Due to the large number of data breaches, 2014 came to be known as the Year of the Breach. The number of high-profile data breach cases making their way into the news serves to underscore that no business, large or small, is immune to the risk of such a breach. This is particularly true as criminals have developed more sophisticated methods for taking advantage of vulnerabilities inherent to payment systems.
Studies reveal that small and medium businesses are particularly vulnerable to becoming victims of data breaches. Biz Journals reported that approximately 20 percent of cyberattacks are conducted against small businesses that have less than 250 employees. Furthermore, the lost business and other repercussions of a data breach can be even more catastrophic to a small business.
Data breaches are a continual risk for companies of all sizes that must maintain customer data, so much so that the situation has now evolved into a question of not if a business will become the victim of a data breach, but when and how many times it will happen. As more such breaches are reported in the news, what has become clearer is the tremendous risk and exposure related to them. Inside Counsel reported that the average cost of a data breach for companies in the United States increased to $5.85 million per breach in 2014. Each breached consumer record had a cost of $201. Calculate that cost across a large breach, and it becomes clear how devastating a breach could be.
Along with the costs associated with a breach, businesses must also worry about the number of customers that could be potentially lost as a result. Inside Counsel reported that the rate of loss increased by 15 percent in 2014 year over year. Among the most widely publicized of the breaches was the Target breach, which resulted in exposing the debit and credit card data of approximately 40 million customers, according to Forbes. Since then, Target has spent nearly $150 million on costs related to the breach, including customer reimbursements and legal fees. Home Depot is yet another major retailer to be hit by a data breach. In that instance, some 56 million customers are believed to have had their payment information stolen during an attack that spanned a period of around five months. Data breaches can be expensive not only in terms of a company’s bottom line, but also to its reputation.
In spite of such risks, it is not uncommon for small business owners to feel a false sense of security, believing that only major financial institutions and retailers are at risk. Given that the Heartbleed Bug, which made headlines in April of 2014, resulted in almost half a million servers being left vulnerable to attack — including those of thousands of small business owners — the risk is very much a reality for businesses of all sizes.
How Data Breaches Occur
While the effects of a breach can be significant, there are steps that businesses can take to safeguard their most sensitive data while reducing the risk of a data breach. One of the most important steps that a business owner can take to reduce the risk of a data breach is to understand how such a breach can occur.
During a transaction, payment card data make their way through several systems and parties as part of the payment process. There are actually two points during the process at which sensitive data may become vulnerable to exposure. First is the preauthorization, in which the merchant captures the payment data and then transmits them for authorization. The second is the post-authorization, in which data are transmitted back to the merchant and then placed in storage.
Is Your Business at Risk for a Data Breach?
The first question you should ask in order to determine whether your business is at risk of a data breach is whether your company maintains sensitive data related to customer credit or debit card information. Additionally, you should consider whether your business maintains financial information, company records, operational reports, budgets, or other data related to business associates or suppliers. It is not uncommon for businesses to maintain at least some sensitive data. If your firm is not taking steps to protect such information, you could be at risk.
Additionally, it must be understood that hackers are not the only threat to your company’s data security. There are also various other threats. Among those potential risks is a natural disaster. Regardless of where your business may be located, there is always the risk of a natural disaster. From hurricanes and tornadoes to floods, fires, and earthquakes, any type of natural disaster could damage your location and result in the destruction of your physical records.
Equipment breakdown and human error can also result in a data breach risk. The simple fact is that everyone makes mistakes from time to time. Even so, such mistakes can place your company at risk. A broken electronic device, deleting the wrong file, equipment being left unattended, or transmitting sensitive information via email to the wrong people can all result in vulnerabilities.
You must also consider how well you know your employees. An internal attack is very much a potential reality. Internal controls and proper safeguards can also prove to be beneficial in determining whether sensitive information may have been accessed without your authorization.
Finally, you must keep in mind that malicious data attacks are not typically targeted. So, even if you think that your company’s data are not valuable enough for hackers to target them, it is important to be aware that hackers operate by transmitting what are known as feelers in order to identify potentially vulnerable systems. They may send out millions of such feelers at a time. Additionally, not all hackers are trying to steal your information for financial gain. For some hackers, it is enough to know that they can hack into your system and disrupt your business’ operations.
Consequently, it is vital to ensure that your business is prepared for a data breach. According to Experian, a big data breach is defined as the theft or loss of more than 1,000 confidential or sensitive records, negative public attention, and the loss of business partners or customers. So, what can you do to decrease such a risk and make sure that your business is prepared for the potential of such a breach?
The first and most important step you can take is to plan for a breach before it occurs. When a breach takes place, businesses typically need to ensure they make the most of the time available to them to comply with notice obligations, complete the necessary forensic analysis, and mitigate the exposure that has taken place. By ensuring that you have a formal incident response plan in place and that you are familiar with it, your company can help to significantly reduce the costs related to a data breach. Given the high costs and tight timeline related to a data breach, such a response plan should include a list of responsibilities that identifies the individuals responsible for each specific task. In addition, the plan should include the necessary training required.
Eliminating Blind Spots
In some of the most widely publicized data breaches, hackers were able to gain access to systems using system vulnerabilities and stolen credentials. While there is no getting around the fact that your business relies on the support of your business partners and vendors, conducting due diligence can help to reduce the risk related to a potential breach resulting from the inferior security of a third party.
Know Your Points of Contact
Retailer breaches often result from criminal or malicious attacks on the retailer’s system. As a result, when such a breach occurs, law enforcement will naturally be involved. Taking the time to identify points of contact within both state and federal law enforcement in advance can help expedite the investigation process in the event that your company should become the victim of a data breach.
Costs related to breaches, especially from a large breach, can often exceed the amount of insurance coverage that a business has. For this reason, it is vital that you review and understand your coverage as it relates to your network security. Find out specifically whether your coverage is adequate and whether there are any limitations, including notice requirements. You may also need to consider whether your business should purchase additional cyber liability insurance.
Vetting Third Parties
Most businesses do perform due diligence prior to transmitting sensitive data to business partners and vendors. Yet, at the same time, it is important to consider whether you are doing enough to vet those partners. Given the amount of risk associated with a data breach, taking a few extra steps to vet the partners with whom you do business can be well worth the effort. This will be increasingly important as more companies opt to use cloud payment services.
Instituting a Dedicated Response Team
Putting a dedicated response team in place can help give your business peace of mind in the event that the worst should happen. Ideally, such a team should be cross-functional in nature and include personnel from a variety of departments.
Engage Outside Vendors
The reality is that you may not be able to protect your business from a data breach on your own and may need outside help. It is expected that breaches will be handled in a timely manner. By establishing partnerships with external vendors, you can gain the specific experience you need to help prevent attacks and expedite the investigation and notification process if a breach does occur.
Understanding Legal Requirements
Staying on top of what federal and state agencies require of your company in the event of a breach is critical. At a minimum, your business should have a process in place that will help you identify and monitor state and federal requirements, including disclosures. If your business does not already have such a process in place, keep in mind that you could be subject to fines if you do not follow certain legal requirements. By making certain that you know how to comply before a breach, you can ensure that your business is prepared.
Update Your POS System
Is your point-of-sale system up to date? As an increasing number of markets make the transition toward EMV, a technical standard that ensures that chip-based payment terminals and cards are compatible, it has become necessary to ensure your POS system is upgraded. The use of smart chips makes it possible to take advantage of more advanced cardholder verification, which can protect against fraud in EMV transactions, including the use of stolen cards. Regardless of the size of your business, this is a step that you simply cannot afford not to take.
Tokenization and Encryption
Layering tokenization and encryption on top of POS and EMV-compatible systems makes it possible for merchants to reduce security weaknesses while also addressing relevant authorization vulnerabilities. Keep in mind that there are two areas in the transaction process in which data could be vulnerable to a data breach: the preauthorization and post-authorization points. Tokenization and encryption help protect cardholder data once consumer and payment data are validated. Additionally, tokenized and encrypted data are of absolutely no value to a hacker, as they are simply meaningless strings of characters that cannot be used.
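As an added illustration (not code from the original article or from any payment vendor), the following Python models the two exposure points described above, preauthorization and post-authorization, and shows what tokenization changes at each. The merchant hands the card number (PAN) to a vault at capture time and stores only a random token plus the last four digits afterwards, so the records a merchant actually keeps contain nothing a thief could charge against. The `TokenVault` class, the function names, and the card numbers are constructed for the example; a real vault sits with the payment processor or in a PCI-scoped segment and keeps PANs encrypted at rest, and the tokens are only worthless to an attacker while that vault stays out of reach of the merchant environment.

```python
"""Added example: tokenizing cardholder data at the two exposure points.

Everything here is constructed for illustration. The vault is a stand-in for a
processor-side token service; the card numbers are standard Luhn-valid test
numbers, not real accounts.
"""
from __future__ import annotations

import secrets


def luhn_ok(pan: str) -> bool:
    """True if `pan` is 12-19 digits and passes the Luhn check (ISO/IEC 7812)."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed stand-in for a PCI-scoped token vault / processor API.

    This is the only component that ever holds a full PAN. A production vault
    keeps PANs encrypted at rest under HSM-managed keys; here the point is the
    trust boundary, so a dict is enough.
    """

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        """Exchange a validated PAN for a random token (same PAN -> same token)."""
        if not luhn_ok(pan):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        # Random, not derived from the PAN: nothing about the card is recoverable
        # from the token without the vault.
        token = "tok_" + secrets.token_hex(12)
        while token in self._pan_by_token:  # collision is practically impossible
            token = "tok_" + secrets.token_hex(12)
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def authorize(self, token: str, amount_cents: int) -> bool:
        """Post-authorization / repeat-charge path: the merchant sends a token,
        never a PAN. Constructed behaviour: approve any known token."""
        return token in self._pan_by_token and amount_cents > 0


def capture_naive(pan: str, amount_cents: int) -> dict:
    """The 'before': the merchant writes the PAN into its own order record,
    so whatever is stored post-authorization is a usable card number."""
    return {"pan": pan, "amount_cents": amount_cents}


def capture_tokenized(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Preauthorization: the PAN goes straight to the vault; the merchant keeps
    only the token and the last four digits (for receipts) after authorization."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": pan[-4:], "amount_cents": amount_cents}


def pan_exposed(records: list[dict]) -> bool:
    """Breach-impact check over stored merchant records: does any field hold a
    usable PAN? Tokens start with 'tok_' and last4 is too short to pass the
    Luhn length check, so a tokenized store reports False."""
    return any(isinstance(v, str) and luhn_ok(v)
               for rec in records for v in rec.values())


if __name__ == "__main__":
    vault = TokenVault()
    naive_store = [capture_naive("4111111111111111", 1999)]
    token_store = [capture_tokenized(vault, "4111111111111111", 1999),
                   capture_tokenized(vault, "5555555555554444", 500)]
    print("naive store exposes a PAN:", pan_exposed(naive_store))      # True
    print("tokenized store exposes a PAN:", pan_exposed(token_store))  # False
    print("repeat charge by token:", vault.authorize(token_store[0]["token"], 500))
```

The design choice worth noting is that the token is random rather than a hash or encryption of the PAN: a deterministic token derived from a 16-digit number is brute-forceable offline, whereas a random token can only be resolved by asking the vault, which is exactly the dependency that keeps the merchant's own database out of scope when it is breached.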
Finally, it is important to consider eliminating the practice of allowing employees to bring their own devices (BYOD) to your place of business without any type of security testing in place.
Data breach preparedness can be complex. If your business is not prepared, the result of a data breach could be catastrophic. Taking the time now to prepare for a data breach and understanding best practice solutions can help you reduce the risk of such a breach and ensure you are prepared in the event that one does occur.