Connecticut's IT Blog for Growing Businesses | NSI

What CT Business Owners Can Learn from the 1,800 Data Breaches in 2016

Written by Tom McDonald | Jun 13, 2017 12:00:00 PM

With all the concerns facing CT business owners, cybersecurity does not top the list for most. However, cyber threats and data breaches are on the rise, and hackers and cybercriminals are focusing their attentions on smaller businesses that are less likely to have robust security measures in place. In fact, cybercrime has become so commonplace that the question today is not whether your systems have been breached, but when they were last breached.

Every business needs to protect itself from cyberattacks, and understanding more about the nature of data breaches is the first step.

There were 1,800 known data breaches in 2016, resulting in 1.4 billion compromised data records. This represents an increase of 86 percent over 2015. The data collected in the Gemalto Breach Level Index Report shows that 68 percent of data breaches were perpetrated by external hackers, 9 percent were from malicious insiders, and 19 percent were accidental leaks. 

Hackers Want Your Data

Most cybercriminals are after the same kinds of data. The Gemalto report shows that 59 percent of breaches were for identity theft information, and 30 percent were for financial and account data. Hackers typically look for types of data that have intrinsic value for a fast sale or immediate exploitation. Credit card information, for example, has immediate value but a short shelf life; criminals can use stolen credit cards to purchase gift cards or make immediate purchases that can be converted to cash equivalents. Stolen identities have more value on the black market, and more sensitive information, such as patient data, is more valuable still because it can be used for phony prescriptions. As you can see, even the smallest medical office can be a prime target for hackers.

Small businesses are becoming more attractive to hackers as well. Forty-three percent of cyberattacks target small businesses, and the number of attacks is increasing. Small businesses have the same kind of juicy marketing data that other organizations have, but it’s usually not as well protected because smaller businesses don’t have dedicated cybersecurity resources. Even if a small business has little data worth stealing, hackers still want to break into its systems to use its servers as a platform to launch their next attack. No business is safe.

The Cost of a Data Breach

A data breach can be expensive, no matter what sorts of data are stolen. Consider a medical practice or pharmacy whose patient records are hacked. This can be especially costly, not only in terms of lost customer or patient confidence and the cost of remediation, but in regulatory fines as well. Patient data theft is a violation of HIPAA, the law that protects patient confidentiality, and the fines for a HIPAA violation can range from $100 to $50,000 per incident or per record, up to $1.5 million per year. Financial service firms, accountants, and other small businesses are subject to other regulations with similar penalties.

Connecticut business owners face some unique challenges, and fines, when it comes to data security. The Connecticut legislature passed a law in 2015 imposing new requirements for data breach reporting, including “appropriate identity theft prevention services and, if applicable, identity theft mitigation services. Such service or services shall be provided at no cost to such resident for a period of not less than twelve months.” So not only do Connecticut businesses need to report any data breach, they have to pay to protect customers’ identities for at least one year.

An Ounce of Prevention…

What can Connecticut businesses do to protect themselves from a data breach? There are a number of steps you can take, no matter what the size of your business or the nature of your data:

  1. Access control – Make sure you maintain absolute control over data access. This means not only who has access to sensitive data, but how you secure the data. Change passwords frequently and use strategies such as two-step authentication for added security. Cloud-based services generally offer good built-in security and make it easier to manage and update user credentials.
  2. Secure backups – In the event your data is compromised, you need to have a clean copy available. Note that most data breaches or compromised systems go unnoticed for months, so be sure you have multiple clean backups stretching back over time. Many small businesses are turning to cloud backup systems for convenience and added security.
  3. Maintaining secure systems – Cybercriminals use various techniques to steal your data. Be sure to plug as many holes in system security as you can. For example:
     • Make sure your systems are automatically locked and require a password to access.
     • Avoid use of flash drives and external data storage devices.
     • Use data encryption to protect information in transit.
     • Use password management software to enforce authentication rules.
     • Keep software up to date with the latest versions, including bug fixes.
  4. Train your staff – Employees are the biggest source of security issues. Be sure your staff understand the basics of data security and identity management and adhere to best practices.

Phishing and spear phishing, for example, are among the most common ways hackers gain access to your systems. Educating your employees can prevent a phishing attack.

One of the best ways to prevent a data breach is by getting help from a security expert, such as an experienced managed services provider (MSP). An external technology consultant can assist you by performing a security audit to identify weaknesses in your enterprise infrastructure, and make recommendations as to where to improve security. Your MSP also can provide other security services such as remote systems monitoring for malware and cyberattacks, secure data backups, and cloud support services.

There is no question that a data breach can be costly, but you can minimize the possibility of a cyberattack with the right pre-emptive measures, including working with the right service provider who knows your operation and can help protect your data.