The message coming out of a Technology Forum of Delaware roundtable this week on cybersecurity was clear – small and mid-sized businesses are more vulnerable than larger enterprises.
Panelists said that despite the headlines involving large organizations, like Target and Home Depot, small businesses may be more tempting targets, due to the lack of procedures and technologies aimed at protecting information.
Many businesses have progressed beyond common passwords for each computer and often have antivirus software and firewalls.
That may not be enough.
Moderator Greg Gurev, president of information technology services company MySherpa, Wilmington, said attacks are not limited to overseas criminals, but can also come from disgruntled former employees or burglars breaking into offices.
My Sherpa information security consultant James Sproat said cybersecurity procedures often center on “yesterday’s threats” and not on the the more frightening “elephant graveyard” of current and future cyber attacks.
Such attacks can include hackers shutting down a computer network and demanding “ransom” in return for access. It can also be as simple as an official looking letter or E mail message asking for a bank routing number.
All panelists urged businesses to have clear policies and to have continuing employee education efforts in place, even if it means a 15-minute-a-month briefing. It is also important to know the types of information that are actually housed within computers and file services.
Policies should clearly spell out designated leaders and decision makers in the event of a cyber attack or data breaches as well as available legal, IT, insurance and other resources.
Sproat said accountants and consultants need to know the types of information that might be in their files from clients. He pointed to the example of an information technology audit finding an accounting firm unknowingly had credit card information from a client.
IT audits are increasingly focusing on mobile devices that are essentially computers capable of storing large amounts of information, Sproat added.
Panelist Robert F. Sabol, vice president and risk management advisor for Lyons Companies, Wilmington, stressed that insurance is available, taking note of the $150-plus per customer cost of dealing with a data breach.
Companies do not need a full security regimen in place, according to Sabol. More often than not, companies cannot answer yes to all questions in the coverage questionnaire. In many cases, companies agree to have policies, technologies and procedures in place within a year.
Carl N. Kunz, III of the law firm of Morris James said businesses are becoming more serious about cyber threats, since they face laws “with teeth” in regard to privacy protection and compromised data.
For example, nearly all states have laws requiring notification of data breaches to those affected. However, the laws are all different, Kunz noted.
The Technology Forum of Delaware provides educational events and networking opportunities. To join or learn more about future events, click here.
