Large companies get most of the headlines for security breaches. This is in part due to the fact that big retail and financial institutions store extensive amounts of personal information such as credit card numbers and social security numbers.
In a recent security breach, Kmart’s in-store payment systems were infected with malware. Customers and users of California-based e-signature vendor DocuSign were targeted by phishing attacks in mid-2017.
Small businesses are, by definition, smaller targets for would-be hackers. However, small businesses are by no means exempt from various forms of digital and physical intrusion.
Because most data security breaches are criminal acts, here in California the Department of Justice has been active both in educating business owners and in prosecuting hackers when security breaches do occur.
We’ll start with some high level information on the main types of data security breaches. We’ll then cover how to mitigate the various types of threats.
Phishing
Phishing occurs when someone tricks an employee into divulging personal, financial or other account information. Posing as a well-known company, a thief sends out emails asking the recipient to reply. The thief may also direct the recipient to a fraudulent web page that asks the employee to key in personal information, such as a credit card number, Social Security number or account password.
Phishing attempts directed at specific individuals or companies are known as spear phishing. Attackers often gather personal information about their targets to increase their probability of success. Spear phishing is a highly successful malicious tactic and therefore accounts for over 90% of attacks.
Malware
Malware, short for malicious software, is a catch-all term used to refer to a variety of forms of hostile or intrusive software, including:
- Trojan horses
Ransomware
Ransomware is malicious software that blocks a victim’s access to their data. It then threatens to publish or delete the data unless a ransom is paid.
The May 2017 WannaCry ransomware attack was the worst global cyber disaster in years. It was reported to have infected more than 230,000 computers in over 150 countries. Update: since we first published this post, a new variant of the Petya ransomware attacked computers worldwide beginning on June 27, 2017. This ransomware is based on the same exploit as WannaCry.
Physical Security Breaches
Physical security is the protection of hardware, software, networks and data from physical actions and events that could cause data loss for a small business. This includes protection from fire, flood, natural disasters, theft and vandalism.
While theft and vandalism can be mitigated to some degree through digital precautions such as video surveillance, the main role that digital measures play in physical security breaches and other forms of physical data loss is to make sure that lost data can be restored.
Small Business Susceptibility to Security Breaches
In recent years, the California Department of Justice has been active in raising awareness about potential threats to businesses.
The California Data Breach Report for 2016 stated, “Despite generally having less data than larger businesses, small businesses were still a significant breach risk and represented 15 percent of all breaches reported. They were most susceptible to hacking and malware attacks, but also experienced physical breaches at a greater rate than larger businesses.”
With nearly 4 million small businesses, California has more small businesses than 40% of states, including Oklahoma and Connecticut, have people.
The California DOJ also published an extensive guide for small businesses called Cybersecurity in the Golden State. While several years old, this document still provides some good, common sense advice about how businesses can defend themselves from attackers.
Strengthening Small Business Data Security
What can a California small business owner or manager do to strengthen security? Here are some important defenses.
- An up-to-date and properly configured firewall
- Regular data backups, preferably both onsite and offsite
- Anti-virus software installed on all desktops, laptops and servers
- Email security software installed on all desktops and laptops
- The latest patches and updates installed on all devices
- Administrative rights that are not assigned too liberally
- Properly secured wireless access points (including wireless printers)
- An ongoing security awareness program for employees
- Regular health checks on any system that contains business critical data
- A plan to recover from any incidents that may occur despite best efforts
For a small business owner or manager, it’s difficult to keep up with all the potential security breaches and how to defend against them. Protecting a business against malicious events is not a “set it and forget it” proposition.
The ongoing maintenance components are essential for making sure that all the latest protections are in place and that no hard drives or servers are at imminent risk of failure.