Small and midsize businesses are increasingly at risk for data breach class-action lawsuits that typically have targeted large corporations.
Large companies are learning to address cyber threats. Hackers are responding by setting their sights on SMBs. It’s simply more productive and efficient to attack poorly protected companies that could take weeks or even months to notice they’ve been breached.
As the risk of exposure moves downstream, the associated class-action lawsuits surely will follow. Statistics from the Identity Theft Resource Center show that the number of data breaches reported in 2016 exceeded 2015 levels by 40 percent, a worrying upward trend for those in the small business sector who likely will bear a greater percentage of those breaches going forward. The data stores held by SMBs may be smaller, but they’re no less rich in value to hackers. They contain financial data, healthcare information and other tantalizing personal details.
Security falls short
Unfortunately, because SMBs often lag behind larger companies in the sophistication and scope of their defensive measures, they’re much more susceptible to litigation centered on charges of negligence or a lack of due diligence. Exposures in the SMB sector also could go undetected for long periods of time, leaving more records vulnerable and increasing the size of the victim pool that may be interested in filing suit.
Smaller firms’ responses to the risk of cyber attack and litigation depend largely on their industry. Even the smallest healthcare entities are typically well adapted to address potential data breaches and cyber risks. Long-standing mandates such as HIPAA—as well as a robust centralized breach reporting mechanism—have made companies in the medical space a little paranoid about their heavily regulated environment.
Behind the curve
Other small business sectors aren’t as prepared for the risk of a breach. Outside of healthcare, the professional services industry, including legal and accounting, is much less aware of where threats exist or which measures should be taken to mitigate them. Many small firms don’t understand their responsibilities regarding data privacy or how data breach notification laws apply to them. Without a good awareness of data privacy concerns, obligations and solutions, these businesses are easy targets for any hacker who happens upon them.
Litigation bills add up
Data breach class-action lawsuits can result in million-dollar judgments, but devastating costs may be incurred even if a settlement never materializes. A breached small business still needs to defend itself against litigation, and that takes money. Between legal counsel, forensic investigations, data recovery and any other steps the company may be required to take, they’re likely to incur significant financial penalties no matter which way the lawsuit goes.
Some SMBs are realizing they aren’t prepared for a cyber attack. The truly savvy ones are waking up to the prospect that, just like the professional and employment liability insurance they already have, it would be wise to pursue coverage to defray defensive and recovery costs around their cyber liabilities. With the specter of more breaches—and more class-action lawsuits—coming down the pipeline, SMBs must find a way to minimize the threat of exposures while also putting protective measures in place should they find themselves facing litigation.
Credit: EDUARD GOODMAN, SPECIAL TO THIRDCERTAINTY
We’ve collected these cyber security statistics for small businesses from a variety of sources.
The numbers show that small businesses are not only at risk of attack, but have already been attacked:
In the aftermath of these incidents, these companies spent an average of $879,582 because of damage or theft of IT assets.
In addition, disruption to normal operations cost an average of $955,429.
The types of cyber attacks broke out as follows:
The root causes of data breaches broke out as follows:
As cyber criminals continue to target small businesses, owners and employees need to know how to protect both their customers and themselves. There are cost-effective programs that help small businesses with breach preparedness and resolution.
Article published Jan 3, 2017
MISSOULA, Mont. - The IRS is warning of a new scam targeting those who are deaf and hard of hearing.
The following is a news release from the IRS:
Every day scammers come up with new ways to steal taxpayers’ identities and personal information. Some scammers pretend to be from the IRS with one goal in mind: to steal money.
Be aware that con artists will use video relay services (VRS) to try to scam deaf and hard of hearing individuals. Don’t become a victim. Deaf and hard of hearing taxpayers should avoid giving out personal and financial information to anyone they do not know. Always confirm that the person requesting personal information is who they say they are.
Do not automatically trust calls just because they are made through VRS. VRS interpreters do not screen calls for validity.
The IRS has procedures in place for taxpayers who are experiencing tax issues. If you receive a call through VRS from someone claiming to be from the IRS, keep this in mind:
The IRS Will Never:
Receive a Suspicious Call? Here’s What to Do:
To learn more about the latest tax phone scams, go to IRS.gov and type “scam” in the search field. IRS YouTube videos are available on a variety of topics in American Sign Language (ASL) with open-captions and voice over.
New advancements in how we file have made the process a little less painful, but have also left the door wide open for hackers, scammers, and identity thieves.
There are a number of tips to keep in mind as you file your state and federal taxes. These suggestions are meant to protect your data when you file, but can also work to secure your refund if your information has been compromised in the past.
The most common credentials are a combination of username and password, but those have lost a good bit of their protective powers. Next-generation credentials also are edging toward a precarious place. Here’s what you need to know about the dangers of compromised credentials and how to mitigate those risks.
The speed of work these days puts enormous pressures on InfoSec, IT and workers alike to rush the credentialing process. Employees, contractors and even vendors are rapidly credentialed with little attention given to security rules such as limiting access per job roles, enforcing secure passwords, and immediately revoking credentials after an employee moves on. These are but a few of the dangers that lead to compromised credentials.
When passwords and usernames linger long after an employee, contractor or vendor relationship has ended, criminals get to choose from a smorgasbord of credentialed identities with which to phish employees and even top executives.
And when automated systems render short, ineffective password choices or, conversely, overly long ones that users must write down to remember, they end up compromised quickly. Add to that any password sharing practices and security shortcuts during sign-ons (such as storing a password in a browser) and things get more precarious. Yet, all of this is common.
These practices represent significant risk considering that according to Verizon’s 2016 Data Breach Investigation Report, 63 percent of confirmed data breaches involved weak, default or stolen passwords.
Unfortunately, PINs and tokens can fall prey to shoddy security practices as can several of the next-generation credentialing protocols. This means the cost of data breaches will continue to escalate.
Per the Ponemon Cost of Data Breach 2016 report, the average cost of a breach has jumped to over $4 million per incident. That’s a 29 percent increase since 2013 and a 5 percent increase since last year. But this staggering figure doesn’t include damages to brand reputation, customer confidence, an executive’s career, or other related costs in damages or recovery.
Fortunately, companies can mitigate risks and regain control.
Policy makes better practice
The key to making effective policy is to consider the work processes and stagger the credential processes to fit. For example, a password may suffice for access to public-facing information with no transaction, identifying or sensitive information. These passwords should still be encrypted and protected, but they shouldn’t slow down the user.
On the other end of the spectrum, where access to highly sensitive information is needed, stronger, more complex passwords and security layers such as biometrics, cryptographic keys or out-of-band confirmation codes can be added.
The point is to match the security measures to the actual risk. But you also want to make your policy workable in the real world.
Consider asking users to think of a long sentence that means something to them and capitalize every second, third, fourth or other letter in every word. They also should use at least one symbol.
Also, it is a good idea to involve business users and executives in the policy development so that what you end up with is workable for all parties. This means better adoption and adherence.
Adding security tech, services to your arsenal
It’s important to not only use strong credentials, but to associate known behaviors with those credentials. If, for example, you know that Bill comes to the office on Tuesdays and Thursdays but works remotely the rest of the week and that he routinely accesses certain types of files, it becomes much harder for a criminal to use Bill’s compromised credentials undetected.
Monitoring activity such as password resets, unusual fund transfers, unauthorized account access reports, unexpected address changes, and public record alerts also are helpful in catching malevolent characters quickly.
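The Bill scenario above can be expressed as a small per-user baseline check. This is an added example, not part of the original article: the log tuples are constructed sample data, and the function names (`build_baseline`, `check_event`, `triage`) and reason strings are hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed history, one tuple per access:
# (ISO timestamp, user, location, file category).
# It mirrors the article's example: Bill is in the office on Tuesdays and
# Thursdays, remote the rest of the week, and touches the same kinds of files.
HISTORY = [
    ("2017-01-02T09:10", "bill", "remote", "contracts"),  # Monday
    ("2017-01-03T08:55", "bill", "office", "contracts"),  # Tuesday
    ("2017-01-04T10:20", "bill", "remote", "invoices"),   # Wednesday
    ("2017-01-05T09:05", "bill", "office", "invoices"),   # Thursday
    ("2017-01-06T16:40", "bill", "remote", "contracts"),  # Friday
    ("2017-01-09T09:30", "bill", "remote", "invoices"),
    ("2017-01-10T08:45", "bill", "office", "contracts"),
    ("2017-01-11T11:15", "bill", "remote", "contracts"),
    ("2017-01-12T17:50", "bill", "office", "invoices"),
    ("2017-01-13T09:00", "bill", "remote", "invoices"),
]


def build_baseline(history):
    """Learn, per user, where they work on each weekday, at which hours,
    and which file categories they normally open."""
    baseline = {}
    for stamp, user, location, category in history:
        when = datetime.fromisoformat(stamp)
        profile = baseline.setdefault(
            user,
            {"where": defaultdict(set), "hours": set(), "categories": set()},
        )
        profile["where"][when.weekday()].add(location)
        profile["hours"].add(when.hour)
        profile["categories"].add(category)
    return baseline


def check_event(baseline, event):
    """Return the list of reasons an event deviates from the user's baseline.
    An empty list means the event matches known behavior."""
    stamp, user, location, category = event
    profile = baseline.get(user)
    if profile is None:
        # A valid credential with no history at all deserves a look too.
        return ["no baseline for user"]

    when = datetime.fromisoformat(stamp)
    reasons = []
    if location not in profile["where"].get(when.weekday(), set()):
        reasons.append("unusual location for weekday")
    if not min(profile["hours"]) <= when.hour <= max(profile["hours"]):
        reasons.append("outside usual hours")
    if category not in profile["categories"]:
        reasons.append("unfamiliar file category")
    return reasons


def triage(baseline, events):
    """Keep only the events that deviate, paired with their reasons."""
    flagged = []
    for event in events:
        reasons = check_event(baseline, event)
        if reasons:
            flagged.append((event, reasons))
    return flagged


# Constructed new activity: one normal Tuesday, one login that uses Bill's
# valid credentials but matches none of his habits, and one unknown account.
NEW_EVENTS = [
    ("2017-01-17T09:05", "bill", "office", "contracts"),
    ("2017-01-18T03:12", "bill", "office", "payroll"),
    ("2017-01-18T10:00", "former_vendor", "remote", "contracts"),
]

if __name__ == "__main__":
    for event, reasons in triage(build_baseline(HISTORY), NEW_EVENTS):
        print(event, "->", ", ".join(reasons))
```

A correct password alone passes authentication for all three sample events; only the comparison against learned behavior separates the second and third from the first.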
Fortunately, security services can handle all of these issues. However, not all security services are created equal.
Differences in threat intelligence
One of the key areas that differentiates security services is threat intelligence. But that’s a broad term and the services offered may be unclear, so it pays to dig deeper for a better understanding.
For example, some security vendors rely heavily on Open Source Intelligence (OSINT) data that is publicly available and sometimes unverified. While there is value in shared threat information, it is difficult to authenticate and evaluate the threat when there is insufficient or unverified information available.
Security vendors who proactively scan Dark Web sites, hacker dump sites, hacktivist forums, file-sharing portals, data leaks and botnet exfiltration, and malware logs to both verify the publicly shared OSINT data and harvest additional threat data provide the most protection.
Closely evaluate what a security company means when it says “threat intelligence” before you sign on.
Compromised credentials will always be a potential problem but with the right partner, the risk can be contained.
In this day of ubiquitous digital information, it seems like it’s easier than ever to have your identity stolen. The Federal Trade Commission reportedly received 490,000 identity theft complaints in 2015, up from 341,898 complaints the previous year. In order to help keep your identity safe, it’s important to stay vigilant with your personal information.
Here are some things you can start avoiding immediately.
It’s not a good idea to give out personal information if you are on the receiving end of any call. Also, email is an insecure way to send information, and most legitimate companies would never request information be sent to them this way.
Example: the Internal Revenue Service will never call or email you — their correspondence is done via U.S. mail. If someone calls and says they are with the IRS and wants to know things like your Social Security number, hang up — it’s a scam.
Similarly, a bank or other financial institution most likely isn’t going to call and ask for your personal information. However, if it’s you initiating the call to a bank or other company, you may be asked to give your Social Security number, address, mother’s maiden name or PIN number as part of the way to identify yourself.
It’s not uncommon for most people to have dozens of online accounts and it may be pretty hard to keep track of all the passwords. You may fall prey to the temptation to make your passwords easy to remember, but it’s a good idea to curb that impulse. While any password can be discovered using a brute-force attack, make yours so difficult that the thieves move on to easier targets. Many security experts recommend that your password be at least eight characters, using one letter, one number, one symbol, and one uppercase letter.
In addition, avoid using the same password for everything — should one password be successfully hacked, you can bet hackers will use it to try other accounts. Even if your password is complex, it pays to change passwords every few months so if your account is breached, the thieves won’t always have ready access to your accounts.
You’ve probably heard this bit of advice before, but it bears repeating: shred all documents containing personal information that you no longer need. Secure your mailbox and never leave bills with checks inside a mailbox overnight to be picked up the following day. If you’re going on vacation, it’s a good idea to put your mail on hold or have a trusted family member or friend pick it up for you so it doesn’t sit in your mailbox.
According to an Equifax study from earlier this year, 40% of Americans are not pulling their credit reports each year, even though they are entitled to annual free copies. You can view your credit reports from the three major credit bureaus — Equifax, Experian and TransUnion — for free each year by visiting AnnualCreditReport.com.
Keeping a watchful eye on your credit reports can alert you to early signs of identity theft, like seeing new accounts you did not open or inquiries on your credit report that you do not recognize. If you spot these signs of trouble, you should immediately notify the creditor of the problem. It’s also a good idea to file a police report and notify the FTC. The earlier you intervene, the better. (You can also keep an eye out for sudden credit score changes by viewing two of your credit scores, updated monthly, for free on Credit.com.)
If you have young children, it’s a good idea to pull their credit files as well. Thieves attempting to cultivate new identities will often use an underage person’s information, as the theft may go undetected for years. Parents can request credit report copies for their children under the age of 18 to make sure their identities are not being abused.
While no anti-virus software can totally protect you from malware, it’s wise not to skip this piece of software. Once installed on your computer, malware can steal passwords and other sensitive information stored on your computer.
If you get a call from someone who claims your computer was hacked or has been infected with a virus, this is also most definitely a scam — these people will try and get your credit card information from you under the pretense of installing software on your computer. If they do install software, the software could also steal other information on your computer.
Consumer Reports reported that 3.1 million phones were lost in 2014. No matter how you get separated from your phone, your unlocked phone is a treasure trove of information. Passwords may be cached in your phone’s web browser, allowing thieves to gain easy access to online accounts; some people even keep their lists of passwords on their phones. Anyone who has the phone may be able to impersonate you online at social media sites, allowing them to request more personal data from your social media contacts.
Article contributed by Kristy Welsh, a consumer advocate who contributes to Credit.com, where this article originally appeared.
Identity theft is one of the hardest-hitting crimes that consumers face, largely because it’s easy to pull off. Whether through old-fashioned means like dumpster-diving or stealing your driver’s license, or through more sophisticated cyber crimes like hacking into a university network, thieves can make off with your entire identity before you even know your information was compromised.
There are a lot of steps that college students can take to prevent this crime. Passcode and password locking their hardware, shredding those pesky pre-approved credit card offers, locking their dorm rooms … the list goes on. But what too many college students aren’t aware of is the wide variety of crimes that fall under identity theft.
Most individuals typically envision identity theft as someone using their credit card or opening a new account in their name. And that’s still a major threat, with the overwhelming majority of cases involving financial identity theft. But don’t be fooled into thinking your identity is safe just because your credit card hasn’t been compromised.
So what are college students supposed to do to protect their identities? The first step is to understand the different ways identity theft can hurt you. From there, it’s important to safeguard your information, your documents, even your computer, and to keep others from nabbing your sensitive data. Never give out your university passwords, your account passwords, or even your personal documents. You can be implicated in any crimes that are committed under your identity, and you can face lifelong complications.
The article was contributed by Eva Velasquez, president and CEO of the Identity Theft Resource Center.
By Bob Meyer
Keeping employees happy and providing them with a solid benefits package is an ongoing task for employers. Employees are averaging about four to five years at a job versus the 20 to 30 years people used to spend at one place. To help hold onto valuable employees, employers are offering even more voluntary benefits these days. Some of the more common voluntary benefits that have been offered for years are dental, accident, vision and disability. It’s plain to see that benefits have to keep up with the times and technologies being offered. Now a new set of voluntary benefits are being offered such as critical illness, student loan reimbursement, pet insurance and paternity leave.
The most popular new benefit being offered these days is identity theft protection. According to a recent study by Willis Towers Watson, it is predicted that identity theft protection, which was offered by 35 percent of employers in 2015, could double to nearly 70 percent by 2018, making it the fastest growing type of employee voluntary benefit over the next couple of years. For this reason it is important for brokers and employers to be educated in this benefit and see the value it can deliver to employees.
Identity theft is a growing concern for many Americans and based on the numbers it should be a concern for everyone. It is said that about one of four Americans will experience identity theft. These days everything from checking your bank balance, to reading your Facebook feed to buying a new pair of shoes is all done from the convenience of our phones and computers. With more and more things being done digitally, your information is more accessible for hackers and thieves to access and use fraudulently.
Many people think of identity theft as fraudulent charges on their credit card, but identity theft goes much further than that and can be more complicated to resolve than just letting your credit card company know that you were not the one responsible for certain charges. For those who are not familiar with identity theft and various ways it can occur, here is a list of the major types of identity theft.
• Tax ID theft—An individual’s social security number is used to falsely file tax returns with the IRS or state government.
• Child ID theft—Children’s identities are very vulnerable because the theft of their identities often goes undetected for many years. Once the child reaches an age where they are looking to use their identity, the damage has already been done. According to the Identity Theft Resource Center, “The chance for a child’s information right now in this day and age, before they reach adulthood, to be compromised in a breach is 100 percent.” For this reason when employers are looking into offering employees identity theft protection they should make sure that the coverage includes spouses and children.
• Medical ID theft—This happens when someone’s personal information has been stolen to get medical services or to issue fraudulent billing to the victim’s health insurance provider. This is currently the fastest growing form of identity theft!
• Criminal Identity Theft—When someone fraudulently gives another person’s name and personal information (ex: driver’s license, date of birth, or Social Security number) to a law enforcement officer upon arrest or during an investigation. This type of identity theft can be very time-consuming and costly to resolve.
• Senior ID theft—Seniors are usually in constant contact with individuals that access their personal information such as medical professionals, caregivers and staff at long term care facilities. For this reason seniors are vulnerable and often the target of many scams.
• Social ID theft—A thief uses an individual’s name, photo and other personal information to create a phony account on a social media platform such as Facebook, Twitter, etc.
With all these different forms of identity theft happening, there is more and more stress surrounding the idea of becoming a victim of ID theft. For this reason employers are offering identity theft coverage as a way to help provide employees with a sense of security and help to improve financial wellness. Employers are seeing that by helping their employees with financial wellness, they are more likely to create a more engaged and productive workforce. When employees are stressed with the burdens of their financial well being they are more likely to be distracted and need more time off.
The stress is not just the fear of becoming a victim but the stress associated with resolving the identity theft once it has occurred. The Federal Trade Commission, which tracks identity theft statistics, estimates that “recovering from identity theft takes an average of six months and 200 hours of work.” In more complicated cases it may take even longer for the issue to be resolved. For employers this is a real problem because the agencies and authorities that must be contacted to resolve identity theft are not open in the evening or on the weekends. Therefore employers are left either paying for employees to resolve their issues while on the clock or paying for lack of productivity when an employee has to take time off to rectify the situation. Either way the employer ends up paying into the cost. By providing identity theft coverage the employer can help to save time and money and reduce stress for the employees.
Identity theft coverage is a rather new type of employee benefit being offered, so employers and HR professionals need to be familiar with the types of features often provided by identity theft providers and how those features can help to reduce employee stress and time away. When selecting an identity theft provider, here are some of the types of services you want to make sure are offered.
• Customer service line—Make sure that the provider selected has a line for employees to call for info once the employee’s identity has been compromised. These call services should help walk the victim of identity theft through the process of what they need to do. Also with these services many providers can even arrange three-way calls with credit bureaus and other agencies to help make sure things are going in an efficient and timely manner. Some providers even assign a customer service rep to the individual’s case from the time they call in initially. This is a great perk to have because it will save the customer time having to explain their situation to each new person they speak with.
• Reimbursement—Make sure that coverage purchased offers some type of reimbursement for time and money lost. Not only should the provider help to reimburse for any financial loss, they should also reimburse for the costs associated with time it takes to resolve the issue. For example if an employee needs to take two days off work to fly to another state to prove that they are who they say they are, these costs for time away from work can be reimbursed by the identity theft protection provider rather than the company having to pay the employee for the time taken off. Many identity theft protection providers will also cover cost of child care if someone needs to take time to rectify their situation.
• Resolution services—Many identity theft protection providers offer a $1 million guarantee. This means that the identity theft protection providers will spend up to $1 million to resolve your issues. Knowing when the company has spent $1 million on a specific case is impossible, so looking for a provider with an unlimited guarantee is a good way to make sure that the identity theft provider does not stop working to resolve the issue until it is fixed.
• Family Coverage—Knowing who is covered under that identity theft coverage is very important. Some providers price their products on a per person basis, others automatically cover the entire family under the policy. Being aware of this is very important because if the pricing is done on an individual basis the coverage may become very costly once the whole family is covered under the policy.
• Monitoring Services—At this point in time identity theft cannot really be fully prevented, but being aware of when your personal information is being used to do things such as make major purchases, change your address, or set up new utilities is key to resolving the issue in a timely manner. If an individual is alerted about their personal information being used and it was not authorized by them, they can notify the identity protection provider to help keep a better eye on their information and make sure it does not lead to bigger issues down the road.
Employers looking to offer identity theft coverage can offer this benefit on a voluntary or employer paid basis. On December 30, 2015, the IRS announced that identity theft coverage being offered to all employees can now be offered as a tax free benefit if the benefit is paid for with payroll deductions or is offered as an employer paid benefit. Prior to the December 2015 IRS announcement, this benefit was only able to be provided on a tax free basis if the employer had a history of breach. With this announcement the IRS is working to make it easier for employers to offer this benefit.
With identity theft it is not a matter of if it will happen but rather when it will happen. At some point all individuals will need to have this type of coverage, so the sooner it is offered the better. With rates for this type of coverage starting as low as four dollars per month with some carriers, can employers afford not to offer this coverage?
Bob Meyer is the President of Meyer Group, a benefits consulting firm that has been serving clients in the Midwest for over 35 years. Meyer Group helps to build and customize benefits packages for clients and brokers. Meyer is a University of Missouri graduate and is a diehard Mizzou football fan to this day. Meyer has a specialization in self-funding and Affordable Care Act compliance. He is a visionary with years of industry knowledge and he is always looking to be ahead of the curve in the benefits industry. Six years ago he launched Compliance Source, a company created to help companies navigate the laws surrounding the ACA and ensuring that companies remain compliant. Meyer's most recent venture is helping to launch a new consumer friendly website, FreedomIDdirect.com. His firm has been offering identity theft protection services for years to groups and associations but now in addition to helping groups attain this type of coverage, he is helping to make sure that the same great coverage can be offered to individuals at lower prices than leading competitors. Meyer can be reached at Meyer Group, 9201 Watson Road, Suite 300, St. Louis, MO 63126. Phone: 314-961-7077. Email: firstname.lastname@example.org. Website: www.myrgrp.com.
While it’s important to do everything you can to protect yourself from identity-related crime when you’re traveling, it’s equally important to do everything you can to protect your home and the breadcrumbs of your identity that you leave behind.
Every possible kind of identity-related crime exists in a dormant state in your home. In more forms and places and files than you can possibly remember, sensitive personal information stays behind, and only you can protect it.
Identity theft is a pandemic, and it can happen to you or your kids. Depending on how prepared you are, resolution can be as simple as a few phone calls to the identity theft service organization provided by your insurance company, financial services institution or employer, or it can take a lot longer. If you decide to go it alone, bear in mind that it’s no easy task to prove you were scammed to a retailer, a credit reporting agency, a bank investigator, a debt collector, a medical provider, a judge, the IRS or local or federal authorities.
So before you leave for a ride on the EuroRail or hit the links, campground or mountain trail, be sure you aren’t sharing your credit cards, identity, finances or medical files with a stranger.
Your personally identifiable information is a basic ingredient in all stripes of identity-related crime. In the night kitchen of data crime, it’s flour, and the thief’s ingenuity is the yeast. The rising and baking process happens wherever your information is used to commit fraud — a thief opens up accounts in your name with banks, credit card companies, etc. — and the cooling rack is when a fraudulent account winds up in debt collections.
The latest report from the Federal Trade Commission provides a breakdown of the most common kinds of identity-related crime. Tax and wage-related fraud led the way last year, followed by credit card fraud and a cattle call of other crimes.
Child identity theft is another major worry. Because child ID theft takes advantage of a financial nonentity and monitoring the credit reports of minors isn’t standard practice or even on the radar of most parents, it can take a long time to discover — a fact that fraudsters literally bank on. Children’s information must be kept secure at all costs.
Notify your bank, credit union and credit card providers that you are going away. This will keep your card from being frozen when you attempt to make a purchase or ATM transaction in a place outside your usual flight path. It also might help protect against invasions of your various accounts.
Since caller ID is one authentication factor used by many institutions, if a scammer has access to your home line and some of your records, they may be able to access your cash or credit. Sign up for transactional monitoring programs offered by your financial institutions so that you’re notified any time there is activity in your bank or credit accounts.
Also consider freezing your credit accounts so that no one, including you, can access your credit unless you thaw it.
Make sure the post office and your newspaper delivery service know that you will be out of town, and fill out the proper forms to suspend any deliveries while you are away. Overstuffed mailboxes are thief magnets.
It’s crucial to let your family members, close friends, doctors and lawyers know you will be on vacation. Folks need to know how and where to contact you if there is an emergency.
It’s also a good idea to provide copies of pertinent documents to those you trust in case your sensitive personal information is stolen while you are away. Alternately, you can scan sensitive identification documents like passports and licenses and store them on an encrypted, password-protected thumb drive, which you must keep very close. Then the only issue is remembering the (hopefully) long and strong password you use to access the data it contains.
Tell your home security company that you’ll be out of town, if you use one. They need to be even more sensitive to any activity around your home. If you invite someone to stay there in your absence, alert the security company of their presence.
There are plenty of strategies you can implement to protect your home while you’re away. Set lights on timers or find a trusted house sitter. But bear in mind, a significant percentage of identity thieves are related to or know the victim well.
Regardless of whether someone is staying there, make sure that every document containing sensitive personal information is filed in a completely secure environment (for example, a safe) or in a safe deposit box at your bank. While this should be part of your normal best practices, it is even more important when you are not around.
If you have reason to believe you’ve been a victim of fraud, be sure to monitor your credit for signs of identity theft. You can view your free credit report summary, updated each month, on Credit.com.
While doing these things may seem like a great deal of work at a time when your head is in vacation mode, don’t forget that no one has a greater interest in your personal and financial security than you.
Adam Levin is co-founder of IDT911 and Credit.com, where this article originally posted.