Connecticut's IT Blog for Growing Businesses | NSI

If It Can Happen to Verizon, It Can Happen to Your Connecticut Small Business

Written by Tom McDonald | Sep 20, 2017 1:00:00 PM

Every Connecticut small business needs to take data security extremely seriously. You need to be on continuous watch for malware and data leaks. A data leak can be disastrous for any business, but small businesses are especially vulnerable, because they typically don’t have the hardened data security of large corporations or the resources to deal with a data breach once it occurs. Connecticut small businesses suffer double jeopardy, because, in addition to dealing with the data breach itself, Connecticut’s data breach notification law requires businesses to notify those affected and provide two years of identity theft and credit monitoring.

The problem that all small businesses struggle with is that a data breach can come from any number of unexpected places. No matter how prepared you are, you can’t think of everything or completely protect your data.

A Breach Can Come from Anywhere

To illustrate how vulnerable any company can be to a data breach, consider the recent customer records leak at Verizon. The personal records of as many as 14 million U.S. Verizon customers, including names, addresses, account details, and PINs, were exposed because of an error by NICE Systems, a Verizon partner. NICE Systems provides technology to track customer experience and even support state-sponsored surveillance. However, NICE engineers failed to properly secure customer data in the cloud: they left access to an Amazon S3 server open.

As with most data breaches, the Verizon leak was discovered by a third party. UpGuard, a cybersecurity company, discovered the misconfigured server and reported millions of exposed customer records. Access to customer PINs was of particular concern, because PINs are used to authorize accounts. With a PIN, scammers can pose as customers and access Verizon accounts. Because two-factor authentication uses SMS messages sent to cell numbers, having access to cell customer PINs increases the potential for fraud.

The Risk to Connecticut Small Businesses

In the case of the reported Verizon leak, exposure of customer records was solely due to human error. In fact, more than half of data breaches are caused by human error, either inside the company or, as in the case of Verizon, by a trusted partner. If this data breach had taken place in Connecticut, the costs could have been substantial; how many millions of dollars would it take to provide identity theft monitoring for all those customers?

Any company of any size can find itself in a similar situation. No matter how many fail-safes you put in place, people make mistakes, and those mistakes can be costly.

Consider the case of Hartford Hospital, which had to pay $90,000 in damages following a data theft incident in 2012. The data breach was the result of the theft of a laptop from the home of an EMC Corporation employee. EMC is a Hartford Hospital contractor, and the stolen laptop contained patient information for 8,883 Connecticut residents. As with the Verizon incident, this was a case of human error made by an employee at a company partner—something over which you have no control.

To give you another example, 10 Connecticut Holiday Inn hotels may have been affected by a data breach at InterContinental Hotels Group, Holiday Inn’s parent company. Malware in the central credit card processing system exposed customer transaction data, including customer names, credit card numbers, expiration dates, and verification codes.

Data breaches can affect any company of any size. Even a small Connecticut business can fall victim to a data breach from a supplier, bank, or business partner. The best data security in the world can’t prevent third-party data breaches that can affect your business.

An MSP Can Help Protect Your Business Data

While prevention is still the best way to protect yourself from a data breach, there are additional steps you can take to secure your Connecticut small business, starting with finding the right managed services provider (MSP) to assist you with system monitoring and data security. An MSP can provide a variety of services that can protect you from a data breach, whether it’s caused by human error or malware.

An MSP can provide external systems monitoring to detect unusual data traffic and track network transactions looking for malware. It’s useful to have a third-party data security watchdog. Most companies don’t detect a data breach for six months or longer, and usually the problem is detected by a third party rather than in-house IT staff. Monitoring from outside can prevent a breach or uncover problems sooner.

An MSP also can provide on-site security support, including installing anti-virus software and hardening system servers and devices against attack. An MSP also can help train the IT staff and employees to make them aware of security concerns and show them what to look for—91 percent of data breaches start with a phishing attack.

Your MSP also should provide data backup and restoration services so that you always have an uncorrupted copy of company data. In the event of a ransomware attack, for example, it may be easier to roll back to a clean copy of network applications and data rather than trying to isolate and fix the corrupted systems.

When it comes to cybersecurity, you have too much at risk to go it alone. Using an MSP with security expertise can relieve you of the burden of monitoring your systems for a data breach and can help you develop strategies to keep corporate data secure.