If the lack of news is a benchmark, Seattle-area companies appear to have skirted through the holiday season without having their customer records hacked. But did they? Only the big breaches grab the headlines. Danger, though, lurks just below the surface.
About three of every four reported breaches in 2014 weren’t at a retailer at all, according to the Identity Theft Resource Center. The San Diego nonprofit found that 42 percent were at health care and other medical offices.
Local victims included the Franciscan Medical Group – Catholic Health Initiatives, the Seattle King County Department of Public Health and even a small chiropractic clinic.
Government and education are also drawing the attention of hackers. Overall, data breaches grew by more than 25 percent last year, with most of the growth coming at the smaller end.
Hackers and others have also turned their sights on small- and mid-sized businesses with fewer than 250 employees, according to security solutions provider Symantec. Hackers have found that smaller businesses are soft targets and often gateways to far larger companies.
That’s what happened at Target a year ago. Hackers first broke into the servers of a 125-employee HVAC company that had done some work on a few Target stores. While plundering the HVAC company’s computers, the hackers found network credentials that gave them access to Target servers.
Once inside the Target network, hackers were able to plant malware at check-out stations across the country. Over the next three weeks, the bad guys were able to siphon off a wealth of data on 70 million Target customers.
While Target pondered what to do, a respected blogger broke the story and Target lost control. Customers expect more from a trusted brand.
The year since has been an awful one for Target. It should serve as a warning to the broader business community. The trust that it had built in the Target brand crumbled. Middle- and upper-income shoppers that had become the chain’s sweet spot fled.
Sales tumbled. Target shares took a beating. The handling of the crisis forced the CEO out in just a few months.
Perhaps the biggest lesson learned from the Target breach was how important it is to be prepared.
The Ponemon Institute, the world’s top authority on privacy and data protection, says there is a 20 percent chance that a U.S. company will have a data breach of at least 10,000 records at some point in the next two years. It also predicts that 43 percent of all U.S. companies will have some kind of breach.
Data breaches are costly. The average per-customer tally in the U.S. last year was about $200. A breach of just 10,000 records zapped the typical company for more than $2 million in hard costs. Hundreds of Seattle-area companies have at least 10,000 customer records, even if it is just credit and debit card info. Medical offices might have even more sensitive information ripe for the taking.
The bigger cost comes when they lose customers who no longer trust them. Fewer customers usually lead to layoffs. Just ask Target. Lost sales have run to hundreds of millions of dollars. The drop in revenue forced the chain to cut hundreds of jobs, including nearly 500 at its home offices.
Companies must have a plan in place in case of a data breach. Only then, when the day comes that a breach is real, will customers see and hear a company worthy of their continued support.
This article originally appeared in the Puget Sound Business Journal on December 26, 2014.