The data breaches at Target and Neiman Marcus have expanded, as millions of consumers' personal information has been stolen. Large retailers naturally are paying more attention to securing data, but the threat may be heightened for small to midsized businesses.
Smaller ventures are particularly vulnerable because cybercriminals know they likely spend less to protect their digital information and infrastructure. Cheaper security measures also tend to be static, meaning those systems don't evolve to keep up with criminals' newest tricks.
It's not like small businesses haven't already felt the wrath of breaches before. Last year, 31 percent of all attacks were aimed at companies with less than 250 employees, according to Symantec's 2013 Internet Security Threat Report. Data breaches "already are happening among smaller employers. It's not happening with any lower frequency than the Targets you're reading about," said John Rose, a security expert and senior partner at The Boston Consulting Group.
"Security is a dynamic environment," said Pat Calhoun, senior vice president at McAfee, which is part of Intel and offers security solutions. "It's not just a single firewall and you leave it alone." Less ambitious, fixed security measures in turn attract cyberthieves because those stagnant systems allow criminals to more easily nab personal data--then slip away undetected for as long as possible.
So how can upstarts protect themselves against crime? A regular monitoring of online security is a start. Los Angeles-based Art of Tea is a tea importer and wholesaler with a staff of 25 in the U.S., plus additional support in Asia and India. The team includes two people who are dedicated to security as the bulk of its business is done online, said business owner and Chief Executive SteveSchwartz.
Art of Tea's online security system costs roughly $100 a month, plus an additional charge per online transaction, Schwartz said. The system alerts the small business when there's suspicious activity, just the way a consumer is alerted to an odd credit or debit card transaction.
Schwartz said security is a priority because cybercriminals don't discriminate based on business size. "We're just as sensitive and susceptible to what's happening with Neiman Marcus," he said.
Target and Neiman Marcus
Target on Dec. 19 confirmed about 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15 last year, according to a statement. But there was more. On Jan. 10, Target revealed the data breach was in fact larger. Now up to 70 million consumers have had their personal information stolen including names, mailing addresses, phone numbers or email addresses, according to a statement.
Neiman Marcus last Wednesday said cyberthieves could have attempted to steal data from up to 1.1 million customers from July 16, 2013, to Oct. 30, 2013, Neiman Marcus Group President Karen Katz said in a statement on its website.
A merchant processor in mid-December last year notified the Neiman Marcus Groupof potentially unauthorized payment card activity that occurred after customer purchases at the company's stores including Neiman Marcus and Last Call. There have been no reports of fraudulent activity after purchases at Bergdorf Goodman, a spokeswoman said in an email.
Cyberthieves holy grail
Security experts say pursuing malfeasance undetected for as long as possible is the holy grail among cyberthieves. "When cybercriminals are going after intellectual property and financial data, their goal is to extract data and to do it stealthily," said Calhoun of McAfee.
A white paper from McAfee last July noted attackers who masterminded a major cyberespionage case in South Korea had remained hidden for years prior to the attack last March. The criminals zeroed in on multiple targets including banks and news agencies.
But whether the target is multinationals or mom-and-pops, awareness about cybersecurity is the first step toward a solution.
Roughly 77 percent of small firms believe their company is safe from a cyberattack--even though 83 percent of those firms do not have a written security policy in place, according to the National Cyber Security Alliance and Symantec. And unlike larger firms that could absorb a data breach, the consequences can be much more catastrophic for a smaller venture.
Digital data stewards
Wary consumers, meanwhile, are thinking twice about that next card swipe, maybe even walking a few extra blocks to get cash from a trusted bank. So what's the net effect?
Going forward, the retail data breaches may trigger more public awareness and even activism about the Internet and related issues including the volume of accumulated personal data. Rebecca MacKinnon, an expert on global Internet policy, argues public awareness about Internet liberties will grow in the way once-fringe environmental concerns moved into the mainstream.
Other experts say the retail data breaches and broader concerns about digital privacy--including whose monitoring your email activity--are pushing consumers to place more importance on companies and brands that protect personal data. In other words, customers increasingly are shopping for products and services with an evolving checklist that includes price, product quality--and which company is going to protect your personal data.
And with the proliferation of mobile devices and e-commerce, companies large and small that don't rate high on data stewardship stand to lose business. Said Rose of The Boston Consulting Group, "What's at stake is you will switch retailers, you will switch banks, switch credit card providers."