BreachExchange mailing list archives

Small Businesses at Big Risk for Data Breaches


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Jul 2014 19:30:41 -0600

http://www.nacsonline.com/News/Daily/Pages/ND0708143.aspx#.U7wt65RX-uY

An article this weekend in the Los Angeles Times detailed numerous examples
of Southern California businesses that became victims of data breaches, in
spite of what they thought were their best efforts to secure their data.
The lesson? According to one business owner: "It's not a question of if
you're going to have identity theft. It's a question of when — and are you
prepared to deal with it?"

While the big data breaches make headlines — such as last year’s Target
breach — for every high-profile case, there are dozens of threats to
confidential data held by everyday enterprises: retail shops, doctor’s
offices, colleges and countless small-business owners.

The crimes are committed not only by omnipresent hackers, but by thieves
who snatch office computers, disgruntled vendors who use purloined data to
slander businesses and poach employees, and ex-employees who turn traitor
for profit.

Many small firms know little or nothing about cybersecurity, according to
the National Small Business Association, despite the prevalence of data
thefts. The trade group reported that 44% of respondents to a survey last
year had been victims of at least one cyberattack, with an average
$8,699.48 cost for each breach.

According to the LA Times article, experts say California's size and wealth
make its businesses a popular target. "We are absolutely
facing an epidemic of attacks on our nation's infrastructure and attempts
to gain access to information," said Jason Oxman, chief executive of the
Electronic Transactions Association. "But smaller merchants tend to be
easier and more attractive targets for cyber criminals."

One example in the article was Rosenthal Wine Bar & Patio, a Malibu wine
tasting room. Earlier this year, the business discovered malicious software
on computer systems used to process credit card transactions at the wine
shop.

Names, addresses, card account numbers, expiration dates and security codes
may have been compromised, the company said in a March notification to
customers. The reaction was immediate. Wine shop customers started using
cash instead of credit cards. And though the business’s wine club was safe
from the hack, some members canceled subscriptions. The incident resulted
in numerous bad reviews on Yelp, even though only a handful of customers
were affected by the breach.

Companies that process, store or transmit credit and debit card data are
expected by card companies and payment processors to abide by the Payment
Card Industry Data Security Standard, a checklist of protocols known as
PCI. But it's not a federal requirement, and not all states mandate
compliance. Many of the 8 million U.S. businesses that accept credit and
debit cards don't bother. Investigators usually conduct audits only after a
breach, to determine whether the company is liable for the fallout.
Otherwise, proactive companies have to pay a fee for voluntary checkups.

Small-business owners may unknowingly leave themselves vulnerable to
breaches by browsing social media or messaging friends on the same computer
used to process financials. Others allow employees to log in to company
networks remotely using easily stolen passwords or credentials. Many don't
use anti-virus software because it seems costly or bothersome, and may not
realize they've been breached until a payment card company notifies them of
suspicious transactions.

One recommendation to avoid and address security issues: businesses should
hire security consultants to search for weak spots in data protection.
Then, develop a plan for exactly how to notify and help protect anyone
whose data is stolen.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/