Q&A with cyber crime expert Tim Francis

May 3, 2013

Timothy C. Francis is Second Vice President for Travelers Bond & Financial Products in Hartford, CT. Francis leads Travelers’ Business Insurance Management and Professional Liability initiatives and serves as Enterprise lead for Cyber Insurance. Reuters spoke with him about what small businesses need to know about cyber crime. 

Small business owners hear a lot about the dangers of cyber crime and how they should fear it, but what exactly should they be afraid of? What are some examples of how small businesses can be affected by cyber crime?

To put it simply, small business owners should be concerned about the potential for loss and exposure of confidential data, commonly known as a data breach, as a result of a cyber attack. Confidential data can pertain to customers, employees and the business and typically includes items like company account records, contact and address information, purchasing history, credit card and Social Security numbers and medical data.

Data breaches can have serious consequences for the person whose data is breached, as well as the company that collects and holds that data. Nearly all 50 states have laws governing notification if/when a customer’s data is breached, and notification can be costly. Actual costs will vary depending on how many records are involved, but generally speaking it costs about $200 total per record. This total amount combines the actual cost of investigating and alleviating the situation, potential liability and potential loss of future business to competitors.

Why are small businesses often more likely to be victimized than larger businesses? Is it simply a lack of resources devoted to cyber security?

A small business’s lack of resources is certainly part of the problem. While a large corporation may be able to invest heavily in sophisticated security strategies, with 25-person IT teams to ensure that every office computer is protected, small businesses simply do not have the money or the manpower. This unfortunately leaves a small business not only vulnerable to an attack, but also allows crimes to continue unchecked until they’re detected or exposed – at which time the losses can already be significant.

In addition, small businesses are sometimes used as a stepping stone for cybercriminals. Because small businesses often have contracts with large businesses, they can be targeted as an access point to the larger organization.

Verizon and Symantec have both recently released reports detailing findings about cyber security and small business. What are some of the main points that small businesses should be aware of?

Small businesses should be aware not only of the increasing pervasiveness of cybercrime, but also the most common types of cyber attacks that are taking place. For example, cybersecurity firm Symantec recently released a study noting that half of all targeted attacks in 2012 hit companies with fewer than 2,500 employees, and overall, targeted cyber attacks jumped 42 percent in 2012. Of that 42 percent, nearly one-third (31 percent) were aimed at businesses with fewer than 250 people, up from 18 percent the prior year.

In terms of attack methods, Verizon’s 2013 Data Breach Investigations Report (DBIR) revealed that hacking was the number one way breaches occurred and was a factor in 52 percent of data breaches. Common network intrusion methods included: weak or stolen credentials, such as a user name/password; malware use, such as malicious software, script or code; physical attacks, such as ATM skimming; and social tactics, such as phishing.

What kind of small businesses are especially vulnerable?

Retailers are targeted more by cyber criminals than others. To be competitive in the marketplace today most retailers have to reach customers through various channels and online portals, including websites, social media and blogs, among others. Many are also trying to gather information about their customers and potential customers. This creates a huge opportunity for cybercriminals who have many ways to access confidential business and customer information.

It’s important to note, however, that it’s not just the online businesses or brick-and-mortar stores that face threats from cyber attacks – any small business with a credit card machine, computer or tablet device is at risk. For example, each customer’s swipe of a credit card in a store provides data that is attractive to people who want to commit identity fraud.

The Verizon report breaks down the attackers into three categories — activists, criminals and spies. Can you elaborate on these groups and their motives?

For activists, their aim is to maximize disruption and embarrass victims. The methods used are quite basic and are more opportunistic in that they are not targeted at a specific individual or company.

For criminals, their actions are motivated by financial gain. They are more sophisticated and calculated in how they select targets, often using more complex hacking techniques than activists.

For spies, actions are often state-sponsored and a form of espionage. These types of incidents have received heightened media attention, in part because of the sophisticated tools spies use to commit the most targeted attacks. The motivations and goals behind specific attacks include obtaining intellectual property, financial data or insider information.

What are some basic things small businesses can do to avoid being attacked?

When it comes to cybercrime, the best offense is a good defense. As cyber risks continue to arise through new technologies, it is important to have the right protections in place before an incident occurs. For small business owners, this includes working with their insurance agent and broker to make sure all exposures that can be managed are covered and that employees are exhibiting behaviors that limit cyber risks.

Specific risk management strategies include: 1) Training employees to protect sensitive information, 2) Ensuring systems have appropriate firewall and antivirus technology and that security software patches are updated in a timely fashion, 3) Monitoring use of mobile devices and public Wi-Fi access for employees, and 4) Having a plan in place to manage a cyber event if one takes place – sort of like a fire drill.

Social media sites like Twitter and Facebook have been great tools for small businesses to help in marketing etc. Are they also creating openings for cyber criminals to attack companies?

Social media sites like Twitter and Facebook are being used more and more by small businesses to increase awareness of their business and its products/services. While they are often safe for marketing purposes, these social utilities should be used with the same caution and strategic risk management that applies to a small business’s website or other technological devices.

If, for example, a cyber criminal gains access to a small business’s Twitter handle or Facebook account, the business is at risk of dealing with reputational issues with customers. As we have seen with the AP’s most recent Twitter hack (an “activist” method), the effect of a cyber attack can create a visceral negative reaction among the public, so it’s important to have quick action plans in place to deal with an attack if/when it occurs.

Cyber crime isn’t going away. What are the areas you see that are of increased concern? Is mobile a growing exposure?

Mobile – and the increased use of Wi-Fi on mobile devices – presents particular cyber risks for small businesses because they are vulnerable to loss and/or theft. As businesses increasingly offer opportunities for employees and clients to access their services from a mobile device, the cyber risk in the event a device is lost or stolen also grows. Considering that hackers added malicious code to 58 Android apps, infecting 250,000 phones earlier this year, cyber risk is a serious threat.

In addition to business apps, people almost always add personal apps to their devices. In a world filled with this type of mobile technology, it is more important than ever that small businesses manage associated risks by making sure their employees’ devices have safeguards, such as password protection and tracking capabilities, so they can be located if they’re lost or stolen. It is also important to monitor whether the apps being downloaded on their mobile devices are malware and virus free.

The bottom line for small businesses is this: Hackers are getting more sophisticated every day, sometimes forming syndicates of like-minded criminals to share information and new techniques. Small businesses are increasingly in their crosshairs and they need to use every protection available to fight the growing cyber threat.



One comment


Great points made above regarding the data of others.

As important, though, is the small business’s own data and bank accounts. Little-known fact: banks are not liable for business bank accounts if they get hacked, only personal accounts - ‘Regulation E’.

Sole proprietors, not-for-profits, and small businesses may apply for CyberHeist insurance at http://www.cdiaus.com for as little as $100 per year.

Your choices:

1) Beg your banker for your money back
2) Sue your banker for your money back
3) Get your money back from CDIA

Posted by MScholl