Large-scale data breaches such as those at Target and Home Depot make the news, but smaller organizations are victims of data breaches as well. The problem is that most data breaches that happen to small or midsize companies are either not reported or do not make the news headlines. This in turn leads many small to midsize businesses (SMBs) to underestimate the risk that their company may be a victim of a data breach.
The New York Times has a really good article that documents a small business that suffered a data breach. It is insightful because it looks at the disruption and the financial impact to the business, and it raises awareness that breaches can and do happen to SMBs. The article is well worth your time to read in full. Here are a few highlights:
Take Eataly, the operator of more than two dozen upscale food halls in New York, Chicago, Italy, Japan and elsewhere. The company disclosed last month that the systems at its store in the Flatiron district of Manhattan had been breached. The hackers unleashed malicious software into its payment processing system that enabled them to potentially steal customer credit card information for several months of this year.
The impact of the breach is real:
“The disruption to our business, the extent of unanticipated costs and expenses, and the unwelcome frustration and concern caused upon our customers have all been, and continue to be, significant,” Eataly said in a statement.
Many SMB breaches are not reported:
One frustration for the authorities investigating these cases is that many attacks against small companies go unreported because the businesses are not publicly traded and are bound by fewer disclosure requirements.
SMBs are unsuspecting targets:
The FireEye investigation found that while many hackers are carrying out such “spear phishing” email campaigns broadly, some are aimed specifically at smaller retailers.
The hackers’ interest in small businesses illustrates their insatiable appetite for credit card numbers that can either be used by the hackers themselves or sold to others on black-market websites.
SMB breaches can be costly and can damage a company’s reputation:
In the case of Eataly, the company has taken a number of steps to notify its customers and investigate the incident. On May 1, the company bought a legal notice in The New York Times to alert its customers of the breach — along with posting the same notice on its website. Eataly also hired the law firm Norton Rose Fulbright and a forensic investigator to review the incident. And as retail giants often do when they are hacked, Eataly is offering complimentary identity protection services for any customers who were affected.
As more small business data breaches are disclosed, SMBs will become more aware that the risk of a breach is real. SMBs need to focus on data security just as they focus on sales, marketing and operations.