More than 70 percent of data breaches target small businesses and more than half occur in companies with fewer than 1,000 employees, University of Texas officials with the Center for Identity said Friday.
But such businesses often do not have the information technology and management teams in place to handle cyberattacks, or the guidelines that would allow them to respond quickly should the personal information they keep on customers or employees be lost or stolen. That lack of proactive practices, identity theft experts said, could unwittingly harm a company’s reputation and lead to serious legal repercussions.
“Big businesses have their own security teams, they have human resource personnel in place, and they have chief information security officers,” Center for Identity spokeswoman Anna Griffin said. “But I think it’s important for all business owners to be able to ask the right questions about their business practices … what data they are holding and how well their employees take care of that data.”
Providing small-business owners with the resources to take on those questions was among the main objectives of a data breach workshop Friday at the center. UT officials and FBI and U.S. Secret Service agents walked more than two dozen small-business owners through a simulated data breach and trained them on the best policies and communication techniques to prevent data loss and report hacks.
Thomas Edwards, resident agent in charge of the Austin office for the U.S. Secret Service, said most cyberattacks against companies in Austin and nationwide come from Eastern Europe and Asia. For merchants around the world, he said, their point-of-sales systems — where the credit card is swiped or the retail transaction is completed — are constantly targeted.
Hackers can capture credit card information, often by ZIP code, and traffic the data on the dark Web — “the red light district of the Internet,” Edwards said. Business owners must work with their IT providers to make sure their firewalls are up to date, he said. They need to establish a response team and should not hesitate to notify law enforcement, beginning with the local police department, he said.
“No system is impermeable,” Edwards said. “So you have to make sure you are always on top of data security.”
Having good legal advice is also important, he and UT officials said. Disclosure laws on when companies are required to notify law enforcement and consumers can be convoluted, varying widely between the state and federal levels and from state to state.
According to statistics compiled by the Center for Identity, a recent survey of U.S. companies found that 55 percent of those that responded have had an electronic data breach. But a third did not report it to their customers, even as 46 states mandate that people be notified when their private information is compromised.
In Austin, the geopolitical think tank Stratfor was the first to cause waves over stolen customer information after being hacked in December 2011. Major retailers such as Target and Home Depot have been under fire over the past two years for failure to protect sensitive consumer information amid rising security breaches and cyberattacks.
Many such breaches are instigated by employees, experts said. At a federal court in Austin this year, former Home Depot employee and Round Rock resident Daniel Marquadt said he had been struggling with financial hardship and a painkiller addiction when he stole thousands of customers’ credit card numbers and attempted to sell them on an online black market.
Small-business owners are increasingly concerned about protecting not only their customer information but their intellectual property and trade secrets as well, said Amanda Steinbrecher, who attended the Friday workshop and works as an account executive for Time Warner Cable.
“There are so many things we can control that don’t cost money, and it’s about being prepared and educating yourself,” she said.
What are typical causes?
29 percent — Hacking
15.1 percent — Third-party vendors
12.5 percent — Physical theft
11.5 percent — Accidental exposure of data
10.9 percent — Employee negligence
10.2 percent — Insider theft
7.9 percent — Data in transit