Sep 26, 2013

Are You Prepared? Record Number Of Cyber Attacks Target Small Business

“Give a man a fish and you feed him for a day. Teach a man to phish and he’ll use your credit card to buy dinner.”

If you think your business is too small to be an attractive target for cyber criminals or you don’t have anything worth stealing, think again: The 2012 Data Breach Investigations Study by Verizon shows that in 855 data breaches they examined, 71 percent occurred in businesses with fewer than 100 employees. Verizon’s 2013 Report shows attacks on small business increasing in record numbers as well. Ouch!
The report came to my attention via Vikas Bhatia, a New York-based security expert who heads Kalki Consulting, a company that helps organizations identify and prevent security-related risks. His team supports organizations of all sizes, but he reports that the level of unpreparedness and naivety in small businesses, in particular, is an epidemic.
Bhatia works extensively with New York Small Business Services and the Mayor’s office. To address this chronic issue (particularly in the aftermath of Hurricane Sandy, which his team has also played a role in addressing through the NJ Small Business Development Center), his company recently published a How To Guide on Cyber Security for the NYC program that is available to all.
As to the growing and chronic issue of cyber security and small businesses, we had an interesting chat about where entrepreneurial companies are getting tripped up, and the surprisingly simple things they can do that would alleviate or even eliminate the lion’s share of their risks.

As we visited, Bhatia shared some interesting stories. A three-person company being incubated from a shared space in downtown Manhattan recently fell victim to the theft of its three Mac Air computers, when a petty thief managed to walk the three machines out the door. Where was their business data? You guessed it. On the company laptops. No backup. In an instant, the business lost a year and a half of research and development by each of the three.
Other cases emerge where entrepreneurs think their data is safe because it’s been stored “in the cloud”. “Where is the cloud?” Bhatia asks me. “Do they know? Are they paying attention?” He points to a number of recent cases where cloud services for sensitive data such as electronic medical records have been breached.
Another recent incident Bhatia reports: An employee in a small business had taken data she shouldn’t have had access to from the company’s owner. When Bhatia’s team investigated, however, they found something even more alarming: over a three-month period there had also been three and a half thousand scurrilous attempts to enter the company’s website from locations all over the world.
“Who is designing and setting up your company’s website?” Bhatia asks. “We see all of these small businesses working with service providers spinning up sites for them on platforms like WordPress, but is the developer of the site or the group helping you protecting you from the risks that exist for these platforms, or are they even aware?”
As Bhatia asks these questions of customers, he says he’s increasingly accustomed to the response he gets in most cases: a blank stare.
“We used to think the primary cybersecurity threats were coming from adult websites,” he said. “But not anymore. Legitimate sites you visit – such as Dr. Smith’s dental practice, to check for opening hours—can be affected with malware that looks for your credit card numbers, social media passwords, Excel files, QuickBooks files—if I’m a bad guy who’s financially motivated (as 70% of cyber criminals are) I’m honed in on how to obtain enough details to open up a credit card in a person or a company’s name.”
Bhatia mentioned another risk most small businesses are entirely naïve to: What do you advertise about the clients you work with?
“It’s common practice for a small business to advertise their client list,” Bhatia tells me. “But what they don’t realize is that cyber criminals are viewing you as a stepping stone into your client’s organization as well. If they find out your company works with ‘Global Investment Bank’, for example, you become a potential target, because the criminal knows you have at least email communication with the people in that organization, and potentially even more.”
In the course of conducting your business do you store client information or intellectual property of any kind? Product designs? Customer lists for campaign fulfillment? All of this information presents a cyber security risk.
