While data breaches and hacking incidents make headlines when billion-dollar corporations or government organizations are involved, similar incidents at smaller companies rarely make the news. It takes an average of 240 days, or 6 months, to discover that a network intrusion or data breach has occurred, according to Thomas Ryan, an enterprise security expert at Hewlett Packard.
In January 2015, President Obama encouraged new laws that would require companies to disclose details of when they have been hacked. Several cybersecurity-related bills are presently pending.
The President’s statement came soon after the data breach of 56 million customer credit card details at Home Depot.
Cybersecurity for Smaller Businesses
Cybersecurity consultant and expert Karl Kispert addressed the concerns of small and medium business owners at a cybersecurity conference, highlighting the potential liabilities and risks for smaller companies. The talk also stressed that the cybersecurity threats facing smaller companies are real and growing, and that business owners need to be prepared for cyber-attacks.
“If I’m a hacker, the weakest link is a vendor with few, if any, controls around their IT environment,” Kispert said. “Small to midsized companies are as at risk as any of the companies you read about in the newspaper.”
A significant hack stemming from a small business
Kispert used the example of the infamous Target data breach of 2013 to show how small businesses are susceptible to being targeted by attackers. Here’s how the hack occurred:
- Employees at Fazio Mechanical Services, a small refrigeration company from Pittsburgh, were working for Target.
- One or more of Fazio’s employees had access to Target’s network, which contained data about electronic billing, project management and contract submissions, as is routine with the work they did for Target.
- According to published reports, the employee(s) allegedly accessed a malware-infected email from an outside hacker.
- This led to the hack of 40 million Target customers’ credit and bank cards.
Earlier this year, Target said that its 2013 data breach would eventually cost the company an estimated $252 million. Significantly, the company expects insurance to cover only about $90 million.
Most publicized data breaches are incidents involving Fortune 500 companies and big corporations. Smaller companies aren’t always insured, and cyber-attacks aren’t covered by general liability insurance.
This is changing, according to Carol Gabel, a consultant at a risk management firm. “Cyber insurance is becoming one of those essential products, it will become more affordable and more available,” she said.
Services such as a Compromise Test and a Threat Assessment Test, offered by modern cybersecurity and digital forensics firms, can help businesses of all sizes in a world where cyber-attacks are a real threat.