K-Mart, Target, JP Morgan Chase, Apple, AT&T. What do all of these companies have in common? In the last year, all of these businesses have fallen victim to severe cyber attacks. Whether you’re in-house counsel of a corporation or simply an active consumer, data security breaches should be a top concern, as it is now more likely than ever that your personal information might become compromised.
One thing that’s clear from past incidents is that no industry is immune. One major target has been retail. Last Friday, Sears Holding announced a detected data breach at its K-Mart stores, last month Home Depot announced an attack which compromised over 56 million credit cards, and the Target breach last holiday season generated significant media attention. Even the most technologically savvy companies are at risk. Apple’s iCloud hack leaked hundreds of stolen naked celebrity photos. Forbes’ Data Breach Bulletin published last week illuminated the broad range of targeted companies, from JP Morgan Chase to Dairy Queen, even educational institutions such as the North Dakota State College of Science.
Companies of all sizes are also at risk. According to data security specialist Andrew Bargin, founder and CEO of My Digital Shield, any business that takes more than a thousand credit cards in a month is vulnerable to an attack. Statistics from cyber attacks last year support this. In 2013, attacks aimed at small businesses with up to 250 employees accounted for 30% of all attacks. Small businesses are good targets because they still retain important financial information that hackers want, while often being easier to infiltrate. Small businesses may be at more risk than larger companies because they don’t always follow best practices and can’t afford as robust of a security system as larger companies.
The media is flooded with articles on the issue; nearly every day news outlets highlight new breaches and writers offer recommendations on what companies can do to protect themselves from attacks. Below I’ve highlighted some suggestions from writers featured on the Huffington Post and the New York Times and shared my own thoughts on what can be some of the most effective tools for companies to employ to avoid and manage cyber attacks.
One of the more novel approaches comes from blogger Adam Levin of the Huffington Post, who argues for a “Data Breach Disclosure Box.” Levin believes the consumer and privacy issues around data breaches call for a paradigm shift that produces tools enabling consumers to make informed decisions to allow for containment strategies. Levin advocates for a disclosure box, like the Schumer Box disclaimer for credit terms and conditions, which would require businesses to make certain disclosures to inform consumers about breaches. What would a company be required to disclose? Levin suggests companies should be required to disclose some variation on the following:
- How many times has this company been breached within the past five years?
- If breached, what kind(s) of information was exposed?
- Does this company encrypt all consumer and employee data?
- Does this company have a breach notification policy?
- What did the company offer affected consumers?
- What type(s) of information are customers obligated, or not obligated to provide?
Required corporate disclosures regarding security breaches would do a lot to help improve transparency. Whether or not it would be impactful would depend on the context in which the requirement is implemented and who is responsible for regulating. From a consumer perspective, the way in which one would gain access to this type of information would certainly influence its ability to have a meaningful impact on behavior and awareness. Would it be readily accessible in a company’s terms and conditions, prior to engaging with a company, or would the information simply be available after the fact? Lots of similar information about what a company does with your data is already available in Privacy Policies, and yet most consumers rarely read them, and often only once they feel their privacy is under attack. One of the greatest benefits of a required disclosure is that a company, knowing it would be held publicly accountable to report this type of information, would be more proactive in putting thorough systems in place to prevent and minimize these types of security threats.
One of the best things a company can do to protect itself from a data security attack is to be proactive. For example, those close to the Home Depot incident say the company was repeatedly warned of the risk that their systems were susceptible to hackers, but that management did not act appropriately. Former employees said the company responded slowly to threats, took delayed action, and used outdated software to protect their systems and network. Additionally, credit card industry security rules require large retailers like Home Depot to conduct vulnerability scans at least once a quarter, using technologies approved by the Payment Card Industry Security Standards Council. Home Depot performed these scans irregularly in only a few of their stores and on only a small number of systems.
What can we learn from the Home Depot breach? Most importantly, companies should take their security very seriously, and put legitimate systems in place to protect their data. Companies should make sure their anti-malware systems are current and that they are being as proactive as possible in scanning their systems.
Eileen Zimmerman recently wrote a post on the NY Times providing recommendations to small business owners regarding how they can protect their companies from data breaches. Here are a few key takeaways:
- Use your point-of-sale system for customer transactions only and dedicate one computer for the company’s purchasing, banking, and confidential financial business.
- Keep your hardware, operating system, software and apps up to date and update antivirus software.
- Be skeptical when buying from unknown online vendors.
- Plug leaky apps.
- Clean house frequently.
Many of these recommendations are useful and apply not only to small business owners but also to individuals. Keeping antivirus software up to date is critical, and it’s also important to monitor your third-party apps. Last week hackers accessed at least 100,000 Snapchat photos through a third-party client app that allowed users to save their photos, rather than by gaining access directly into Snapchat’s system.
Potential cyber attacks are a real concern for today’s modern businesses and a risk that should not be treated lightly. With the right level of proactivity and systems in place to communicate risks openly, businesses can hopefully stay one step ahead of hackers. Still worried your personal financial information may be at risk? Follow these 10 steps to protect yourself from future attacks!