Data breaches are today's bogeyman. In the days of yore, the mythical, sack-carrying creature was a device used to scare children into good behavior. If you skim the headlines after a data breach hits yet another corporate giant (hi, Target, UPS, Home Depot, JP Morgan, and Sony!), you get the sneaking suspicion that these instances are their own kind of cautionary tales. Better not do X, Y, and Z, or the data breach monsters will get you!
Maybe that's why many small-business owners have a hard time distinguishing the hype from the facts when it comes to data breaches. So let's set the record straight. Here are eight common misconceptions even tech-savvy business owners may have about data breaches.
- Hackers hit their target directly. You may think that hackers simply beat down a point-of-sale system until it breaks, but cyber attackers often infiltrate POS systems via contractors. When Target was hit, hackers first infiltrated the air-conditioning company that serviced Target's corporate headquarters. Because the contractors had access to Target's network, the hackers used that entryway to get inside the retailer's firewall.
- Big businesses are prime targets for data breaches. Bad news, small-business owners. While big-business breaches make headlines, 71 percent of cyber attacks target small businesses because they don't have the resources to fend off an attack. According to a 2013 National Small Business Association survey, 44 percent of small-business respondents were victims of at least one cyber attack. The average cost of each breach? About $8,699. Given that the Ponemon Institute's 2014 Cost of Data Breach Study shows that the cost of data breaches increased this past year by about $13 per stolen record (from $188 to $201 for each breached record), that number is probably even higher today. Plus, that number doesn't account for the cost of interrupted service or reputational damage, which can be the bulk of data breach expenses. Read more about that here: "'No Business Too Small' to Be Hacked, Says Security Expert."
- Hackers and identity thieves are one and the same. Contrary to popular belief, hackers don't commit identity theft themselves. Instead, they break into a company's system, download credit card information, and sell that data for about $5 to $20 apiece on underground sites frequented by identity thieves. There is such a thing as the online black market, and it's called the Tor network. This hidden, anonymous part of the web can only be accessed via specialized browsers.
- The breached business knows about the hit right away. Unfortunately, the attacked business is often the last to know that it's been breached. It's only after banks discover fraudulent charges that businesses hear about a suspected hack.
- Cyber mayhem comes in one form. You may think all cyber hacks are alike, but the truth is that hackers are endlessly creative in their strategies and approaches. According to the Verizon 2014 Data Breach Investigations Report, there are nine common types of cyber hacks. One of the most popular ways to access data is by exploiting vulnerabilities in web applications, such as content management systems (CMS) or ecommerce platforms. In 2013, these types of attacks accounted for 35 percent of all data breaches. However, POS intrusions, denial-of-service attacks, and insider misuse are also common types of breaches.
- Healthcare's biggest data problem is a mystery. Verizon's 2014 study also shows that 45 percent of all data breaches in the healthcare industry can be attributed to a lost or stolen laptop, USB, tablet, or smartphone. Mystery solved! When you consider that healthcare records sell for about 10 times more than credit card numbers on the black market, there's a lot of incentive to target these types of businesses. Read more in the post, "Healthcare Businesses Beware: Medical Data Worth 10x as Much as Credit Card Numbers."
- A business can quickly bounce back from a data breach. Think your small business can come through a data breach unscathed? Not so fast. According to a survey by HyTrust, a cloud security company, over 50 percent of the respondents said they would take their business elsewhere if their personal information was leaked.
- Your industry doesn't affect the cost of a breach. Untrue. According to Ponemon's 2014 study, your industry plays a key role in the overall cost of breached data. The average cost per breached record is $316 for healthcare businesses, $236 for financial businesses, $213 for service-based businesses, and $125 for retailers.
6 Ways to Cut Down the Data Malarkey
Now that you have a firm handle on the true nature of data breaches, it's time to step up your security. Be sure to implement the following pointers to ramp up your fortifications:
- Use and update antivirus and antispyware software. Every one of your business's computers, laptops, smartphones, and tablets should have security programs in place. Be sure to apply security patches regularly – hackers can use the patches as a roadmap to exploit vulnerabilities in older versions of your protection software.
- Only use POS systems for customer transactions. If your business's iPad doubles as a POS system, be sure you ban employees from surfing the web on it, which can introduce malware to your device.
- Don't buy from shady online vendors. If you don't know anything about the company, don't trust it with your sensitive financial information. Be especially wary of websites that don't feature an "https" in their address, which is the sign of a secure site.
- Check for leaky web apps. If your small business relies on mobile devices, be sure to install viaProtect, which monitors your smartphone's connections and traffic to identify data-leaking apps.
- Protect your physical data. As we noted above, one common cause of data breaches for healthcare businesses is the loss of physical devices and records. Be sure to lock up your devices, limit out-of-office use for work devices, and shred documents you no longer need.
- Clear your data cache. It's good to keep thorough records, but sometimes, the more data you have on hand, the costlier you can expect a data breach to be. Make a habit of clearing out files and data, but do work with a legal professional to ensure you don't accidentally delete records you may need later on.
For more data protection tips, check out the post, "One More Way Customers Can Sue You."