There’s a saying among Delaware security and IT experts regarding two types of companies: the ones that know their data has been breached, and the others that have been breached – but don’t know it.
National headlines offer a steady stream of big-name breaches, from the Ashley Madison scandal to credit bureau Experian, which earlier this month exposed the personal information of 15 million T-Mobile customers.
But 70 percent of global cybercrime is targeted at small and midsize companies, according to Greg Gurev, president of MySherpa, an IT company based in Wilmington. He said most Delaware companies are just beginning to grasp their vulnerability.
“It’s really hitting the mark this year,” said Gurev. “People are finally feeling the need to take responsibility for their own companies. Hackers are going for the “˜low hanging fruit.’ “
In the close confines of this small state, reputation and finances are driving local businesses to make sure they’re stepping up data security measures and operating in compliance with the increasing number of Delaware laws that govern it.
Since 2005, data breaches in Delaware have included at least 107,000 personal records exposed through local companies, according to the nonprofit Identity Theft Resource Center, which aggregates published lists of breaches nationally.
Experts say that number is much higher. More than 155 million records have been exposed nationally in 2015 alone. According to the 2015 data breach study by IBM’s Ponemon Institute, the cost of an average breach is about $217 per lost or stolen record.
Delaware is home to a number of workshops and programs aimed at helping small business professionals get on the front end of data security. Gurev facilitated a panel of industry experts on cyber security event sponsored by the Technology Forum of Delaware in September. The sixth annual Cyber Security Workshop sponsored by the state Department of Technology and Information, the Greater Wilmington Cyber Security Group and the Small Business Development Center (SBDC) welcomed a record business crowd two weeks ago.
“There’s a great need for these kind of resources,” said Elayne Starkey, chief security officer at the Delaware Department of Technology and Information. She said high-profile breaches are fueling an “aha” moment for small business professionals now ready to assess their susceptibility.
“The average cost of a credit card on the black market is about $1,” said Starkey. “The average cost of medical information on the black market is about $10.”
According to an informal poll conducted by the SBDC at the cyber security workshop, more than half the attendees of business-based workshops indicated they considered an external hacker one of their biggest concerns. More than 70 percent reported they had no written IT security policy in place.
Delaware industry insiders say the lack of a data security strategy among business leaders is concerning, particularly when the approach is straightforward.
According to Gurev, most companies should begin with a tech-based audit, a front-end strategy for protection that includes assessing the information you have, identifying gaps in security, both externally and internally, and examining how storage of that data is in compliance with federal guidelines like HPPA, HITECH, PCI and FSMA.
The final piece calls for creation of a security policy plan, a roadmap to risk mitigation.
“Most people simply make sure they have the bare minimum like firewall protection and an antivirus,” said MySherpa’s Jim Sproat, who also was a panelist at the TechForum event. He said companies must assess where their data is at rest and in motion. “They have to do a baseline that asks, “˜Where is your data?’ “
From employees to third-party vendors, Sproat said sometimes the biggest liability is a staff that’s untrained on the basics of in-house protection.
Carl N. “Chuck” Kunz is the co-chair of data privacy and information governance group at Morris James. It’s a relatively new division that went live just this spring thanks in part to a number of new privacy laws signed by Gov. Jack Markell this year.
“We do a lot of corporate litigations and we were staring to get some inquiries along the lines of “˜what are we supposed to do,’ ” said Kunz, whose group advises boards of directors with fiduciary obligations about the intricacies of data breaches and policies.
Central to increasing awareness is House Bill 295, which governs how companies dispose of records containing consumers’ personal identifying information, including their name and social security number, passport number, driver’s license or state identification card number and other data elements not encrypted.
According to the law, the commercial entity must take “reasonable steps” to destroy or arrange for the destruction of each record by “shredding, erasing, or otherwise destroying or modifying the personal identifying information in
those records to make it unreadable or indecipherable.”
“They read about it every day,” said Kunz. “It sets people on edge and with litigation proliferation into this area, people want to know how they can protect themselves.”
Kunz advises that clients should get in front of the issue by becoming familiar with privacy data laws and mitigating their exposure to identity theft which leaves them open to financial loss, reputation damage and lawsuits.
Delaware’s Privacy Related Laws include:
- Company Security Breach Notification Laws
- Safe Destruction of Documents
- Delaware Online Privacy Protection Act
- Student Data Privacy Protection Act
“Until you know what you have, you have no idea when it’s gone,” said Kunz.
Gregg Haslinsky is in the business of destruction. In just under an hour, his transportable shredder can reduce thousands of pounds of metal and plastic hard drives to a pile of indecipherable rubble, crushing any chance for a security breach in the process.
As the owner of Securis, an IT asset auditing, recycling and data-destruction company, Haslinsky operates the only in-state facility approved for e-waste recycling and electronic data destruction.
Haslinsky offers onsite and offsite data destruction capabilities for hard drives, soft drives, thumb drives, floppy discs and others. Each hard drive is scanned as part of an inventory procedure, it’s pulled apart by the shredder and then an itemized report is submitted to the contracting company or organization.
Haslinsky estimates that 50 percent to 60 percent of his business is generated from the pharmaceutical, finance and health-care industries. He said while larger companies are at the forefront of compliance, many smaller companies struggle with the basics. They stack their hard drives in a spare room and distribute laptops indiscriminately – many times without tracking who has what.
“We’ll go pick them up and they’ll say they’re giving us 15 laptops or computers and they hand us 18 or 13,” said Haslinsky. “I’m astonished how lightly that’s taken.”
The Small Business Development Center, in conjunction with the University of Delaware, will launch a program in January called Dat-A-ssured, aimed at local businesses looking to develop a cyber readiness plan. The program will feature training events and student-led risk assessments.
Barbara Necarsulmer, associate state director at SBDC, said the program is designed to get at the heart of the security issues facing small business owners. Program goals include building awareness, managing threats, minimizing impact and developing a certification for those who finish the program.
Ignoring the issue, she said, is not an option.
“What data do you have? How important is it to you? If you’re storing information from employees for customers you have to do something,” Necarsulmer said. “I think increasingly it’s going to become more and more prevalent that if you haven’t done at least the basics you’re going to be held negligent or liable.”
Tech audits look at information storage, security
According IT experts, a technology audit is the first step toward assessing the type of information a company has, and pinpointing its vulnerabilities. According to MySherpa’s Greg Gurev, an inspection will include both an internal and external evaluation.
“¢ Physical inspection/external audit ““ Looks at how information is used and stored; whether confidential information is locked or unlocked; i.e. whether a company has a clean-desk policy for employees when they go home at the end of the day; an examination of security systems to see data being physically secured.
Let’s say a company does accept credit cards,” said Gurev. “Where does that information live? What’s the process when they go to run it?”
“¢ Internal audit ““ Shows what information is on that network that’s classified as private information including all Personally Identifiable Information.
