Target. Neiman Marcus. Nordstrom. Home Depot. When it comes to security breaches, big chains get all the press. It’s no surprise, in the game of numbers. In cyberattacks against multimillion-dollar companies, computer criminals break in and steal personal information from millions of customers. Though there will be big losses and maybe a high-profile resignation, the reality is, these retail giants will live to sell another day. But the stories that won’t make the front pages involve the most frequent targets, whose survival isn’t guaranteed: small businesses.
2003: With Assembly Bill 700, California becomes the first state to require businesses and state agencies to notify residents when their personal information is compromised in a security breach.
Many of these small service firms, neighborhood restaurants and mom-and-pop shops use only basic security that would-be attackers can bypass with little effort. Compared with individuals, these businesses hold larger account balances, which makes them attractive targets. Not only is there more money to steal, but most businesses can move funds electronically, by wire for instance, and once a fraudulent transfer has cleared, recovering the money is virtually impossible.
Some business owners assume they can fly under the radar or that they're immune to attack. But there is no hiding in the digital world: nearly every business is now online, often over wireless networks, and attackers who scan and phish at scale don't care how small a target is. Without up-to-date security measures, small businesses sit squarely in the bulls-eye, as cyberattackers use phishing, malware and other methods to break into vulnerable systems.
“The majority of small businesses used to have the mentality, ‘Hackers aren’t going to target us; they only target big companies,’” says Eric Johnson, chief information officer for River City Bank. “I think they are realizing that hackers actually are more successful breaching small businesses, due to lower levels of security and employees’ lack of information security training. It only takes one employee at a company to click a malicious link in a phishing email and the whole network can be compromised.”
That single click could bankrupt a small business. In a National Small Business Association survey, 44 percent of 845 small-business owners reported being victims of at least one cyberattack last year, at an average cost of about $9,000 per attack. Fraud insurance doesn't cover every account, leaving some businesses on the hook for the full loss. An Experian report finds that 60 percent of small-business owners who experience a security breach fold within six months.
But there are options for support, from insurance companies and IT security firms to brokers that bridge the gaps. As a global insurance broker, Aon helps clients procure insurance and mitigate losses by offering a preselected panel of vendors. Prearranged contracts can help reduce the cost of a claim. Overall, the surge in insurance companies offering these products has driven cybersecurity insurance costs down, according to Alex Michon, senior vice president at Aon.
2011: Attorney General Kamala D. Harris creates the eCrime Unit to identify and prosecute cyber crimes (hacking, theft of intellectual property, identity theft, online fraud and extortion).
2012: Under Senate Bill 24, companies and state agencies must report any breach that involves more than 500 residents to the Attorney General's Office.
“It’s dropping in price every year, especially for small businesses, but it is complicated coverage,” he says. “There are maybe 40 or 50 carriers that all have different policy forms. It’s important to have a really good partner or consultant when you’re buying insurance, or you might get a policy with very little coverage.”
Still, many small-business owners don't think they are at risk or don't know how best to protect themselves. In the NSBA survey, fewer than a quarter reported a "high understanding" of cybersecurity issues and the handling of online security.
“If a large company isn’t able to protect its data, how is a small company going to protect its data with a fraction of the resources?” Michon says. “This is one of those areas where businesses need a lot of help, especially small businesses. You almost want to tell clients to drop their fire insurance and buy cyber security insurance.”
Secure and Protect
Not all security breaches look the same. Most qualify as malicious criminal attacks, but a breach can also result from human error, such as an employee losing a laptop, smartphone or other device holding sensitive data. One of Aon's clients spent $170,000 on an attorney and a PR firm after an encrypted CD containing employee health information was lost in the mail.
Another client compromised customer data due to negligence. A programmer at the company had gotten stuck repairing software and went online for support. But a user from Tehran University in Iran was monitoring the thread, Michon says, and found a way to break into the program and download all the customer’s data. The client maxed out the insurance, got fined and lost the customer.
When a breach occurs, the first things to establish are how the attacker got in and what was exposed. How far did the breach extend? Were records lost? Names? Social Security numbers? Getting those answers and recovering from a breach is neither easy nor cheap. There are crisis-services costs (forensics, notification, credit monitoring and legal counsel) and legal damages (defense and settlement), not to mention the cost of business interruption.
After a breach, an IT services firm may come in to do forensics, looking for malware and verifying that systems are patched and up to date. Another key objective is determining who is at fault, says Tom Schauer, president of TrustCC, an IT auditing firm that performs security assessments for banks and credit unions, including 10 in the Sacramento region.
“Normally, we are on the side of the bank or credit union,” Schauer says. “We are trying to establish that the customer was the biggest factor. Most breaches occur by an attacker finding weaknesses on the customers’ systems.”
2013: In response to Executive Order 13636 from the White House, the state develops the Cyber Security Task Force, headed by Department of Technology Director Carlos Ramos and CalOES Director Mark Ghilarducci.
Ideally, small business owners would find the weak spots in their systems before attackers come snooping. One option is to hire an IT services firm for regular check-ups in the form of penetration testing, in which testers probe a client's network for exploitable weaknesses just as a criminal would. Think of it as a virtual fire drill. In the unannounced variant TrustCC recommends, the firm attempts the break-in at random times, and the IT department, caught off guard, must detect and respond to the "breach" as if it were real. Most penetration tests are scoped and scheduled in advance, and even the surprise kind is designed not to disrupt production, yet Schauer says 30 to 40 percent of his clients choose not to get tested because they are afraid their systems might go down in the process. "We never knock systems offline," Schauer says. "Their concern is unfounded, but they have a concern."
2014: Assembly Member John A. Perez introduces a bill to create the California Cyber Security Commission in the Department of Technology, consisting of 12 members from the state, private sector and an appointed representative of California's critical infrastructure interests. This group would establish cyber attack response strategies and perform risk assessments, among other duties.
Public accounting firm Moss Adams helps minimize external threats by making sure systems are secure and checking for malicious code. But sometimes an attack has nothing to do with bad code or a breached firewall. Sometimes all an attacker needs is a company's email listing online. With that, a cyberattacker can register a look-alike domain or forge a familiar display name, then trick an employee into sending money overseas.
This is business email compromise, a form of social engineering attack. Kevin Villanueva, senior manager and IT consultant at Moss Adams, referred to an ongoing case with a client. A controller received a fake email with instructions to wire a few hundred thousand dollars to an account for a vendor. At a quick glance, the email address looked like it came from an authorized employee, so the controller processed the request and sent the money. Later, he found out the sender was actually a hacker somewhere in Europe. The technical defense is to catch look-alike senders before they reach the inbox; the procedural one is to confirm any new or changed payment instructions out of band, by calling the requester at a number already on file rather than one supplied in the email.
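The look-alike sender check described above, as an added example that is not code from the article or from any firm it quotes. It classifies an inbound From header against a set of trusted domains, catching homoglyph swaps (acrne for acme), one- or two-character typosquats, a trusted name buried in a longer attacker-controlled domain, and a trusted address planted in the display name. The trusted domain, the homoglyph table and the sample headers are all constructed for illustration; a production gateway would also use a public-suffix list rather than the crude registrable-domain logic here.

```python
"""Flag inbound mail whose sender domain merely looks like a trusted one.

Added example: a lookalike-sender heuristic of the kind a mail gateway or a
finance team's inbox rule could run. Everything below (trusted domain,
homoglyph table, sample headers) is constructed for illustration.
"""
import re

# Character swaps attackers use to imitate a domain (constructed, not exhaustive).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"), ("3", "e")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse common look-alike substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_from(from_header: str) -> tuple[str, str]:
    """Split 'Display Name <user@host>' into (display name, host)."""
    m = re.match(r'\s*(?:"?([^"<]*)"?\s*)?<([^>]+)>\s*$', from_header)
    if m:
        display, addr = (m.group(1) or "").strip(), m.group(2).strip()
    else:
        display, addr = "", from_header.strip()
    if "@" not in addr:
        raise ValueError(f"no mailbox in From header: {from_header!r}")
    return display, addr.rsplit("@", 1)[1].lower()


def classify(from_header: str, trusted_domains: set[str]) -> str:
    """Return 'trusted', 'external', or a reason the sender looks spoofed."""
    display, domain = split_from(from_header)
    trusted = {t.lower() for t in trusted_domains}
    if domain in trusted:
        return "trusted"
    for t in trusted:
        brand = t.split(".")[0]  # 'acme' for 'acme.com'
        if f"@{t}" in display.lower():
            # e.g. 'ceo@acme.com <someone@gmail.com>': the real address is in the name.
            return f"display-name spoof of {t}"
        if domain.endswith("." + t):
            return "trusted"  # genuine sub-domain such as mail.acme.com
        if normalize(domain) == normalize(t):
            return f"homoglyph lookalike of {t}"
        if edit_distance(domain, t) <= 2:
            return f"typosquat of {t}"
        if brand in domain:
            # e.g. acme.com.attacker-mail.net or acme-corp.com
            return f"embeds trusted name {brand!r}"
    return "external"


def triage(headers: list[str], trusted_domains: set[str]) -> list[tuple[str, str]]:
    """Classify a batch of From headers; pairs each header with its verdict."""
    return [(h, classify(h, trusted_domains)) for h in headers]


# Constructed sample From headers, as a finance inbox might see them.
SAMPLE_HEADERS = [
    "Jane Doe <jane@acme.com>",
    "Jane Doe <jane@mail.acme.com>",
    "Jane Doe <jane@acrne.com>",
    "Jane Doe <jane@acme.co>",
    "Jane Doe <jane@acme.com.attacker-mail.net>",
    "jane@acme.com <jd88@gmail.com>",
    "Bob Vendor <bob@vendor.example>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS, {"acme.com"}):
        print(f"{verdict:35s} {header}")
```

The brand-substring rule is deliberately aggressive: it will also flag legitimate partners whose names contain the trusted brand, so in practice a verdict other than "trusted" or "external" should route the message to a quarantine or add a visible banner rather than silently drop it, and the out-of-band payment confirmation still applies regardless of what the filter says.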
“For some small business owners, data security is an afterthought,” Villanueva says. “They think that security can come from a box that they can buy at Best Buy. It’s not just about technology, but also people, processes and policies.”
Compared with other industries, banks operate from a unique position: they have to focus intently on their own security while also making sure their clients have the knowledge and tools to protect themselves against computer criminals. Providing that protection usually comes down to a trade-off between security and convenience.
In February, Attorney General Kamala Harris released a guide to help the state’s small- to mid-sized businesses protect against and respond to threats of malware, data breaches and other cyber risks. Key recommendations include:
Last year, 2.5 million Californians were victims of security breaches that revealed their personal information to unauthorized people, according to the state Attorney General.
More dramatic than the number of people victimized is the conclusion that 1.4 million of those people would have been protected if merchants and businesses had taken the simple step of encrypting the data, so that anyone who obtained it without the key would have found it unreadable.