[BreachExchange] Small Business Should Be Concerned About Cyber Security: Now More Than Ever

Audrey McNeil audrey at riskbasedsecurity.com
Wed Apr 25 21:14:26 EDT 2018


https://newsblaze.com/business/small-business/small-business-concerned-cyber-security-now-ever_130585/

Data breaches are a daily occurrence in today’s business climate. They are
now so common that most large corporations have caught on to the fact that
they need to take this threat seriously. This was not the case even 5 or 10
years ago.

Because big business has increased its attention to cyber security,
individuals and small businesses are becoming more of a target for cyber
criminals looking for access to sensitive financial information. For this
reason, small businesses should be concerned about cyber security now more
than ever.

Many small businesses have vendor partnerships with large corporations.
Through these partnerships, small businesses need access to the computer
databases of much larger corporations. When a small business is
compromised, this can give the cyber criminals access to the much larger
computer database of the partner corporation.

Two of the largest data breaches in history, Target and Home Depot, started
just this way. In the case of Target, it was an HVAC company that worked on
a few of their locations in the Pittsburgh area. For Home Depot, the
partner was a company that provided the hardware for credit and debit card
transactions at their self-checkout registers.

In both cases, the small business had been compromised for several months
without knowing it. The criminals waited until they found access to the
much bigger databases before they did their damage.

According to the National Cybersecurity Institute, nearly 87% of
respondents to its survey said they would be unlikely to do business with a
company that has suffered a data breach involving credit or debit card
information. A similar Experian survey showed that, depending on the type
of breach, the value of your company’s brand will decrease by between 17%
and 31%. These are damaging effects most businesses would have a difficult
time recovering from.

There are several things small businesses can do to prevent and limit the
damage of a data breach. Some of those things include properly training
your employees, requiring adequate passwords, shredding all sensitive paper
documents, and securing adequate commercial insurance for a data breach.

Train Employees

Preventing data breaches starts with every new hire a business makes. Any
employee who uses a computer needs to be properly trained on how to prevent
cyber-attacks. This should apply to all employees, regardless of whether
they are a receptionist or the CEO. It is important to never assume
anything about employees and their previous training. There are many people
who may be more than capable of doing their job, but are not properly
prepared to combat data breaches.

Many employees may be very capable of doing their job, but this does not
mean they are computer savvy or properly trained to protect the business
from hackers. Just a little bit of time and effort can properly prepare
employees to defend the business against hackers.

When developing cyber security training for employees, the training should
include protecting a work space, what an adequate password looks like, and
examples of phishing emails. Many businesses send out fake phishing emails
once a month to see which employees click on the fake email. If an employee
clicks on the fake phishing scam, there needs to be a conversation with
that employee. If they continue to fall for the scams, they need to go
through additional training.

Require Long Passwords

A small business should have strict guidelines for what a password should
and should not look like. There needs to be a minimum length with a
combination of lower case, upper case, numbers and special characters. Give
employees concrete examples of what a good password looks like and what it
does not look like. Here are some examples of good and bad passwords.

6h3il,W3r_27

This would be an example of a password that is extremely secure.

Ba53bA11_2388!2345

This would be an example of a password that is a little less secure, but
easier to remember.

JoeSmith or password

These are examples of terrible passwords that should never be used.

The first example is the most secure, but might be difficult to remember.
It may not be advisable for employees to use this type of password because
it is difficult to memorize. When employees use this type of password they
may be tempted to write it down and leave it out on a Post-it note on
their desk.

The second example might be best for most employees. The first eight
characters are a take on the word baseball. Employees can change this to
some take on football in the fall or hockey in the winter. The next four
numbers after a special character can be the numbers an employee wore when
they played high school athletics.

When required to reset their password they can simply change the middle
special character. In this case it is a !, which is typed on the keyboard
by pressing Shift and 1. When they need to reset the password they can
change just this special character to @, which is Shift and 2. The final
two examples of passwords are much too simple and must never be used by any
employee.

Shred Everything

At this point in time there is no reason for small businesses not to be
shredding every piece of sensitive information that is ever disposed of by
the business. In many cases, there is no need to print any type of
sensitive information. Some industries like banking or healthcare have
state or federal laws that require printing and storage of some documents.
If this is the case for your business, then adequate measures need to be
taken to secure that information and to properly dispose of it when the
business is no longer required to keep it. There are many types of machines
that can aid in this process and there are even businesses that specialize
in the removal of sensitive records. Taking this aspect of the business
seriously is an important part of cyber security strategy.

Purchase Adequate Data Breach Insurance

The longer a business exists, the higher the likelihood that an accident
will take place. It is not a matter of if, but when the business will face
an insurance claim. This fact is especially true in relation to data
breaches.

Data breaches are no longer only a problem for major corporations, and now
is the time for most small businesses to speak long and honestly with their
independent insurance agent about cyber insurance. There are three main
types of small business insurance that deal with data breaches.

The two main types of insurance are called Cyber Liability and Data Breach
Insurance. The third type of policy is called Technology Errors and
Omissions. The first two types of coverage are usually sold in tandem.

Data Breach Coverage deals with the first-party damage a business faces.
This damage can include hiring a forensic expert to determine the source of
the breach and fix it. It can also include the costs to notify all people
who had their information compromised and offer credit monitoring services
for up to one year.

The regulations in response to a data breach are dealt with at the state
level. Each state has different laws, but most of these immediate response
costs are required by law for businesses after a data breach.

Cyber Liability Coverage deals with the liability a business faces to third
parties damaged by a data breach. This policy covers the insured’s
liability for damages resulting from a data breach. These costs are
typically legal fees and lost time spent defending the reputation of the
business.

Technology Errors and Omissions Insurance is the final type of insurance
that deals with cyber security. This coverage is a form of liability policy
that protects businesses that provide or sell technology services and
products. It prevents businesses from bearing the full cost of defending
against a negligence claim made by a client, and of damages awarded in a
civil lawsuit.