High-profile data breaches of the Home Depot flavor may grab headlines, but smaller businesses are an increasingly attractive target for cybercriminals – and the shrapnel from those attacks hits their banking institutions.

In a report Symantec released last year, the firm found that attacks on businesses with fewer than 250 employees had risen over the past five years. The company found that 43 percent of spear-phishing attacks targeted small businesses, although Symantec did also clarify that those attacks were focused on a smaller cohort of that segment.

Kevin Powers, director of the cybersecurity policy and governance graduate program at Boston College, said small businesses are also especially susceptible to ransomware attacks. That’s because they probably haven’t invested as much in cyber defenses as their larger counterparts, or because they may not be aware of best practices.

In a recent talk at Boston College, FBI Director James Comey advised health care providers in particular to never pay the ransom, yet many small business owners do. They may not have backed up all their data; they need it back, and the attacker is likely asking for something in the range of $1,500. That can seem like a small price to pay to get your data back, but Powers warns that even if they do pay the ransom and get it back, that data may well be corrupted with even more malware.

It’s easy to see how cyberattacks can get costly, too. A Ponemon Institute Research Report, sponsored by IBM, found that data breaches cost U.S. companies an average of $221 per compromised record – and most of that in indirect costs, like customer turnover and reputational loss.

In a particularly high-profile case, Home Depot recently agreed to pay around $27 million in damages to banks and credit unions affected by its 2014 data breach. Those financial institutions that file valid claims will get a “fixed payment award” of $2 per card without proving their losses, while those that do prove their losses could get additional damages, up to 60 percent of their uncompensated costs.

Damages at small businesses are no doubt smaller than that, but in some instances, they can ultimately prove more costly and damaging. Home Depot will almost certainly survive the fallout from its data breach, but how often can your local mom and pop hardware store afford to cough up the ransom demanded in a malware attack?

Healing More Important Than Blame?

The issue can be a source of friction for the banking industry. Though breaches happen more frequently at retailers and other types of small businesses, it’s often banks that wind up responsible for replacing compromised debit cards, monitoring customer accounts – and reporting it to the state Office of Consumer Affairs and Business Regulation (OCABR).

“A lot of small businesses in Massachusetts don’t even realize they have a reporting requirement with the state. That concerns us,” said Bruce Spitzer, spokesman for the Massachusetts Bankers Association. “Everyone needs to know what the rules are and how to be compliant and report on a timely basis. Unfortunately, there are a lot of small businesses that don’t realize this, and it makes everyone who holds a card more vulnerable.”

State law requires any entity that keeps a customer’s personal information on record to notify the OCABR whenever a Massachusetts resident’s personal information is intentionally or accidentally compromised. If you browse the data breach notification report archives, which are publicly available online, you’ll notice that many of those reporting entities come from the health care and financial services sectors.

Yet nine times out of 10, those breaches are not actually happening at the bank or credit union that’s doing the reporting, said OCABR spokesman Chris Goetcheus.

“A lot of these breach notifications are being made because bank cards are being compromised at retail outlets,” he told Banker & Tradesman. In other words, bankers are simply reporting those breaches when they discover them.

It’s a point of concern for many state-chartered institutions and one the Division of Banks has taken to heart, Goetcheus said.

When banks are the ones regularly cleaning up the mess (or reissuing cards) after a breach, that might look to the general public like it was the bank that had the problem in the first place.

Gerald R. Gagne, member of the Boston-based firm Wolf & Co., said he’s seen banks occasionally just take the loss when a business customer’s account is breached, rather than take the potential reputational hit if they sternly admonish that customer to get their act together. He also said that banks are not reissuing cards as quickly as they might have in the past following a data breach.

Both Gagne and Powers also emphasized the importance of vendor management and due diligence, particularly with respect to the smallest outfits. Powers suggested evaluating the kind of server a vendor uses and how it backs up its data, for instance.

Even that might not be enough; there’s always the human factor to consider: “You might be doing everything completely right, but who are you hiring?” he said.

Banks Get The Blowback When Small Businesses Are Breached

by Laura Alix