Data breaches have a way of being much worse than they initially seem. The infamous theft of customer information from T.J.Maxx in the 2000s turned out to be far more extensive than originally reported, involving more than 45 million credit and debit cards. More recently, the theft of more than 450,000 user names and passwords from Yahoo in July also exposed account credentials tied to e-mail addresses at Gmail, AOL, Hotmail, Comcast, MSN, and several other services. If subscribers to the breached Yahoo service reused the same passwords for those e-mail accounts, then the hacking group that breached Yahoo, and then posted the names and passwords online, now holds working credentials for those accounts as well.
Not surprisingly, Yahoo came under fire for its security practices and for not informing its customers of the breach faster than it did. At the end of July, a Yahoo user filed a lawsuit (and is seeking class-action status) against the company for failing to safeguard users’ personal information.
But data breaches aren’t just a problem for large outfits like T.J.Maxx and Yahoo. Nearly 72% of breaches in 2011 involved organizations with 100 or fewer employees, according to Verizon’s 2012 Data Breach Investigations Report. For small and midsize businesses that experienced downtime after a breach, the median cost was $12,500 a day, according to a 2011 survey by security provider Symantec.
Unlike large companies, smaller businesses have fewer resources to deal with cybercrime, making them an “ideal target” for “money-driven, risk-averse cybercriminals,” says the Verizon report. What’s more, “small and midsize companies can lose as many records as large ones,” says Larry Ponemon, chairman of the Ponemon Institute, a privacy and data protection research group.
Insurance: Available but Expensive
How can smaller companies protect themselves from cyber loss? Insurance is one way, but historically it’s been costly. “You can always get insurance for anything,” says Ponemon. “But if you go to a specialty insurer, the premiums are high, as it’s difficult to model exposure” in the cyberworld, he says. And that makes underwriting difficult. In particular, the tough part for an underwriter “is finding out where the risk is,” says Steve Vallone, a broker at Worldwide Facilities, a wholesale specialty insurance brokerage.
Some carriers figure out how to charge based on a company’s revenue, says Vallone, “but that doesn’t bring in the whole picture: how sophisticated your IT is, how up-to-date your systems are, what information you keep on those systems, and whether you keep customer information on file or you give it to third parties.” Still, it is getting cheaper to buy coverage as insurers become more familiar with IT security best practices, he adds.
Insurers that offer breach-response services in addition to liability coverage can help prevent small companies from making costly mistakes in responding to data breaches, contends Jamie Orye, who manages an underwriting team at Beazley, a specialty insurer. For instance, after becoming aware of a data breach, companies are often in a rush to send out letters to their affected customers, he says. But “the law identifies what can and can’t be put in a letter,” he notes. “The letters themselves present a risk of violating regulations.”
Without insurance that includes response assistance, says Vallone, “if you [have] a breach, you [have] to hire lawyers; maybe hire an IT consultant to figure out what went wrong and how to fix it. That’s a lot of work. Then you have to consider hiring a PR firm. What do you do? There’s a lot of uncertainty.” Vallone believes cyber- and breach insurance, especially in the small and midsize business space, will become as prominent as employment practices liability insurance, which used to be elective and is now almost universal.
When looking for data-breach insurance in particular, Ponemon suggests asking insurers how many breaches they have handled, whether they have dealt with breaches in the company’s industry, who their vendors are, and whether they insure for third-party data loss.
An Ounce of Prevention
There are also simple steps that small and midsize companies can take to ward off data breaches. According to the Verizon report, 79% of the attacks it analyzed were opportunistic rather than targeted. Among the largest companies — those with at least 1,000 employees — that percentage dropped to 35%. In other words, many smaller companies are getting cyberburgled because they’ve left their front doors wide open. “Targets of opportunity are breached not because of who they are but because of what they’ve presented to the attacker — an open door, a weakness, or a vulnerability that can be easily exploited,” says Marc Spitler, security principal at Verizon and co-author of the report.
For the most part, “the attackers don’t even know who these small businesses are or what they do,” Spitler says. “They’re going after things like payment cards, and it’s really no concern to them where they get them, as long as they get them from somebody.”
Hacking accounted for 81% of the data breaches in the Verizon report, and more than half of those hacking breaches succeeded because firms were still using default or easily guessable credentials. Thus, one of the simplest ways to avoid an opportunistic data breach is to change the default credentials and administrative passwords that ship with point-of-sale (POS) systems and other Internet-connected devices, and to replace them with strong passwords (long ones that mix numbers with upper- and lowercase letters) rather than words an attacker would try first.
The Verizon report also suggests that companies implement a firewall or access control list on remote access services, avoid using POS systems to browse the Internet, and make sure their POS systems are PCI DSS compliant. “These tips may seem simple,” the report adds, “but all the evidence at our disposal suggests a huge chunk of the problem for smaller businesses would be knocked out if they were widely adopted.”
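The two conditions the report singles out, default or guessable credentials and remote-access services open to the whole Internet, are easy to check for offline once a business has a list of its devices. The script below is an added example written for this article, not code from Verizon or the report; the device inventory, the vendor-default and common-password lists, and the length and character-class thresholds are all constructed for illustration and are not drawn from any real vendor or from the report. It flags each device whose accounts match a default pair, reuse the user name, or fall below a simple strength floor, and each remote-access service (RDP, VNC, pcAnywhere, SSH, Telnet) whose allowed source range is the entire Internet instead of a firewall or ACL allowlist.

```python
"""Offline audit of a small-business device inventory for the conditions the
DBIR tips call out: default/guessable credentials and remote-access services
reachable from any address.  Added example; all data below is constructed."""
import ipaddress
import re

# Constructed vendor-default credential pairs (hypothetical, not a real list).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("pos", "pos"),
    ("administrator", ""),
    ("root", "root"),
}

# Constructed list of commonly guessed passwords (hypothetical).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "store1"}

# Remote-access services that should sit behind a firewall or access control
# list rather than listen to the whole Internet.
REMOTE_ACCESS_PORTS = {3389: "RDP", 5900: "VNC", 5631: "pcAnywhere", 22: "SSH", 23: "Telnet"}

# Illustrative strength floor (assumed thresholds, not from the report).
MIN_LENGTH = 12
MIN_CLASSES = 3


def password_findings(username, password):
    """Return the list of weaknesses found in one credential pair."""
    findings = []
    if (username.lower(), password) in DEFAULT_CREDENTIALS:
        findings.append("default credential")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common password")
    if password.lower() == username.lower():
        findings.append("password equals username")
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        findings.append(f"fewer than {MIN_CLASSES} character classes")
    return findings


def exposure_findings(service):
    """Flag a remote-access service whose allowed source range is the whole Internet."""
    name = REMOTE_ACCESS_PORTS.get(service["port"])
    if name is None:
        return []
    net = ipaddress.ip_network(service["allowed_from"], strict=False)
    if net.prefixlen == 0:  # 0.0.0.0/0 or ::/0 means no ACL at all
        return [f"{name} on port {service['port']} reachable from any address"]
    return []


def audit(inventory):
    """Map device name -> list of issues, omitting devices with no findings."""
    report = {}
    for device in inventory:
        issues = []
        for cred in device.get("credentials", []):
            for finding in password_findings(cred["user"], cred["password"]):
                issues.append(f"account {cred['user']!r}: {finding}")
        for service in device.get("services", []):
            issues.extend(exposure_findings(service))
        if issues:
            report[device["name"]] = issues
    return report


# Constructed sample inventory: one untouched POS terminal, one router with a
# short admin password, and one hardened POS terminal.
INVENTORY = [
    {"name": "POS-register-1",
     "credentials": [{"user": "admin", "password": "admin"}],
     "services": [{"port": 3389, "allowed_from": "0.0.0.0/0"}]},
    {"name": "back-office-router",
     "credentials": [{"user": "root", "password": "Summer2012!"}],
     "services": [{"port": 22, "allowed_from": "203.0.113.0/24"}]},
    {"name": "POS-register-2",
     "credentials": [{"user": "clerk", "password": "Xk7#mPq2$vL9wR"}],
     "services": [{"port": 5900, "allowed_from": "198.51.100.7/32"}]},
]

if __name__ == "__main__":
    for name, issues in audit(INVENTORY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

In the sample run only the hardened terminal comes back clean; the untouched register is flagged both for its admin/admin login and for RDP listening to the whole Internet, which is exactly the "open door" profile the report describes. A real deployment would replace the constructed default list with the vendor's documented defaults for each POS model and feed the allowed-source ranges from the actual firewall or ACL configuration.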