Keeping the Bad Guys Out of Your Business
Cybersecurity expert Dean Sapp of Braintrace offers tools and tactics that can help prevent a data breach at your organization.
Consider these sobering statistics: Almost 60 percent of data breaches occur at small businesses, and of those impacted, more than half (60 percent) go under within 18 months of the breach.
These facts were shared at a series of luncheons hosted by Zions Bank featuring Dean Sapp of Braintrace, who focused his remarks on current cybersecurity threats and the strategies that businesses and individuals can employ to prevent them.
“Sometimes there’s a hesitation to share things that are very, very real because they instill fear,” Sapp told his Boise audience. “Think of this as just information that you can consume. It’s data. And with data you can make good business decisions.”
In Sapp’s experience, many hacks are carried out by organized crime units: “Crime as a service,” he explained. “These are the folks that make it their business to steal money from American companies, plain and simple.”
Be on the Lookout for These Scams
He said almost every day Braintrace receives phone calls from clients whose email was hacked. “Maybe they changed the routing instructions to do a closing. And $75,000 went out the door,” Sapp said. “How are the bad guys getting in? Stolen passwords.”
He said the passwords used in a business play an important role in preventing a breach, and noted that passwords of 8 characters or fewer can be cracked in less than 1 second.
“The only true strength of a password is how long it is. Complexity matters not,” Sapp said. “For every new character, you’re adding entropy.”
In addition to outsiders, who account for 73 percent of data breaches, a considerable portion of fraud (28 percent) occurs inside organizations. Sapp calls these “errors and omissions,” such as an IT professional who was overwhelmed and couldn’t get security patches installed in a timely fashion.
“You need to have a plan to stop the 73% but you also need to think about how you stop your employees from making bad decisions,” Sapp said, noting that the answer is “good technical controls, good policy and procedure, and rotation of duty.”
In addition to sophisticated hacking, Sapp referenced more low-tech “classic” scams that use UPS or FedEx to confer legitimacy. “These are criminals who realize if I spend $25, it’s very likely that person is going to send me a check back for $450,” Sapp said. “Hackers understand business and ROI better than anybody. They know how much they want to spend to get you to give them money.”
Physical security is an important component to consider as well. “Everyone in the room should be thinking about this: Your printers and scanners all have hard drives on them,” Sapp said. “When it’s time for that unit to be sold, make sure you do everything you can to make sure it’s been forensically wiped.”
He said the number-one consumer of used American copier and printer machines is China. “They buy them by the boatload because they’re getting intellectual property for pennies on the dollar,” he explained. “Make sure whoever’s providing you these services are attesting that they are deleting the data. Or have them give you the hard drive and give an intern a hammer and just smash it.”
Preparing for a Data Breach at Your Business
Sapp advises small businesses to take the following steps to help protect against a potential breach:
- Get a risk assessment
- Follow the recommendations in the risk assessment
- Don’t trust IT to take care of it
- Adopt a security framework
- Secure your email
- Use a password vault
- Turn on multi-factor authentication
- Get a cyber insurance policy
In the event of a data breach, Sapp said, “Your first call is your internal counsel. Your second call is the FBI. They have agents in the field…and they have the best chance of getting your money back if someone has stolen it.”
He also recommends talking to your insurance representative (if you have cybersecurity insurance), following an incident response plan, and hiring an incident response firm.
Data breaches are costly, both in dollars and in customer loss. In fact, a data breach is the third-most important reason customers abandon an organization, Sapp said, citing research from the Ponemon Institute.
The dollar value of the average data breach in the U.S. is $7.35 million, with breaches at “mom and pop” enterprises around $400,000 to $500,000. “That’s big enough to put a small business out of business,” Sapp said.