The Wall Street Journal
Photo: Getty Images
How Small Businesses Can Fend Off Hackers
Seventy-one percent of cyberattacks hit companies with fewer than 100 employees.
If you wanted to hack a business, which one would you pick: A Fortune 500 company with a large digital-security budget and a team dedicated to protecting its cyberassets? Or a small enterprise that doesn’t employ a single IT security specialist? Of course hackers are equal-opportunity criminals, but you get my point.
Security breaches at big companies such as J.P. Morgan , Sony and Home Depot dominate the headlines, but safety measures are crucial for organizations of all shapes and sizes. According to the 2012 Verizon Data Breach Report, 71% of cyberattacks occur at businesses with fewer than 100 employees. The average cost of a data breach for those small businesses is $36,000.
We can no longer assume that hackers are solitary figures sitting in basements fiddling with their laptops. They may be members of organized-crime groups or employed by nation states, and they have resources that can destabilize entire companies and countries. These hackers constantly look for Internet vulnerabilities. They break through firewalls, infect machines, and use phishing schemes to gain access through emails to people’s passwords and Social Security numbers. They can then leverage weaknesses in applications to cause a database to output its contents.
So what can the owner of a small business do to defend himself? Here are some tips.
Think like a bad guy. Ask yourself: Who are my adversaries? Are they after my intellectual property and trade secrets? Do they want my customers’ credit-card information? Or do they view my business as the weak link in some larger application? This exercise can help you see where your vulnerabilities lie and also help you understand which measures you can take to protect your software.
Make sure your code is clean. Many commercial applications use open-source code as components. The National Institute of Standards and Technology’s National Vulnerability Database discloses more than 4,000 vulnerabilities in these components. Security software companies (such as Black Duck Software, of which I am president), can help you identify and fix any problems with your applications’ source code.
Outsource your security operation. While most small organizations can’t afford to build sophisticated IT security systems, there are many service companies that have the scale and know-how to protect your operations and sensitive data.
Nevertheless, you must still do due diligence to make sure the company you outsource to has all the capabilities you require. But hiring a security company does not relieve you of all responsibilities.
Earlier this year, Columbia Casualty, a division of insurance-industry giant CNA, sued Cottage Healthcare Systems, a former client, to recover a claim in excess of $4 million after a security breach that disclosed the personal information of thousands of Cottage’s patients. The suit claimed that Cottage, which outsourced its IT, hadn’t ensured that its service provider met the “minimum required practices” required by the policy, which included checking for security patches from software and hardware vendors, and installing those patches within 30 days.
Buy cyberinsurance. In addition to outsourcing your cybersecurity and avoiding any internal negligence, cyberinsurance policies can also protect you after the fact. These policies, offered by more than 70 carriers according to a Gartner Research report in March, include liability coverage for exposing confidential information, paying to notify customers of a breach and providing them with credit-monitoring services.
Insurance policies also reimburse a company for costs that result from a business interruption caused by service attacks. The Cottage Healthcare Systems case, however, is a reminder that insurance does not relieve a company of the responsibility for ensuring that its service providers can meet the requirements of its insurance policy.
To beat the bad guys, you need to think like them. And then take all the necessary actions to outsmart them, outmaneuver them, and protect your company.