Businesses are still coping with cyber-related data theft. The breaches at luxury retailer Neiman Marcus and discount retailer Target Corp. are now chapters in modern business archives. Financial services giant J.P. Morgan, office supplier Staples, and retailers Kmart and Home Depot are the latest to join the ranks of prominent data breach victims.
Smaller Businesses Are Also Hacker Targets
Just as critical, but less well publicized, is the number of small and mid-sized businesses that are quickly becoming targets for data theft. Thieves breached customer information at a popular family-owned seafood shack in Maine. According to IPWatchdog, Inc., “The prevailing attitude shared by many business owners in the technology age is that larger corporations are generally at more risk of cyber-attacks than smaller ones. However, the reality bears out a much different picture. The U.S. Secret Service, in conjunction with Verizon Communication’s forensic analysis unit, investigated 761 data breach events in 2010, more than 60 percent of which targeted businesses with fewer than 100 employees.” Since the 2010 investigation, the number of small and mid-sized businesses that came under cyber-attack has grown.
Businesses must realize that, regardless of size and profit margins, they are as vulnerable to cyber theft as they are to traditional robbery. While the presence of non-cyber security personnel and surveillance systems may deter physical theft, it does not protect a business from data breaches.
Resources for a Cyber Attack
A cyber-attack can unleash from either a physical or cyber resource: a card reader or “skimmer” attached to a cash register or bank ATM, a stolen desktop or mobile device, a stolen credit/debit card or check, clues from search engines results, downloaded malware, printouts of personal and financial records, information-gathering online forms, social engineering (deception in verbal, visual, or text form), and social media. Data on physical media can quickly be converted into digital files for use in original or automated algorithms.
The Employee Connection
Although a breach can take place anytime, anywhere, and in many formats, “It is more likely to originate through a company employee instead of an interested outsider,” according to cyber security expert Ray Friedman, the CEO of Mile2. “We are uncovering more instances of employees who commit security breaches, whether through accident, ignorance, or malicious intent.” This nullifies the popular assumption that the hacker is typically a foreign-based or foreign-born non-employee.
“With weak access controls and poor policies the malware, wherever it comes from, works aggressively to quietly contaminate the entire corporate network,” Friedman pointed out. “Often, compromised data is discovered much later because the executable files and codes are designed to remain dormant until released at a specific date and time. This makes it more difficult to do forensic tracing back to the original perpetrators.”
Company and Government Responses to Hacker Invasion
Companies typically respond to hacker attacks by temporarily disabling their websites and mobilizing IT groups to eliminate the malware, “patch” the networks, and examine data bases for signs of stolen information. Then companies notify clients of the breach with assurances that all is well. Too often, company action is too late. “Credibility is lost and customers shop elsewhere,” commented Friedman.
Statistically, very few companies take decisive measures to prevent hacking from happening, although they may have been hacked before.
Unfortunately, government agencies are no safer from hackers than the private sector. If critical data, often social security numbers, is stolen, the public is completely unaware until citizens themselves notice something is wrong and file complaints.
Protecting Businesses through Tips and Training
IPWatchdog, Inc. offers some sound tips to keep businesses safe from cyber-attacks, such as identifying weak systemic links and recognizing “phishing” and social engineering tricks. But Friedman adds that companies need more than a few good tips; they need training. “Ordinary end users can certainly benefit from some level of cyber security training,” he acknowledged. “But the best training candidates are programmers, web masters, database managers, IT security personnel, and anyone involved in software development or administration. Giving them up-to-the-minute training on the latest preventive technologies benefits a company.”
“Companies with IT departments should evaluate the anti-hacking methods of their IT employees and consider formal training with certification,” Friedman continued. “This is what Mile2 is about. It’s an organization dedicated to cyber security training where IT professionals who successfully complete a program become certified. Many classes were created around specific standards for different industries and government. ”