Why you should care
Marriott and Equifax make headlines. But it’s smaller businesses that might be a bigger threat.
It was a cautionary tale. In 2016, once mighty internet company Yahoo revealed it had suffered two data breaches in 2013 and 2014, the latter compromising 500 million usernames, email addresses and telephone numbers, the former 3 billion users’ data. Yahoo had already negotiated its own sale to Verizon — but the damage to its reputation dropped that price by $350 million.
It’s an extreme example, but data security breaches don’t just hit major companies. In fact, breaches at small and midsize businesses — only 60 percent of which say they have a plan in case of such an incident — could hit their customers even harder.
In 2018, 67 percent of small and midsize companies reported being hacked within the past year, compared to 55 percent in 2016.
That’s according to a yearly study by the Ponemon Institute and IBM Security on small-business cybersecurity in the U.S. and U.K. By comparison, a Thales survey of midsize to large companies in 2019 found that 30 percent in the U.K. and 36 percent in the U.S. had been hacked during the past 12 months. Research suggests that 60 percent of small businesses go out of business within six months of a cyber attack. The Ponemon Institute study found that from 2016 to 2018, the average cost to small and midsize businesses from damage or theft of IT assets went up 62 percent, to $1.4 million.
Media coverage over the past few years may have made people more aware of cybersecurity and the precarious protection of data, but that coverage often focuses on massive breaches by giants like Marriott or Equifax. Emory Roane, policy counsel for Privacy Rights Clearinghouse (PRC) — a U.S.-based organization that has been collecting information about data breaches since 2005 — says a closer look at the records reveals that small businesses may be a bigger threat to user data. A breach at a small business typically exposes fewer than 100,000 records, compared with millions at a large company, but the records themselves can be far more sensitive: “that small mom-and-pop CPA will have exposed your entire financial account history, your social security and tax filings,” says Roane.
The average number of records lost in data breaches to small and medium businesses more than doubled between 2016 and 2018 — it now stands at more than 10,000. But consumers are becoming better armed against hackers. In the past, says British computer scientist and activist Lauri Love, data breaches weren’t disclosed as readily as they are today, which means more people are becoming aware of encryption and those skills are becoming ingrained. While cryptography is “still a young science or young art,” says Love, the public is now realizing they should have long passwords, change their passwords often and use tools like a password manager and two-factor authentication.
In terms of solutions, Love — who successfully fought extradition to the U.S. after he was accused of hacking the U.S. government — mentions his own vulnerability research, in which he found flaws detrimental to an organization’s cybersecurity and alerted the organization to them. “You used to get a bounty for finding fugitives,” Love explains; with a “bug bounty,” he says, “you find something wrong in the system, you tell the company and they say, ‘Thank you very much’ or ‘No, we already knew about that.’” The company may reward the hacker financially.
Such bounties are becoming increasingly important, and as such, they’re more organized than in the past: A bug bounty platform called HackerOne has said that one of its hackers made $1 million through the method, reporting more than 1,600 security flaws to Twitter, Verizon and other companies. Many big tech companies, including Apple and GitHub, have bug bounty programs. Jeffrey Massimilla, vice president of global cybersecurity at General Motors, has called hackers “an essential part of our security ecosystem.”
Roane points to a need for better regulation. He says the U.S. would benefit from copying the European model of the General Data Protection Regulation, which obliges companies to disclose every touchpoint where they may be using or storing personal information. “[It] gives users real control, real choice, over their information,” says Roane, and prevents the hoarding of data left vulnerable when a breach occurs.
The Breach Level Index, an online database run by security company Gemalto, found that while data breaches are becoming more numerous worldwide, the number in the U.S. is actually falling. The first half of 2018 saw more than three billion records compromised, compared to just 550 million in the first half of 2016. But the number of breaches (a step beyond compromise) in the U.S. fell from 728 in the first half of 2016 to 540 in the first half of 2018. Fifty-nine percent of all attacks in the database were still located in North America, but that was down from 79 percent. Meanwhile, PRC’s database of data breaches showed a dip of 4 percent in the number of incidents between 2017 and 2018. While not quite a trend just yet, it could be an indication that one thing Americans have realized is that it’s time to get more cyber-savvy.