With each passing mega-breach, from Target to Home Depot, JPMorgan Chase and Anthem, small-business owners on Long Island grow more concerned about their cybersecurity.
"A data breach is one of the biggest risks businesses have today," said Linda Armyn, senior vice president of corporate affairs at Bethpage Federal Credit Union. "You don't want to be planning your crisis while it is happening. You want to have a plan for a rainy day."
Armyn spoke Wednesday as part of a panel discussion on how to survive a data breach. The event was hosted by the Long Island Association business group at its headquarters in Melville.
In 2012, Bethpage disclosed that a computer error by an employee caused some of the personal information of nearly 86,000 members to be viewable on the Internet for a month. The data included names, addresses, dates of birth, Visa card numbers and expiration dates, and members' savings and checking account numbers. Bethpage lost fewer than five accounts as a result of the breach, Armyn said. Less than 10 percent of customers signed up for free credit monitoring that the credit union offered as a precaution.
Still, "it cost us almost $2 million," Armyn said. "We were completely transparent and used the media as a way to get notification out because we knew snail mail was going to take a while."
According to a recent study from the National Small Business Association, more than nine out of 10 small-business owners cited cybersecurity as a concern and half of them report they have been the victims of a cyber-attack. The average cost of dealing with cyber-attacks increased to $20,752 per attack in 2014, up from $8,699 in 2013, the association found.
To prepare for a potential breach, business owners should assign roles and responsibilities ahead of time, said panelist Katherine Heaviside, president of Huntington-based Epoch 5 Public Relations. Once a breach occurs, businesses need to assess the damage before publicly releasing information, she said. They must identify stakeholders like customers, employees and elected officials, reassure them that safety has been restored, provide phone answering services and provide free credit monitoring services to clients.
"When you are first hacked, you are a victim," Heaviside said. "When you don't do the right thing, you become the villain."
Data breaches can be caused by hacking due to employee negligence while surfing the Web, said panelist Kevin Edwards, director of compliance and IT security for Flexible Systems in Hauppauge. Businesses should have firewalls to filter office Web traffic, he said, and should secure data on laptops and mobile devices with encryption.
Companies also should limit access to data within the organization, because the vast majority of breaches are caused by rogue employees, not outsiders, said panelist Douglas Nadjari, partner at Uniondale law firm Ruskin Moscou Faltischek.
"Most breaches are . . . internal threats; we're not talking about the Russians," Nadjari said. "It is a disgruntled employee or an entrepreneurial employee, somebody who wants to take your data, your client list, your proprietary information and they want to use it for themselves."