The average cost to a U.S. business of a lost or stolen record containing customer information is $201, according to the 2014 Cost of Data Breach Study conducted by the Ponemon Institute for IBM. The most expensive incidents are due to malicious attacks, not to human error or process failure. That’s a problem for your business.
Mega-retailer Target may have had to pay cash to counter its late-2013 data hack, which reportedly affected up to 110 million customers, but it was lucky. Similar breaches have resulted in the destruction of companies.
“If you get it wrong, your business can be erased,” says Ken Ammon, chief strategy officer at Xceedium Inc. in Herndon, Va. Xceedium sells platforms used by government and major corporate customers to manage access privileges on information systems. Ammon urges startups, even those in their early stages, to pay extra attention to the security of data. We asked him to tell us more.
The Target breach apparently came about through an HVAC contractor. How can companies protect themselves?
Ask more questions and take a harder look at your suppliers. Target’s HVAC providers should have had limited access to the company’s system. Can your system be walled off to limit access based on a user’s role? Platforms create a stronger authentication system, with two-factor authentication and a single sign-on, and small businesses can often get access to them through their IT providers. Many of our clients are major systems integrators that sell our service to their small-business clients.
What if you’re the vendor working with a larger company? How can you assure your client that you won’t cause problems for them?
If you’re targeting larger companies, you have to be in touch with what matters on security. No matter the access system, contractors need to show that they are monitoring employees and setting boundaries. You definitely should be looking into tools and processes. A good step is two-factor authentication and password rotation for administrators.
Should businesses be more concerned about someone hacking into their systems from outside or from inside?
In a way, it’s the same. Hackers use techniques that take advantage of an unwitting insider. They can use LinkedIn to find out the names of your administrators and the systems they use, and then send a spear-phishing email to hijack their credentials.
Then you have the Edward Snowden problem—an insider who wants to steal your data. The lower your security defense, the more tempting it will be, [and] the harder it will be to get caught.
What are some basic recommendations for startups?
If you have a “bring your own device” (BYOD) policy, you have to protect yourself before these phones and laptops connect to corporate infrastructure. You have to take a look at endpoint security. Establish a security policy and educate users. Make sure you cover what is allowed and disallowed, and include the penalty for violating the policy.
Security training has a substantial return for reducing risk, so train and support your users.
Use managed or cloud-based services for delivering office automation support platforms such as mail, calendar and office applications. Make sure the provider offers two-factor authentication support for administrators. Don’t let your small-business IT provider sell you antiquated offerings.
There’s an advantage, though. What you save from BYOD and cloud computing, you should put into security.