The rise in attacks has created problems for small businesses — but opportunities for companies that can protect them.
New federal laws have created business for companies that can help arm small businesses against attackers and for firms that can provide insurance policies to help small businesses manage the fallout.
Todd Morris, CB Insurance vice president commercial division, said cyber criminals are after information, money and control of computer systems to help them commit crimes.
“It’s a new world,” said Morris, who hosts cyber security seminars for local businesses.
Beginning in January, any company that provides technology supplies, services and systems with security requirements for the federal government must have a cyber security plan. That rule affects about 20 percent of the businesses in El Paso County that contract with the government, including the three Air Force installations and Army installation in El Paso County, said Tom Elam, Colorado Procurement Technical Assistance Center director.
“The cyber security plan is a deterrent to keep other guys from getting our information,” Elam said. “(Businesses) look at this as another piece of the puzzle — if they have a contract, they realize they have to do this.”
The rule is a natural progression in protecting government agencies and military installations from Internet terrorists, said Michael Semmens, president and founder of Imprimis, Inc., a Colorado Springs firm that provides technical services, modeling and simulation and training with missile defense to government agencies. Government agencies already have deployed strict cyber security methods within their ranks.
“The bad guys will try to go into small companies that don’t have the best security and get to the big guys through the back door,” he said.
But all small businesses, not just those doing work for the federal government, need iron clad cyber security plans, Semmens said. There already are court rulings on cyber crimes that hold companies liable for information stolen from them.
“The government is forcing this on defense contractors for good reason,” he said. “If every small business understood the potential liability of an attack, they would be alarmed.”
Western Cyber Exchange
If an employer cannot show that they have done everything they could to prevent a cyber attack, then they could be held responsible for the damage caused to a client because of stolen information.
“If I’m sitting here as an employer and someone attacks data, and steals your identity and you suffer damages and I cannot prove that I have done everything to protect that data, I will be responsible for your loss,” Semmens said. “That is huge.”
His company was attacked last year through one its vendors. The hacker used the vendor’s computer to place millions of dollars in orders to be delivered to locations across the country. Imprimis found the phony orders before they were sent or anyone lost money.
“What would I have been responsible for if they had stolen all that stuff — this is real,” he said.
Semmens is part of a local group of business leaders and government officials that formed the Western Cyber Exchange, a nonprofit organization, to help small businesses combat cyber crime and protect themselves should there be a breach.
“One of the problems that all businesses are going to have, particularly small businesses, is they won’t have the money to ramp up this great security plan,” Semmens said. “The idea (of WCX) is to help with information and training and provide technical services.”
The details and finances of WCX are still being worked out but the organization expects to be fully operational in the next few months, said Doug DePeppe, cyber security consultant and cofounder of WCX. DePeppe also is a former attorney-advisor for National Cyber Security Division, Department of Homeland Security.
He said that while telecommunications and Information Technology sectors have more robust cyber security plans, small businesses are new the game.
“Everyone is playing catch up — all defenders are playing catch up to the adversary who has a natural advantage,” DePeppe said.
A cyber security plan should include employee education, outline a response team and assign responsibilities in the case of a breach and detail a remediation strategy.
The top three causes for a data breach are lost or stolen computing devices, third-party snafus and unintended employee action.
“The most important piece is employee education,” Morris said. “Companies take for granted that we know what we should and shouldn’t do.”
The case of liability
Cyber security has been elevated from an IT issue to a business issue, Morris said.
Any company that does business over the Internet has exposure, Morris said. That goes for small businesses that just have a website or email capability. One of the goals of hackers is to control computers, to give it instruction to do things, like place orders or illegally download information.
There are two major exposures that a business faces: cyber security and privacy liability, Morris said. If a company is hacked and information is compromised the company, by Colorado law, must notify the clients whose information was stolen.
“Health care and higher education organizations that have a lot of personal identification information have been addressing this issue for quite some time because they are the biggest targets,” Morris said. “But, to most small to mid-size companies, in El Paso County, it’s far down on the list from the state of the economy and any of the other issues the organization is facing.”
Now, negligence cases related to cyber security and hacking are being filed more regularly, DePeppe said. And cases are going both ways — sometimes the business that was hacked is held liable for the losses of the client; sometimes the client is just out of luck, he said.
Businesses are now buying insurance to protect themselves against cyber criminals. Three years ago, less than five percent of CB Insurance business customers purchased cyber crime insurance. Now, between 25 and 30 percent of its customers have the insurance, which can cover the costs of notifying clients when there is a breach or cover the cost of damaged equipment when viruses spread, Morris said.
And, there is a privacy liability policy, which pays for third party claims when a client has suffered damages because his personal information was stolen from your business. There is not a lot of precedence in the courts as to how those claims payout, Morris said.
“The courts are still trying to figure out who is liable to pay for those and what the limit should be,” he said. “Now, there is talk that damages can be awarded even if the individual has not incurred a loss, but because the information has been breached the fear of potential identity theft could be included in damages.”
Cyber criminals have changed, Morris said. The once experimental hacker has evolved into a sophisticated criminal who uses business computers and networks to commit crimes.
“They are no longer just going after the big boys,” he said. “They are going after small to medium size businesses who haven’t dedicated resources to address this issue.”
For more information about the Western Cyber Exchange, visit http://www.rmtech.org/cyber/
For more information about the next CB Insurance cyber security seminar email email@example.com.