The costs associated with computer and website attacks can run well into the thousands and even millions of dollars for a small company. Many small businesses have been attacked — 44%, according to a 2013 survey by the National Small Business Association, an advocacy group. Those companies had costs averaging $8,700.
JP Morgan Chase (JPM) said the attack on its computer servers this summer compromised customer information from about 76 million households and 7 million small businesses. Target (TGT), Michaels Stores and Neiman Marcus have also reported breaches of their computer systems in the past year, as did Home Depot, whose customers include small contracting companies.
Typically, businesses must have a computer expert find the source of the attack and systems have to be purged of harmful software like viruses. When websites are shut down revenue can be lost.
Making matters worse, if customer data was breached, companies often must pay to notify each person or business affected. In some states, they’re encouraged to pay for credit report monitoring for customers, says Matt Donovan, head of technology insurance underwriting for the insurer Hiscox USA.
In almost every state, companies must notify people when information has been breached, says Samuel Cornish, a commercial law attorney with Genova Burns Giantomasi Webster in Newark, New Jersey. Companies can also be liable for damages in lawsuits brought by customers, he says.
Small businesses are particularly vulnerable to attacks because many owners believe they don’t have the time and money to invest in software programs or consulting services to make systems more secure.
Many businesses are ignorant of risks they face or possible solutions, says Jeff Foresman, a consultant with Rook Security, an Indianapolis-based computer security company. They may not realize an attack can happen from a seemingly harmless source. For example, a perfectly normal-looking email from a friend’s computer that was attacked without the owner’s knowledge could lead to trouble.
“They don’t know what they don’t know. They don’t understand the sophistication of these attacks,” Foresman says.
Berkeley Varitronic Systems’ bank account was hacked earlier this year and $50,000 was taken, CEO Scott Schober says. He got the money back, but considers the incident a lesson. He had already invested $50,000 in security for his own systems and plans to add another $20,000.
Schober believes his Metuchen, New Jersey-based company was attacked via its bank because its business is computer security.
“We are a target. Thieves like to send that message,” he says.
No system is hacker-proof, but there are steps, some of them inexpensive, businesses can take to shore up defenses and mitigate damage from attacks that get through:
• Hire computer security consultants to evaluate computers and websites and suggest ways to protect them.
• Buy insurance to cover financial losses. Premiums can be as low as $1,000 a year for $1 million in coverage.
• Install free antivirus and anti-malware software available online. Also add firewalls, which block attempts to access, says Joe Caruso, CEO of Global Digital Forensics, a computer security company based in New York.
• Make sure email is secure by using an email provider that has proper security systems, Caruso says.
• Avoid having customers’ credit card information stolen by using a separate company to process orders. The company should guarantee that its systems are secure.
• Use a service that helps weed out fraudulent credit card transactions, says Jason Opdyke, director of online commerce for Berkeley, California-based BearExtender, which sells Wi-Fi equipment. It uses such a service to try to avoid becoming a victim of attempted fraud.