Phone: 630-495-2282 Fax: 630-495-2260 Map/Directions

Best defense against cyber attacks: A good offense

November 20, 2015
In the not-too-distant past, consumers probably gave little thought about the security of their credit or debit card information in the hands of retailers. But that changed about two years ago, when Target reported that 40 million card numbers had been stolen during the year-end holiday shopping season.
That would be followed by data breaches at businesses as varied Home Depot; Michaels, the nation’s largest arts and crafts chain; casinos in four states; and sandwich shop chain Jimmy John’s. All told, data breaches would be the top story that haunted the card industry throughout 2014.
Since then, larger enterprises have become better defended, so cybercriminals are moving down the business food chain. Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council, said that, "smaller companies are generally more vulnerable, as only the best companies can afford the best defenses." 
Indeed, 71 percent of cyber-attacks now occur at businesses with fewer than 100 employees. Among the weaknesses that make small and midsize businesses attractive to criminals, cited by multiple experts are: 
• Lack of time, budget and expertise to implement comprehensive security defenses.
• No dedicated IT security specialist on the payroll.
• Lack of risk awareness.
• Lack of employee training.
• Failure to keep security defenses updated.
• Outsourcing security to unqualified contractors or system administrators
• Failure to secure endpoints.
Hackers use a variety of methods to try to breach company data, such as with phishing, an email scam that attackers use to trick people into clicking links or volunteering sensitive information. A single phishing email could severely impact the company’s privacy and security.
Many states require companies to notify all of their customers if a breach is even suspected and to take necessary steps to correct the situation — a cost estimated at up to $30 or more per customer. Add to that the potential loss of confidence in an affected company by its customers and potential customers.
It is not realistic or even fair to require smaller businesses to have the same complex controls and monitors that large enterprises leverage. However, it should be expected that they have basic controls. 
It also is important to note that automobile dealers, unlike the retailers cited earlier, have a legal responsibility under Gramm Leach Bliley to protect their customers’ non-public information — a responsibility that currently represents a giant hole in many of their privacy and safeguards plans.
Experts say small businesses can act on several recommendations to improve security without costing big bucks, including:
• Update security software. This can frequently be automated. Also, there are vendors that will enable a free system check.
• Limit access to sensitive information.
• Educate employees, especially about the risks of social media.
• Insist on rigorous passwords.
• Screen apps before allowing them to be downloaded.
Remember that compliance is a process, and companies which do not continually assess and improve may quickly fall out of compliance.
In introductory remarks in a speech about best practices, Tom Farley, the president of the New York Stock Exchange, said: "No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.
"It is important that companies remain vigilant, taking steps to proactively and intelligently address cybersecurity risk within their organizations. Beyond the technological solutions developed to defend and combat breaches, we can accomplish even more through better training, awareness, and insight on human behavior. 
"Confidence, after all, is not a measure of technological systems, but of the people who are entrusted to manage them."