Target. Home Depot. Anthem.
These companies and many more have made headlines in recent years after suffering massive data breaches. Each of these incidents put customers’ data at risk—and put a serious dent in the companies’ bottom lines and reputations.
Of course, big corporations aren’t the only ones at risk of a data breach: For every large company that’s the victim of a data breach, many other small businesses fall prey as well.
David Kennedy closely follows these kinds of developments. That’s because he is the founder and senior principal security consultant of TrustedSec, a security services company that counts many of America’s largest companies among its clients. As a recognized thought leader in the security field, David has presented at more than 300 conferences around the world and makes regular appearances on high-profile news outlets such as CNN, Fox News, the BBC and Bloomberg Business.
He recently took time to answer a few questions about one of today’s biggest business threats and to offer trusted cybersecurity tips for small businesses.
With regard to business security, do you think things are getting better or worse?
Worse. There have been huge increases in data loss—especially with respect to credit cards and health care information. Today, you’re increasingly seeing countries hacking into big corporations. They seek competitive information that lets them compete against American businesses at half the cost. Iran is just one country that has been getting very good at this kind of cyber warfare over the years. You also see organized crime syndicates doing the same thing.
Ransom situations are also on the rise. In them, ransomware will take over a company’s information, encrypt it and hold it hostage until the company pays a large sum of money to get it back. This often happens over an extended period of time. CryptoLocker was a ransomware trojan that targeted computers using Windows back in 2013. It extorted millions of dollars from its victims.
Are there any positive developments you see happening?
It’s a bumpy road, and the United States is behind the times compared to European countries. You don’t see these kinds of large-scale breaches overseas.
I’ve testified in front of Congress twice about cybersecurity. One positive development is President Obama’s new executive order that asserts that malicious “cyber-enabled activities” are a national threat. It also establishes sanctions and other consequences for individuals and entities who engage in these activities.
Do you think small businesses are becoming more of a target for security breaches?
Absolutely. For every large data breach that you hear about in the news, there are dozens of breaches affecting small businesses. Small business data breaches are especially damaging; while Target has the resources to withstand a hit to its bottom line, a smaller company or business could potentially be forced to close its doors if the breach is severe enough.
What are your top security suggestions for small businesses?
First, make sure your employees are aware of what phishing schemes look like and train them to avoid them. Individuals are increasingly being targeted with more personalized messages that contain malicious links. This is one of the most common and easiest ways to gain access to a system.
Second, practice good security around passwords. Don’t use the same password from one system to another—that gives hackers access to everything if they guess right once. Consider using two-factor authentication; if your password is compromised, the second method to log in keeps you protected. Also consider using “pass phrases” that contain spaces. Most online web pages (as well as Windows) support sentences. For example, “I like walking down to the lake!” is a complex password and easy to remember.
My final security suggestion is to make sure someone on your staff has a good understanding of the latest security threats and defenses. It doesn’t necessarily have to be someone’s full-time job—instead, it could be performed part-time or by a contractor. The important thing is that someone is staying on top of protecting the business.
What are some resources you’d recommend for business owners looking to learn more about security?
There’s always my website, trustedsec.com, and the TrustedSec Security Podcast. I also like the Social-Engineer.org podcast. For books, authors Bill Gardner and Valerie Thomas are really good.
In your experience, do you think most businesses have proper data security insurance coverage in place?
I don’t. This is not something businesses have had to consider for very long, but it’s becoming the new norm. No matter the business or its size, it’s only becoming more critical to have data security coverage in place.
Erie Insurance offers a range of business insurance coverage options to help businesses overcome a data breach. To learn more and to get a free quote, contact your CNR Insurance Agent.