The Miami Electronic Crimes Task Force, a multiagency U.S. Secret Service task force in partnership with the private sector, is at the forefront of the fight against cybercrime in South Florida. This task force recognizes South Florida as an epicenter of cybercrime in the United States. South Florida has been the point of origin for infamous cyber criminals like Alberto Gonzales, the mastermind of the TJX and Heartland data breach incidents, some of the largest cybercrimes in history.
Every year, the annual reports of cyber security giants such as Symantec, Kaspersky, and the like consistently identify two main sources of vulnerability for small businesses. First, small businesses operate under a false sense of security that they are too small to be of interest to cyber criminals. Second, the “insider threat” from untrained, well-meaning or outright malicious employees with network access presents a huge vulnerability for small businesses.
A National Small Business Association study found that 84 percent of small businesses today use laptops, and 74 percent use smartphones to conduct business.
Approximately 44 percent of these businesses have experienced cyber-attacks. In large part, this can be attributed to a lack of awareness of their vulnerability to cybercrime, which can threaten the life of a small business. On a larger scale, Target, a business with the requisite data security resources and necessary awareness, still became the victim of cyber criminals on a massive scale, jeopardizing both its brand and reputation.
According to the Trustwave Annual Report for 2013, it is estimated that 60 percent of small businesses, with 1 to 250 employees, that experience a major data breach of customer information will fail within 6 months. This is a sobering statistic that should challenge the false sense of security held by small businesses everywhere. Today more than ever before, cyber security must be a priority at the forefront of business decision making. A very simple, yet effective, cyber security protocol for a small business to follow is one that it may already be required to follow when it extends credit card services as a convenience to its customers.
A consortium of credit card companies (Visa, MasterCard, American Express and Discover) created the Payment Card Industry-Data Security Standard, which was ultimately inserted into credit card service contracts to address the risk of loss from their small business clients handling and storing sensitive data connected to credit card services for the customers of these businesses. The Data Security Standard requires six simple and straightforward, yet critical, steps that all small businesses should take to protect their data:
1. Use updated network firewalls and strict secure password discipline. “Password” is not a good password.
2. Use updated encryption to transmit and store Personally Identifiable Information (PII).
3. Use updated antivirus and anti-spyware programs, making sure to install all available software patches.
4. PII customer data must be physically as well as electronically secure.
5. Monitor and test these security measures constantly.
6. Write and enforce constantly updated Information Policies.
Following these steps makes it more difficult, and therefore less likely, that a cyber criminal will attempt an unauthorized intrusion of that small business. Following this protocol also provides a small business with a default defense to allegations of negligence regarding data security. Routine use and enforcement of this protocol provides a strong basis for the argument that the small business was acting in a reasonable manner in the handling of personally sensitive data.
David Sabot is an associate professor who has specialized in criminal justice and cyber crime at Johnson & Wales University’s College of Business in North Miami. He has also served as Staff Arbitration and Litigation Counsel for the Broward County Police Benevolent Association in Fort Lauderdale and as a practitioner in Orlando.