CHICAGO (Reuters.com) - A couple years ago a crippling cyber attack on one of Nanette Lepore's haute couture boutiques served as a wake up call for the fashion retailer to get serious about its online security.
In 2007, Nanette's Las Vegas store had its router hacked by a cyber criminal and confidential point-of-sale information was accessed, potentially impacting hundreds of the company's well-heeled patrons. The sensitive data was then transferred to Italy, where it was used to create phony credit cards that were subsequently distributed in Spain.
After a meeting with FBI and local crime officials, the Caesars Palace store was shut down during crucial Saturday shopping hours, but the company gained a valuable lesson about protecting its data.
"If they can gain access to your network routers, you're pretty much an open book," said Jose Cruz, Nanette Lepore's director of information technology, who has since developed a Fort Knox-like security protocol for the confidential information flowing through the company's 10 boutiques and its New York headquarters. "The first thing I did was lock it all down."
Unfortunately Nanette Lepore is not alone among small and medium-sized businesses for its lack of planning for a cyber attack. A new study issued by the National Cyber Security Alliance and software company Symantec confirmed that small businesses are among the most vulnerable to Internet crime due to their unstructured approach to online security.
The study found only 28 percent of small businesses have formal Internet security policies, despite the fact they store valuable data such as credit card information, financial records, intellectual property and other sensitive content online. Only 35 percent of the small businesses polled provided any training to employees about Internet safety and security, according to the study, which surveyed 1,500 firms across the United States. At the same time, 86 percent of respondents had no single individual focused on IT issues.
"Small businesses are increasingly vulnerable to cyber attacks," said Michael Kaiser, executive director for the National Cyber Security Alliance. "We know from evidence we hear when we talk to people in law enforcement and others about cyber crime that small businesses are pretty robust targets."
Kaiser said he was particularly concerned about the study's disclosure of the lack of Internet protocol and employee training on the part of small companies, a trend that could be exacerbated in a recessionary environment, where budgets are strapped.
"If you're not engaging your employees, saying this is how you protect the data you have, how you protect your customers, the employees that work here, our important financial information, it creates a pretty significant vulnerability," he said. "That's the one that jumped out at me."
Beyond attacks that steal confidential data, is the increasing threat of malware - software programs that infiltrate a computer unbeknownst to the user and perform illegal tasks such as sending out spam email or crashing a network, noted Kaiser.
PREVENTIVE STEPS
Kaiser pointed to simple, preventive steps that small companies could take with little additional cost to their bottom line. These include regularly updating the software already purchased, ensuring that virus protection programs are installed, and keeping Web browsers current.
In addition, Kaiser urged management to talk to employees about changing their passwords on a regular basis and making them more complex. Internet service providers (ISPs) as well are becoming more concerned about protecting their small business clients' data and can serve as a valuable resource.
"We obviously want to see a more proactive approach," said Kaiser, whose organization is a public-private alliance between the Department of Homeland Security and technology companies such as Cisco and Microsoft. It operates a Web site (www.staysafeonline.org) that includes Internet security resources for small companies.
Douglas A. Brush, a computer forensic investigator in New York, said many small businesses fall into Nanette Lepore's ranks, overlooking important data security safeguards until a harmful event forces them to react.
"Unfortunately so much in the small to mid-sized market is how do we put out the fire, rather than how do we fireproof the house," he said. "It's scary the amount of information I come across - people just leave too much sensitive information out in the open."
In down times data protection often takes a back seat to more urgent matters, such as meeting payroll and finding new business, experts said. Businesses are also exposed to additional threats, such as exiting employees who may have an axe to grind, said Mike Spinney, a senior privacy analyst with the Ponemon Institute, a Michigan-based research firm specializing in data security.
"People are being laid off, walking out the door with information," he said.
Since 2005, when the Privacy Rights Clearinghouse began tracking data-breach incidents, more than 250 million customer records have been lost or stolen, according to a January 2009 Ponemon report. The average cost of each stolen record, including legal fees and related expenses, is about $202, but Spinney said small companies tend to have higher costs, because they don't have economies of scale. Spinney added cyber attacks on small companies don't get the attention by law enforcement that big breaches, such as the 2007 theft of more than 40 million T.J. Maxx and Marshalls credit cards, brings.
It's all enough to keep IT watchdogs like Cruz on his toes, who said Nanette Lepore has tripled up on its security: "We literally have three layers of firewalls to come through before you can get on the network."
