Organization size by number of breaches
Source: Verizon 2012 Data Breach Investigations Report
Small and mid-sized businesses have become easy targets for hackers, according to local information security experts, and a new report indicates that data breaches are on the rise at smaller organizations.
Virtually all companies doing business online are potential targets for cyber-criminals, regardless of their size. Smaller businesses may be especially vulnerable to online crime because they have limited budgets for web security and few if any technology experts on staff, officials said.
“The hacker community is smart. They have realized that this group of small and medium-sized businesses don’t have the capabilities that some of the larger organizations have and they become very easy targets,” said Vikram Sethi, director of the Wright State Institute of Defense Studies and Education.
In May, hackers reportedly drained $1.2 million in just hours from the bank accounts of a small Brooklyn, N.Y., company.
“One bad situation can be lethal for a very small business,” particularly one with a protected clientele, said Earl Gregorich, director of Wright State University’s Small Business Development Center.
Sethi said he was aware of Dayton-area organizations that have lost financial data after falling prey to “phishing” scams or data break-ins. “A couple of them acted quickly to cut off access to credit cards and so on, and some of them simply don’t know what the depth of loss has been,” he said.
Small businesses in the Miami Valley “are being exploited,” said Jack Gerbs, president and chief executive of Quanexus, a Clearcreek Twp.-based information technology consulting company.
Several local businesses currently are facing breach issues, but Gerbs declined to name them. Compromised companies rarely come forward out of fear for their reputations, which leads other small businesses to believe they are safe, he said.
Nearly 72 percent of the 855 global data breaches analyzed last year by Verizon Communications Inc.’s forensic analysis unit were at companies with 100 or fewer employees, according to the company’s 2012 Data Breach Investigations Report, produced in conjunction with the U.S. Secret Service and several international agencies. That’s up from 63 percent of the 761 data breaches it analyzed in 2010.
The average U.S. data breach last year cost companies $194 per compromised record, according to the 2011 Cost of a Data Breach Study: United States released by the Ponemon Institute, a Michigan-based privacy research center.
The total cost of a data breach for a small company with no formal information security controls or response plans in place can range from $25,000 to more than $250,000, not including federal regulatory fines, said Ryan Sevey, information security services manager for Quanexus.
“Just by the very nature of a lot of these attacks, they go after the low-hanging fruit,” Sevey said.
Target selection is based more on opportunity than choice, according to the Verizon report. Nearly 80 percent of victims last year fell prey because they were found to possess an exploitable weakness, rather than because they were pre-identified for attack.
The Verizon report found that 96 percent of the attacks studied were not difficult to achieve and 97 percent were avoidable “without difficult or expensive countermeasures.”
Organized criminals were behind the majority of breaches in 2011, with some form of hacking or malicious software being used in most cases. Increasingly, cyber-criminals are automating their method of “high-volume, low-risk attacks against weaker targets,” the report said.
Gerbs said many breaches come into play as exploits in the programs that companies use. “Having a properly patched system with a current anti-virus definition is critical,” he said.
Smaller organizations can take steps to protect themselves by providing firewall security for the Internet connection; using anti-virus and anti-spyware software on every computer used in their business; downloading and installing software updates for their operating systems and applications as they become available; and regularly changing passwords.
Gregorich said the cost for a company to recover from a data breach is probably greater than the expense of protecting its information from attack. Some organizations hire outside firms to manage their information security, he said.
“Small businesses have a tough time keeping up with the complexity of this environment,” Sethi said.