Small and mid-sized businesses worried after recent Equifax data breach

By now, almost everyone has heard or read about the recent data breach of Equifax, one of the three large credit reporting companies in the U.S. According to Equifax, as many as 143 million consumer records were compromised, with the potential for identity theft and other fraudulent actions.

Companies of all sizes are at risk of cyberattack

Equifax is a large company, with over $3 billion in revenue in 2016. Usually, news reports focus on cyberattacks against large companies like Equifax, Target, and Home Depot. This can lull small and mid-sized companies into thinking that they are not at risk from cyberattacks and that hackers are only after large targets. This is not true, however: smaller companies are increasingly targeted. Because they believe themselves not to be at risk, they often fail to invest in preventive measures, which include not only IT fixes but also processes, procedures and training.

Equifax data breach a wakeup call for all businesses

The Denver Post recently reported on several smaller companies that suffered damaging cyberattacks. These include:

• Grabresults.com, a California web design company, had all of its files encrypted after an employee clicked on an attachment to an email. This kind of attack, called “phishing,” has increased sharply in recent years. The attachment will load “ransomware” onto the victim’s network, which holds their data “hostage” until a ransom is paid. Fortunately, Grabresults routinely backed up all of its data using a secure outside service and was able to recover its data without paying the ransom.

• In 2016 Hyannis Whale Watcher Cruises in Massachusetts found a form of malicious software had infected its website, making it impossible for users to book tours, which is how the company sold 90 percent of its tickets. It took two days for a security company to remove the malware so that users could book tickets again, but it took six weeks for volume to return to normal. The company observed that because the attack took place several months before the peak season, the financial damage was not nearly as great as if it had occurred during the summer.

• An employee at Boomsourcing, based in Utah, tried to get access to company data without authorization, but because the company used software that monitored for this, it was able to prevent the unauthorized access. It now tracks user activity more closely using specialized software.

How can small and mid-sized companies protect against hackers?

It’s difficult to say if these companies could have prevented these breaches, but there are steps that any company can take to lower the risk of a cyberattack. These include training on how to spot phishing emails, keeping software (including anti-malware and anti-virus programs) updated, and restricting access to sensitive data. Having good password practices and other procedures also helps. Developing an incident response plan beforehand can also limit the damage, costs, and legal exposure if an attack does occur.

Businesses of every size are more at risk than ever from hackers and cyberattacks. And while small and mid-sized companies don’t have the resources to devote to cybersecurity that an Equifax or a Target does (and they got attacked anyway), there are steps that such companies can take to lower their risk that are effective and within their budgets.

If you’d like more information on how to lower your risks, please contact Spitz Legal Counsel at mark@spitzlegalcounsel.com or call at 720.575.0440.