March 18, 2016 | Cybersecurity | Emily Schettler, Iowa Association of Business and Industry

Dan Kramer, Senior Vice President of Marketing and Merchant Services, SHAZAM

A cybersecurity breach in 2014 that jeopardized the personal information of up to 70 million Target shoppers was a wake-up call for retailers and financial institutions about the importance of data protection.

However, large companies aren’t the only victims of cyberattacks. In fact, 70 percent of data breaches involve small businesses, according to information provided by Nationwide Mutual Insurance Co.

What’s more, over 78 percent of small to medium-sized businesses experienced a cyberattack in 2014, according to LMC Insurance & Risk Management.

“There are basically two kinds of businesses out there: those that have had a cyberattack and those that will,” said John Moeller, a principal of CliftonLarsonAllen’s Information Services Security Group.

“Companies are used to locking the doors to the business when nobody’s there and securing confidential documents in a locked, fireproof cabinet. They need to do the same thing for information systems online,” Moeller said.

A cybersecurity breach can cost businesses in a number of ways, not just financially. A breach can result in great damage to a company’s reputation, a loss of customers and limited ability to operate for a period of time.

Yet for all the concern, Moeller and others say too few businesses are proactive in addressing the issue – both in terms of protecting themselves from an attack and having a response plan in place to help minimize the damage if an attack occurs.

“When I speak with groups about this topic, we have everyone’s attention and they recognize it’s a serious issue they need to address,” Moeller said. “But what happens is, they leave and go back to business and day-to-day busy life and they end up not doing anything about it.”

There is some good news. The Global State of Information Security Survey 2016 conducted by PricewaterhouseCoopers found that businesses are taking steps to address the issue.

For instance, respondents reported increasing their information security budgets by 25 percent last year. And board members and high-level executives are also taking a more active role in their organizations’ efforts to prevent and respond to cyberattacks.

Federal and state governments are also taking steps to tighten regulations, help raise awareness and provide resources. In 2014, the Commerce Department released a Framework for Improving Critical Infrastructure Cybersecurity, meant to help organizations, regulators and customers create, assess and improve their cybersecurity programs.

Attacks can come in many forms, and the ways in which hackers are trying to access information are constantly changing.

At SHAZAM, ensuring the integrity of its network is a top priority. The Johnston-based financial services company completes approximately 1 billion financial transactions each year. Someone attempts to hack into the company’s network an estimated 500,000 times per day.

“A hacker only has to be right once; we have to be right every time,” said Dan Kramer, senior vice president of marketing and merchant services at SHAZAM. “We have to stand guard every day, all day.”

SHAZAM partners with companies around the country, law enforcement agencies and others to help ensure they are able to stay ahead of savvy hackers keen on obtaining valuable information from their customers.

The company also advises other organizations on how to protect themselves and how to respond once an attack has occurred.

Educating employees on how to prevent a breach is as important as the safeguards on a digital network. As sophisticated as hackers have become, many still gain access through simple means, like sending phishing emails to employees that contain a virus or malware.

Creating a culture of vigilance can go a long way toward preventing an attack, Kramer and others agree.

“You have to train your employees that it’s reasonable to be suspicious and to raise questions if something doesn’t look or feel right,” said Drew Larson, an attorney at BrownWinick Law Firm.

Investing in cyber liability insurance is another smart move many businesses overlook. More than 95 percent of all businesses have insurance for fires, but fewer than 40 percent have cyber/data breach insurance, according to LMC.

The cost of adding the coverage is significantly less than that of recovering from a breach. Nationwide estimated it would cost around $400-$500 per year to add cyber liability coverage to an insurance policy.

By contrast, the average cost of a data breach for a small business is $8,700, according to information from the National Small Business Association.

What’s more, according to the National Cyber Security Alliance, 60 percent of small businesses will close within six months of a cybersecurity attack.

In addition to providing valuable coverages, such as forensic investigation, notification expense and crisis management, obtaining cyber liability insurance can also require a company to make needed upgrades to its cybersecurity program, Moeller said.

A building cannot be insured for fires without basic safety measures, like smoke alarms and sprinklers, and a business can’t obtain cyber liability insurance without having certain protections already in place.

A frequent target for hackers is the valuable personal and payment information gathered by companies, and it is important for an organization to know what it’s gathering and have a policy for how and how long it will be stored, said Larson of BrownWinick.

That goes for data stored electronically and in hard copy.

Established privacy policies are important for both the party providing information and the company collecting it to have a clear understanding of how it will be used and who will have access to it.

“It is important to have privacy policies and internal practices in place that are working toward creating a secure environment,” Larson said.

It is also critically important for businesses to have a response plan in place for when an attack occurs, Larson said. That includes having established partners who can help determine how the breach occurred and address vulnerabilities, mitigate reputational and public relations fallout and address legal requirements, such as notifying customers that their personal information has been compromised.

“You have to have a plan in place and have played these scenarios out,” SHAZAM spokesman Patrick Dix said. “Stressful situations are not the time to start making decisions.”

Protecting a company from a cybersecurity breach can seem like a daunting and expensive endeavor. However, experts agree that being proactive in addressing the issue is beneficial in the long run, especially when considering the financial risks of an attack, as well as the potential damage to customer relationships and a company’s reputation.

“There’s no simple solution to any of this, but planning and prevention is cheaper than trying to work backwards once a breach has occurred,” Larson said.


ABI has two upcoming opportunities for business leaders to learn more about how to protect their companies from a cybersecurity breach. 

Connecting Statewide Leaders
April 7 | Council Bluffs

An expert panel will provide a global perspective on cybersecurity, as well as information on efforts at the state level and what businesses can do to protect themselves.

ABI Taking Care of Business Conference
June 14-16 | Sioux City

BrownWinick Law Firm will lead an educational escape on what to do if your organization has a data breach.