BreachExchange mailing list archives

Small businesses at high risk for data breach


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 7 Jul 2014 18:27:56 -0600

http://www.latimes.com/business/la-fi-small-data-breaches-20140705-story.html#page=1

To the money managers at Silversage Advisors in Irvine, it seemed like a
no-brainer to store backup computer drives far from the main office to
ensure seamless operations in case of a calamity.

Then professional burglars hit the home where the drives were kept, cracked
open a safe bolted to the floor and made off with the financial records of
hundreds of the firm's affluent clients: names, addresses, Social Security
and driver's license numbers, account information.

The lesson for Silversage and other small businesses is simple, said Daniel
D. Sands, a managing partner at the firm: "It's not a question of if you're
going to have identity theft. It's a question of when — and are you
prepared to deal with it?"

The big data breaches make headlines — such as the millions of consumers
whose financial secrets were exposed by the Target Corp. hack and the
Heartbleed software bug. But for every high-profile case, there are dozens
of threats to confidential data held by everyday enterprises: wine shops,
dentist offices, colleges, gay and lesbian community centers, makers of dog
tags, defense electronics, sports gear.

The examples are culled from a list of breaches maintained by the
California attorney general. They expose an underside of U.S. commerce
populated not only by omnipresent hackers, but by thieves who snatch office
computers, disgruntled vendors who use purloined data to slander businesses
and poach employees, and ex-employees who turn traitor for profit.

All private enterprises and government offices are required to alert
potential fraud victims in such cases. If more than 500 Californians are
affected, the institution must give the attorney general's office a copy of
the advisory letter sent to potential victims. More than 380 of these
letters have been posted since the program began in January 2012 — which
equates to a major breach in the state every 2½ days.

The consequences can be costly, as 80sTees.com of Pennsylvania discovered
when someone believed to be a former high-ranking employee accessed the
identities of customers all over the country, including in California. The
retro shirt seller stopped accepting credit cards for four months, launched
a new website and blocked all employees from accessing clients' financial
information.

Many small firms know little or nothing about cybersecurity, according to
the National Small Business Assn., despite the prevalence of data thefts.
The trade group reported that 44% of respondents to a survey last year had
been victims of at least one cyberattack, with an average $8,699.48 cost
for each breach.

California's size and wealth make its businesses a popular target,
according to experts.

"We are absolutely facing an epidemic of attacks on our nation's
infrastructure and attempts to gain access to information," said Jason
Oxman, chief executive of the Electronic Transactions Assn. "But smaller
merchants tend to be easier and more attractive targets for cyber
criminals."

At Rosenthal Wine Bar & Patio, a Malibu tasting room across the highway
from the Pacific, small groups in sundresses and shorts lounged in wicker
chairs under palm trees and strings of lights, mellow jazz setting the mood.

This year, the business — part of the Raleigh Enterprises network, which
also includes Raleigh Studios and Hollywood Rentals — discovered malicious
software on computer systems used to process credit card transactions at
the wine shop.

Names, addresses, card account numbers, expiration dates and security codes
may have been compromised, the company said in a March notification to
customers.

The reaction was immediate. Wine shop customers started using cash instead
of credit cards. Though Rosenthal's wine club was safe from the hack, some
members canceled subscriptions.

The incident resulted in tons of bad reviews on Yelp, the online directory,
club manager Heather Ryon said. One commenter on the site said that within
two days of visiting the wine shop, she found fraudulent charges on her
credit card statement from online men's stores.

"We have gone to extreme measures to make sure that this doesn't happen
again," Ryon said. "Customers tend to be like family to us. We'd hate for
anybody to feel like they've been betrayed by us."

Only a handful of customers were affected by the breach, said Katherine
Dimas, operations manager for Rosenthal Estate Wines, which worked with the
FBI and boosted its security protocols in the aftermath.

Dimas encouraged other small businesses to run security scans on their
payment systems and listen to customer complaints for red flags.

"It's an era of fraud," she said.

Companies that process, store or transmit credit and debit card data are
expected by card companies and payment processors to abide by the Payment
Card Industry Data Security Standard, a checklist of protocols known as
PCI. But it's not a federal requirement, and not all states mandate
compliance. Many of the 8 million U.S. businesses that accept credit and
debit cards don't bother.

Investigators usually conduct audits only after a breach, to determine
whether the company is liable for the fallout. Otherwise, proactive
companies have to pay a fee for voluntary checkups.

"No entity has the bandwidth to check up on all of those," Oxman said.
"There's just no way to stay on top of everyone."

Small-business owners often leave themselves vulnerable to breaches by
browsing social media or messaging friends on the same computer used to
process financials, Oxman said. Others allow employees to log in to company
networks remotely using easily stolen passwords or credentials.

Many don't use anti-virus software because it seems costly or bothersome,
and may not realize they've been breached until a payment card company
notifies them of suspicious transactions.

"It's an economic calculation for a small merchant — is it more expensive
to secure the network, or pay for the damages that may result if not?"
Oxman said. "But many don't consider the possible reputational harm. If
you're a small business, you might not be able to withstand the drop in
business that might result from a breach."

At Orange County's Silversage, the alarm over reputation rang loud and
clear.

"We're in the trust business," said firm managing partner Sands.

Fortunately, he said, no clients have reported related fraudulent activity.
Silversage advised all those affected to place fraud alerts on their credit
files, offering them one free year of credit monitoring and identity theft
protection services. And it advised all clients to secure the same
protection for themselves and their children.

"These days, it should be just like having auto insurance," Sands said.

He recommended that businesses hire security consultants to search for weak
spots in data protection. Then, he said, they should plan exactly how they
will notify and help protect anyone whose data are stolen.

"Having that notification plan," Sands said, "is probably just as important
for a business as having a disaster recovery plan for earthquake or fire."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss