Smaller businesses are at risk of ID-theft, but only a small percentage of them have policies and procedures in place to protect against online intrusions. Here are some tips to be prepared.
If a data breach can take down Target's CEO and cost Target tens of millions of dollars (so far) and the bad guys can crack into eBay's data as they did just days ago, isn't this a big red flag of data danger to America's backbone: small business? Hopefully, the answer is a resounding "yes," because Symantec's sobering "Internet Security Threat Report 2014" makes clear that the situation is fraught with danger. Symantec wrote, "Cybercrime remains prevalent as damaging threats from cyber-criminals continue to loom over businesses and consumers." When we think of data-breach events, we often think of outside hackers. The Symantec Report said that "hacking was the leading source for reported identities exposed in 2013," causing 34 percent of data breaches.
This means 66 percent of all data breaches were not related to hacking, with other causes of data breaches reported as accidental release of information (29 percent), theft and/or loss of computers and drives (27 percent), insider theft (6 ercent), unknown (2 percent), and fraud (2 percent). Data breaches are a growing risk-management issue — maybe as, or more important, than traditional risk areas. Small- to medium-size businesses are at risk, just as large organizations are, with an ever-increasing volume of customer, employee, and proprietary information acquired and all very desirable to ID-theft criminals.
Yet only a small percentage of companies with fewer than 250 employees have policies and procedures in place to protect against online intrusions, according to a Symantec survey report released in 2013. Earlier this month, I spoke at the Police Officers' Credit Union Conference in Las Vegas. In my remarks, I said that "no one company can ever prevent itself from experiencing a data breach and that education is the number one tool for protecting data."
Here are my plan recommendations for the data breach that none of us wants:
1. Breach source. Determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of the breach, you should engage a forensic-investigation company, preferably one that is already familiar with your network topology and information-security and governance policies and procedures.
2. Breach assessment. Determine the scope of the data breach and the privacy and data-security regulatory requirements associated with the type of records for the states in which you conduct business.
3. Response plan. Include internal employee education and talking points, public-relations news releases, customer education and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.
4. Protection plan. Include the small-business or consumer-protection services to be offered to the compromised record group and the confirmation of professional call-center and recovery-advocate support services.
5. Breach victim resolution plan. Provide access to professional certified identity fraud-recovery advocates that will work on behalf of the victims to mitigate and resolve the issues caused by breach.
Mark's most important: Get serious about an advance plan for ID theft or a data breach or be prepared for fines, penalties, class-action lawsuits, brand damage and/or loss of revenue that may put your business seriously at risk.
This article was originally published on AZcentral.com and republished with the author's permission.