral for the smaller company. Why? Think of Target. Or Home Depot. Or a bunch of other companies.
If the hackers know that your small company provides services to, say, Target, then they might choose to hack you as a way to get into Target. Fazio Mechanical, an HVAC vendor in the Pittsburgh area, is widely reported as the entry point for the Target breach; prior to that breach, no one outside of western Pennsylvania and eastern Ohio had heard of them. THAT is the reason the bigger company doesn't want anyone to know that you sell to them.
While the article provides a couple of simple tips, the trick is not to be lulled into a false sense of security that if you just do those few things, your cyber security is handled. That is not the case. But there are a number of things you should do to reduce the odds of being in the news tomorrow as the newest breach survivor. None of them will be free. They may cost money and, more importantly, they may require you to stop walking out in front of moving cars, so to speak. Changing the habits of your employees is sometimes more difficult than spending money.
According to First Data, the big credit card processing vendor, around 60%-70% of its small business customers that suffer a breach are out of business within a year, so you are gambling big time if you hope that you are too small to be breached.
Congress may get into the act and try to help you as well. One bill recently introduced, H.R. 4187, takes a pretty expansive view of personally identifiable information and would cover a breach of just one record. It would require the FTC to create new rules covering how you protect personal information and also which breaches you have to report.
Currently, maybe 10% of the breaches that happen are reported.
There are two reasons for this. The first is that, in many cases, the breached company is not even aware of the breach. And this is not limited to small companies. Scottrade, in the news recently for losing information on 4.6 million customers, found out about the breach when the F.B.I. came to visit. At least the F.B.I. came to visit Scottrade. They are likely not going to visit a small business at all.
Second, the law does not require most breaches to be disclosed. Let's say your company is hacked and the hacker steals the purchase history of all of your customers MINUS their credit card information. That breach does not need to be disclosed to your customers or to any government agency, assuming you even know that the hackers were there. Under the current legal definition of non-public personal information, your customer list and purchase history are not something you have to tell anyone about. And if you don't have to, why would you? All it will do is tick off your customers. That is what H.R. 4187 sets out to change.
In fact, many breaches are only disclosed because someone – often inside the company – accidentally or intentionally leaks it.
The companies that make up the 71% of hacked businesses in the Verizon report with fewer than 100 employees learned that they were NOT too small a little too late.
You, however, can learn from their mistake. Or, you can continue to cling to your hope that you are too small to be hacked. The choice is yours.
Information for this post came from Forbes.