Nobody wants to be the next Sony.
Late last year, hackers pillaged the company’s computer system, gaining access to unreleased Sony movies and embarrassing emails between top executives. Then they were put online for all to see. Although no money was directly stolen, Sony suffered significant financial loss, along with broken relationships and damage to its reputation.
While Sony is one of the world’s largest corporations, there are lessons that small businesses can take away from its high-profile hack.
The first one may also be the most difficult to convey to a busy entrepre-neur: Don’t think that a hack can’t happen to you.
“Businesspeople have businesses to run,” said retired FBI agent Jeff Lanza, a nationally known speaker who regularly addresses small businesses. “They just want to make a profit, and they want to market their products. The last thing on their minds is computers and getting hacked. They don’t want to think about it. And because of that, they’re in denial. And when you’re in denial, you don’t take steps to keep yourself safe.”
How can businesses shake free of the denial?
“One day, you just look down the gauntlet,” Lanza said. “You say, ‘We’re going to assess everything to make sure we are not potentially vulnerable to being victimized like Sony—or like the company down the street that had a hundred grand taken out of its bank account. And you say, ‘What do we have to do to make sure that this doesn’t happen?’”
Although myriad threats exist, financial hacking presents the greatest danger to businesses, said Tim Blakley, CEO of Invision, a computer consultancy that serves more than 100 corporate clients in the Kansas City area.
“It’s either for money or for information that they can sell,” Blakley said of the hackers. “Or it’s a disgruntled employee or ex-employee who’s looking to do harm. But all of these hacks in one way or another will cost you, whether somebody takes your money or they infect your system so badly that it’s going to cost money to get it cleaned up.”
The most common way to infiltrate a company’s computer network is through its email system. Hackers send bogus emails to employees, “phishing” for information that will help the bad guys get into bank accounts.
“They’ll send you an attachment that may say, ‘You have a UPS package waiting and click here to check the status,’” Blakley said. “And you click there and you give them information, like a login account and password.”
One of the best defenses against cyberattacks is enforcing password complexity, Blakley said.
“The base complexity says you should have a password that’s eight to 10 characters long and contains at least a number and preferably a symbol, like the pound sign or the ampersand and maybe some capital letters,” he said. “Standard industry practice says to change your password every 90 days. That may be a little too much for some people. But if you did it every six months, you would certainly be better off than a company where the password never changes.”
It’s also crucial for businesses to have a good antivirus security program installed—not only on the computers of individual employees, but throughout the network that the email system flows through—and to comply with antivirus updates in a timely manner.
“What I tell my clients is to not make themselves the low-hanging fruit,” Blakley said.
Another way to accomplish that is to eliminate email accounts for employees who are no longer with the company.
“It’s not unusual for us to go into a new client’s 20-user network and find two or three or four accounts for people that haven’t worked there in years,” Blakley said. “Yet the accounts are still active. The risk there is that, since nobody’s in those accounts, a hacker could have gained access to them and is diving through the system.”
Can businesses take care of cybersecurity on their own? Or should they hire someone who can perform a one-time security audit?
“I’m told that changing the oil in your car is very easy to do,” Blakley said. “But if you put me underneath my car, I wouldn’t have the first clue how to change the oil. An above-average, technically comfortable person might be able to find their way through a computer network, but it really falls into the realm of the IT expert.”
Cover Your Assets
In case of a breach, how vital is it for a small business to protect itself by purchasing the proper cyberinsurance?
“There are arguably more breaches of business information than there are business fires, and everybody buys fire insurance,”
said Damian Caracciolo, vice president of CBIZ Risk and Consulting Services, a national full-service property and casualty brokerage firm. “So on a scale from one to 10, cyberinsurance is certainly a 10.”
Industry statistics point to the validity of Caracciolo’s advice.
“Fifty-five percent of small business owners experience at least one data breach,” he said. “And most of those don’t have the financial wherewithal—particularly the smaller, newer businesses—to even restore their company’s data after a breach.
“Each business has its own inherent risks associated with it, but what they absolutely must have is network security and privacy liability coverage. Network security would cover the cost to restore information on the insured’s computer system. And privacy liability would cover the cost associated with the business notifying its customers that their information may have
Businesses are legally required in 47 states and all U.S. territories to notify customers about the loss of their private records, Caracciolo said, and the cost of doing so can add up quickly.
“The average cost of a breach is $201 per record,” he said. “Let’s say you have the records of 3,000 individuals in your database, whether it’s Social Security numbers, driver’s license numbers, credit card information, email addresses, even health care information. If there’s a breach, you’re legally responsible for notifying all of those people, and you’d have to pay $603,000 to provide notification.”
Caracciolo likes to see the typical small business have at least $1 million in cyberinsurance coverage, which might range from $1,500 to $4,000 in annual premiums. Although it doesn’t cost a fortune to protect yourself from losing a fortune, many entrepreneurs still push back against the need for cyberinsurance “because they don’t think it can happen to them,” Caracciolo said.
“A common objection is, ‘Well, we’re too small,’’’ he said. “Well, with more than half of small businesses being breached, you’re not too small. What you are is an enticing target, because it’s easier than breaching the firewall of a large business that has an IT staff of 15 people.
“No computer network is bulletproof. There are holes in every operating system. And these hackers are pretty smart. They find the holes, they breach them, and they access your information.”
What should a small business say—to customers, employees and the public—once it realizes that a serious hack has occurred and sensitive information is missing or stolen?
React quickly and transparently, said Laurie Roberts, chief operating officer at Parris Communications in Kansas City.
“The most important thing is to start talking,” said Roberts, who leads her PR firm’s crisis communications practice group. “A lot of companies have a tendency to take a sort of bunker mentality and gather their executives, legal counsel and communicators and hole up for several hours. When, in essence, the public is demanding to know more about it.
“The company should come out immediately and say, ‘We have been the victim of a hack. We are looking into the situation. And we will share further details as we learn them.’ But it shouldn’t be another day or two until they communicate again. They should continue to roll out whatever information is safe to share.”
A company’s post-hack messaging should appear on its website and all of its social media platforms.
“Offer an explanation of what went wrong,” Roberts said. “And the company needs to take this opportunity to share its expression of concern for the impact that the situation has on customers, on employees and on the general public—whoever was affected the most—and to apologize for it.
“Demonstrate that you’re moving forward, that you have integrity and let your actions from that point forward speak volumes about your character. For example, if there was something embarrassing in an email that went public that you, as a company executive, had something to do with, own it and don’t let the transgression linger. Show that you’re sorry for what happened and that you’re going to be a better person.”
Especially wrap your arms around your employees, Roberts said.
“It’s most essential,” she said. “Your employees are your customer-facing ambassadors. They will need to respond to questions and concerns from your customers, so they need to feel good about your leadership.
“They need to feel good about the company’s email security or whatever the operational aspects of the breach were. And they need to feel good about themselves before they can honestly go to customers and say that they should also feel good about it.”