Small businesses present profitable frontier for hackers
While hackers have shown they can breach the security of major retailers such as Target and Home Depot, those most vulnerable to cybersecurity attacks are smaller companies that may not have the most advanced technology or insurance to protect themselves.
“The theft industry is turning their attention away from larger companies and turning to small to medium-sized businesses because their firewalls aren’t as sophisticated, and they’re easier to hack,” said Michael Kaplan, senior vice president of Shoff Darby, a Norwalk-based insurance agency that serves clients who face cyberthreats.
Many small to midsize companies don’t update their firewalls because they think it’s too expensive, but having upgraded software systems is what makes the difference, said Brian Doyle, vice president of cloud strategy at Trumbull-based Corserva. Forty percent of cyber attacks happen against companies with fewer than 500 employees, Doyle said. Forty-seven percent of business owners think if they get breached, it’s an isolated incident that will never occur again, he said. But a lot of times, hackers share information about the weakest areas to target for a future breach.
The Norwalk Chamber of Commerce, in an effort to educate small businesses about their risks, hosted a panel of cybersecurity experts in technology, insurance and the law to discuss ways to prevent damage to their reputations as well as to control liability costs.
The event was held at the Even Hotel in Norwalk. In addition to Doyle, the panelists were John Grise, vice president and partner at The Keating Group, and Steven J. Bonafonte, an attorney and partner at Pullman and Comley L.L.C. Kaplan from Shoff Darby helped organize the panel.
In the last 15 years, cyberthreats have become a widespread problem in the U.S. In the early 2000s, PCs became more advanced and popular, and companies began to give employees more remote access to their centralized computer systems, which further opened doors to intruders, Doyle said.
“Now hackers are looking for guys who sit at Starbucks on a PC, and the hacker could be sitting on that open network,” Doyle said. “If their PC is not protected, it’s possible for the hacker to get onto their PC. Many people have network connections to their offices, and hackers can use this as a secure link that leverages access to corporate headquarters.”
As corporations give their employees remote access to their secure networks, this creates a passage for hackers to bypass companies’ firewalls. For that reason, employers are seeking options to secure their networks and insurance policies that ensure protection from data breaches that happen outside the company walls.
Corserva, a company that once specialized in hardware systems, now focuses on software that enables it to monitor clients’ activities on their company servers and PCs at all times. The company also has a team of information technology and security professionals that take alerts from client sites and stop problems before they grow.
Practical tips for companies include blocking social media websites such as Facebook, YouTube and Twitter, which are potential entryways for hackers, and making sure personal laptops are encrypted or carefully monitored. Companies should also install Web-filtering software to block certain websites.
Once a data breach occurs, companies must understand their costs and liabilities, Grise said. Insurance firms deal specifically with taking up the liability of people who are suing businesses that have leaked personal information. The Keating Group, a wholesale brokerage firm that works with retailers who have relationships with businesses, has access to a number of insurance companies. Through collaborating with the retailers, the firm connects businesses to insurance policies.
In any cybersecurity issue, lawyers must help businesses provide a proper response to their clients and to their state and federal authorities. In Connecticut, businesses are required to notify everyone whose personal information could have been leaked, whether through hackers infiltrating computer systems or files gone missing. They must also report to the state attorney’s office through a written letter about what happened. Lawyers can then hire a third-party security technology firm that examines companies’ computer systems and identifies what kinds of data have been compromised.
“The company must retain an IT firm to do a forensic review,” Bonafonte said. “We recommend that companies obtain that through legal counsel so they won’t be subject to disclosure of data to third parties. From a legal service standpoint, we provide proactive counseling to react and respond to the data breach and how to effectively manage that.”
The standard protocol is for companies to provide free credit monitoring for their clients and pay for the cost of examining how each document was breached, which could mean spending an average of $194 per file, Kaplan said. These costs quickly add up for small and midsize companies but could determine whether they survive.
In most cases, companies that are sued for leaking personal information can prove they haven’t neglected their standard of care and acted proportionally to the measure of risk. There are discussions about passing statutes in states where people are guaranteed statutory harm as a victim of a data breach.
“We can control the standard of care and say we have been responsible and invested in prevention,” Bonafonte said. “But let’s say you have a massive data breach and potentially risk litigation. If these statutes are passed that provide compensation for statutory harm because people feel they should be compensated for their inconvenience, that’s a really big deal. Companies have to work harder to manage their own risks internally and make sure their insurance providers invest in breach avoidance.”