Data breaches targeting large companies have, unfortunately, become so commonplace that consumers in the latter half of 2014 are almost resigned to the probability of having their accounts hacked. Forty million credit and debit card numbers were stolen during the Target breach, along with personal information on seventy million customers. Target wasn't the only sizable target; within months of that breach, other large retailers, such as Neiman Marcus and Home Depot, also suffered significant breaches.
With major news stories revolving primarily around these cases, small and medium-sized businesses (SMBs) may be operating under the false impression that they are safer from attack simply because they are less likely to be pursued. After all, it seems intuitive: the bigger the company, the greater the potential pay-off. The fact is, however, that small businesses are increasingly under fire as well, though not always for the same reasons. In the Target attack, for instance, the breach began with access to a smaller company's systems: the attackers gained a foothold on Target's network using credentials stolen from the retailer's HVAC services supplier, then worked their way from there to the point-of-sale systems.
Once inside with the stolen credentials, the attackers were able to chain together a series of weaknesses in Target's internal network, including insufficient separation between the systems a vendor could reach and the environment that handled card data. A similar tactic was used in the massive Home Depot breach, which began in the first half of 2014: one of Home Depot's many suppliers was compromised, handing the attackers that vendor's username and password for Home Depot's systems. In both cases, a smaller company served as the attackers' entry vector. The practical lesson for the larger party is that a supplier's credentials should only ever open the door to what that supplier actually needs; the lesson for the supplier is that its own account security is part of its customers' security.
While some SMBs serve as access points to the larger organizations they work for, others are simply indirect victims, caught in the line of fire after an attack occurs. A data breach at a large company can produce an equally large knock-on effect for small companies. When a breach occurs, consumers are often forced to cancel their credit cards and obtain new ones, a disruption that is painfully apparent to small businesses that count on every transaction. Many smaller companies, such as fitness centers, rely on recurring monthly charges. Any card reissued after a large company's breach will be declined the next time the recurring charge is attempted. Multiple cancellations then leave the small business with delayed payments, as well as the cost of contacting each customer to collect updated payment details.
Understanding the legal risks
For large and small businesses alike, there is no shortage of reasons to act swiftly and wisely to implement robust data protection that meets or exceeds the industry standard. Most immediately, of course, preventing a security breach will avoid a direct financial loss to the company and its customers. Business data, bank account information, and personal information for individual customers are all at risk when security measures are not up to the task.
But there are specific and potentially costly legal risks as well. Large companies like Yahoo, Amazon, Sony, and Blizzard have all been sued over claims related to online security breaches. Even the South Carolina Department of Revenue is not immune: as of January 2013, South Carolina had spent more than $20 million responding to a breach that allowed hackers to access data on 6.4 million consumers and businesses.
Even if the court dismisses a case against an organization that has suffered a breach, the litigation costs alone can be devastating. For a small business, those costs could easily lead to insolvency. And if the court finds that a breach caused actual harm, the outcome could be even worse for the bottom line. A recent LinkedIn case was dismissed on essentially a "no harm, no foul" basis because the plaintiffs could not show concrete damage, but a defendant should not count on every court reaching the same conclusion.
Proper planning is clearly key to avoiding costly security intrusions and the legal challenges they bring. While small businesses won't have the data security resources of a big retailer such as Home Depot, they must be no less committed, and there are resources available to help mitigate risks and vulnerabilities. For SMBs that handle most of their transactions online, for instance, there are online fraud protection services, such as Forter or Neteller, that screen every transaction with a dedicated set of fraud-detection tools.
Training for SMB employees is also essential. For both the Target and Home Depot suppliers, the most likely explanation for the theft of the vendor credentials is a successful phishing attack. Teaching employees how to spot phishing emails matters for a business of any size, and it matters doubly for a supplier whose login opens a door into a customer's network.
Finally, organizations should have a workable response plan in place before data is compromised: who contains the incident, who assesses what was exposed, and who notifies affected customers and partners. In the end, the financial and legal risks demand that every company, regardless of size, understand the threat and plan accordingly.