Source: Reuteres
In 2007, Nanette's Las Vegas store had its router hacked by a cyber criminal and confidential point-of-sale information was accessed, potentially impacting hundreds of the company's well-heeled patrons. The sensitive data was then transferred to Italy, where it was used to create phony credit cards that were subsequently distributed in Spain.
After a meeting with FBI and local crime officials, the Caesars Palace store was shut down during crucial Saturday shopping hours, but the company gained a valuable lesson about protecting its data.
"If they can gain access to your network routers, you're pretty much an open book," said Jose Cruz, Nanette Lepore's director of information technology, who has since developed a Fort Knox-like security protocol for the confidential information flowing through the company's 10 boutiques and its New York headquarters. "The first thing I did was lock it all down."
Unfortunately Nanette Lepore is not alone among small and medium-sized businesses for its lack of planning for a cyber attack. A new study issued by the National Cyber Security Alliance and software company Symantec confirmed that small businesses are among the most vulnerable to Internet crime due to their unstructured approach to online security.
The study found only 28 percent of small businesses have formal Internet security policies, despite the fact they store valuable data such as credit card information, financial records, intellectual property and other sensitive content online. Only 35 percent of the small businesses polled provided any training to employees about Internet safety and security, according to the study, which surveyed 1,500 firms across the United States. At the same time, 86 percent of respondents had no single individual focused on IT issues.
"Small businesses are increasingly vulnerable to cyber attacks," said Michael Kaiser, executive director for the National Cyber Security Alliance. "We know from evidence we hear when we talk to people in law enforcement and others about cyber crime that small businesses are pretty robust targets."
Kaiser said he was particularly concerned about the study's disclosure of the lack of Internet protocol and employee training on the part of small companies, a trend that could be exacerbated in a recessionary environment, where budgets are strapped.
"If you're not engaging your employees, saying this is how you protect the data you have, how you protect your customers, the employees that work here, our important financial information, it creates a pretty significant vulnerability," he said. "That's the one that jumped out at me."
Beyond attacks that steal confidential data, is the increasing threat of malware - software programs that infiltrate a computer unbeknownst to the user and perform illegal tasks such as sending out spam email or crashing a network, noted Kaiser.
PREVENTIVE STEPS
Kaiser pointed to simple, preventive steps that small companies could take with little additional cost to their bottom line. These include regularly updating the software already purchased, ensuring that virus protection programs are installed, and keeping Web browsers current.
In addition, Kaiser urged management to talk to employees about changing their passwords on a regular basis and making them more complex. Internet service providers (ISPs) as well are becoming more concerned about protecting their small business clients' data and can serve as a valuable resource.
"We obviously want to see a more proactive approach," said Kaiser, whose organization is a public-private alliance between the Department of Homeland Security and technology companies such as Cisco and Microsoft. It operates a Web site (www.staysafeonline.org) that includes Internet security resources for small companies.
Douglas A. Brush, a computer forensic investigator in New York, said many small businesses fall into Nanette Lepore's ranks, overlooking important data security safeguards until a harmful event forces them to react.
"Unfortunately so much in the small to mid-sized market is how do we put out the fire, rather than how do we fireproof the house," he said. "It's scary the amount of information I come across - people just leave too much sensitive information out in the open."
In down times data protection often takes a back seat to more urgent matters, such as meeting payroll and finding new business, experts said. Businesses are also exposed to additional threats, such as exiting employees who may have an axe to grind, said Mike Spinney, a senior privacy analyst with the Ponemon Institute, a Michigan-based research firm specializing in data security.
"People are being laid off, walking out the door with information," he said.
Since 2005, when the Privacy Rights Clearinghouse began tracking data-breach incidents, more than 250 million customer records have been lost or stolen, according to a January 2009 Ponemon report. The average cost of each stolen record, including legal fees and related expenses, is about $202, but Spinney said small companies tend to have higher costs, because they don't have economies of scale. Spinney added cyber attacks on small companies don't get the attention by law enforcement that big breaches, such as the 2007 theft of more than 40 million T.J. Maxx and Marshalls credit cards, brings.
It's all enough to keep IT watchdogs like Cruz on his toes, who said Nanette Lepore has tripled up on its security: "We literally have three layers of firewalls to come through before you can get on the network."
Source: Reuteres
No comments:
Post a Comment