No one is too small to hack

Smaller companies shouldn't be complacent in the thought that cyberattackers have bigger game in their sights.

As the White House and Congress consider new cybersecurity legislation, some middle-market companies may still be questioning whether the cybersecurity crisis is a real threat for their businesses.

The notion that a business might be too small or too boring for a cyber breach is a comforting fiction. The reality is that most cyber breaches are not the work of international criminal gangs or foreign intelligence operatives; they are attributable to the company's own employees. Mere negligence by even a well-intentioned employee can trigger substantial investigation and response costs, and an employee who is leaving to join a competitor or who simply carries a grudge against her boss can cause substantial competitive or reputational injury. But even a company that is lucky enough to avoid ever having an actual breach may be required as a condition of doing business to provide its commercial partners assurances of adequate data security. Thus, for even the rare company that can be confident it will never attract the attention of external cyberthreats, cybersecurity is still an essential part of risk management.

For some companies, cybersecurity compliance is expressly mandated by industry-specific regulations. For example, HIPAA's Data Security Rule is generally applicable to most healthcare providers and insurers, and the Gramm-Leach-Bliley Act imposes security standards on financial institutions. More broadly, the Payment Card Industry Data Security Standards are, by contract, binding on most companies that regularly accept payment by credit card. There are, however, many middle-market companies that are not subject to any industry-specific regulations and that do not regularly accept payment cards and may be led to the false conclusion that they are exempt from any requirements.

One of the most important lessons from the Target breach -- which has been attributed at least in part to lax security by a single HVAC vendor -- is that effective cybersecurity requires commercial partners with effective cybersecurity. Major public companies have responded by implementing or expanding data security requirements for their vendors and service providers. In the current environment, for many companies, cybersecurity is not just risk management; it is responsive customer service.

Another problem with the "too obscure to hack" theory is that cyberthreats sometimes are not specifically targeted to any particular business. For example, ransomware -- a malware designed to shut down a computer network unless a "ransom" is paid -- may be distributed broadly in the hope of finding vulnerable targets. Such malware does not discriminate based on the size or public profile of the affected business. Business disruption due to a cyberattack presents uncertain and potentially broad liability. The liability of a commercial party that breaches a customer contract because a computer virus shuts down the company's operations has not yet been extensively litigated, but a company that has not taken reasonable efforts to prevent such an attack will be a far less sympathetic defendant for the court and the jury.

The reality is that any company that maintains electronic employee job applications and personnel files or that routinely collects and processes consumer credit applications is in possession of personally identifiable information (PII), whose unauthorized disclosure may trigger state breach-notification laws. As recently highlighted by the White House, the current state breach-notification laws can impose substantial complexity and expense. Even the most innocuous breach can require investigation and response costs and draw the scrutiny of state and federal regulators. A classic example is the laptop computer containing unencrypted personnel files that is left in the back of a taxicab. The likelihood that the data on the computer will ever be used for identity theft or other financial fraud may be relatively low, but in most instances that will not excuse the company from providing notice to the affected employees and, in many states, the state attorney general. Notice of the "breach" may then result in broader inquiry by regulators into the company's cybersecurity generally. The cost of simply investigating and giving notice can be significant. The White House proposal to have a single national standard is a step in the right direction but will reduce these costs only at the margins. Most of these costs are driven by the basic policy decision that a breach threatening the security of individuals' PII should be publicly disclosed and subject to investigation in the discretion of the state and federal regulators. Unless and until that basic determination changes, even minor breaches can cause big disruptions.

In short, cybersecurity is a real concern for almost all businesses. Some of these issues may be driven by overbroad government regulations, or by overcautious commercial partners, rather than the reality of a company's actual security requirements. Admittedly, the expense and disruption of implementing these cybersecurity standards may be frustrating for cost-conscious executives, but the downside risk in litigation, business disruption and loss of competitive position for most companies will at least in the aggregate far outweigh the burden of compliance.

Matthew F. Prewitt is a partner at law firm Schiff Hardin. He is chair of the firm's Cybersecurity and Data Privacy Team, co-chair of the firm's Trade Secrets and Employee Mobility Team, and a member of the firm's e-Discovery Committee.

Join the CSO newsletter!

Error: Please check your email address.

Tags white housesecurity

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Matthew F. Prewitt

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place