High Profile Breaches Create a Misguided Belief That SMBs are Immune from Attacks Because They Are Small Fish in a Big Ocean.
Is there anything more financially fragile than a small business in the U.S. today? As we climb out of the Great Recession, many of the surviving small businesses were forced to cut corners, often making compromises on the IT side. Combine this with an unprecedented rise in cyber crime that took the 2011 U.S. cost of security breaches to $32 billion, and one can easily predict the future security troubles of many small businesses.
As legal, and sometimes operational and financial, advisors to small businesses, law offices should be more aware than ever of the security risks to small business clients, understand how to mitigate these risks, and lend support when a security breach occurs.
While I can’t cover IT security in its entirety here, I’ll touch on three areas, each of which should give you an idea of security troubles ahead and what you might be doing to anticipate these troubles:
1. Professional and financial liabilities
2. Reasonable contractual expectations
3. Responses after a breach
Professional and Financial Liabilities
Without hesitation, I can say that the vast majority of small businesses not only have inadequate security protections in place, but are oblivious to the fact they are security risks. Even worse, recent headlined security breaches of high-profile companies seem to engender only a misguided belief that they are immune from security attacks because they are small fish in a huge ocean.
The truth is, not only are small businesses not immune from attack, they are prime targets because of their lack of security. Consider the monetary value of even small, undetected breaches – unlimited time to exploit compromised data and the opportunity to revisit the sources months and years into the future.
When considering security liabilities, I like to separate small businesses into two categories. The first would be those businesses that collect and save protected data (i.e., medical, identity) within their own environments. The web sites that support these businesses tend to be custom built by design or development companies that have little or no experience in creating secure web sites, and almost never have the capabilities of testing new sites for security vulnerabilities. These companies potentially are open to huge fines when their data is compromised.
The second, and larger, category is small businesses with e-commerce components. These businesses usually, and wisely, use well-established (and secure) external web services to handle credit card and other payment transactions. Unfortunately, this approach is successful only when the business’ basic web site is secure. The point almost always missed is that a hacker does not always breach a web site for its underlying data. For example, a hacked site may be modified in subtle ways to take an unsuspecting consumer to a fraudulent e-commerce service that will happily collect and exploit the consumer’s credit card as soon as it is entered. Or, one of my favorite security flaws, Cross Site Scripting (XSS), might allow a hacker to take over a legitimate user’s browser – effectively compromising that user’s e-commerce transactions or invading the user’s entire computer.
In either case, a small business may be financially and legally liable for the fraud and illegitimate use of information from its security breaches. Perhaps just as importantly, the loss of reputation and consumer confidence alone might be enough to ruin any small business.
A proactive law firm might be in a unique position to address potential security issues and breach consequences with their clients. This should be part of the support of any client.
Reasonable Contractual Expectations
One of my best contractual stories revolves around a conversation with the president of a local web site design firm – a good friend and one who feels comfortable with being candid with me. During one of his development projects, I offered to do a free security evaluation of the soon-to-be-released web application. His rejection of my offer came with the rationale that if the web application was ever compromised, he wanted to be able to honestly tell the client that, to the best of his knowledge, the delivered web site was secure.
I haven’t the faintest idea of the legality of my friend’s hope for plausible deniability, but it should be obvious that two very poor consequences come out of his approach to security. The first is that his client will end up with an unsecure web site, when they could just as easily have had a product that would have withstood all but the most experienced and persistent hackers.
The second eye-opening realization is that the client never asked about security, and the development contract never addressed security. In this case, the client (and potentially the law firm that reviewed the contract) never included security development and testing as one of the primary requirements of the relationship. A single section added to the development contract might have the effect of preventing a devastating security breach.
A favorite statement of mine goes as follows:
Businesses end up with a lack of security because they never, ever ask about it.
Almost all web site development contracts include obvious legal details like payment schedules, software ownership and product specifications. These terms protect the interest of the business as well as the development firm – standard boilerplate.
A well-written contract should also include a requirement that the contracted web site be developed under strict security guidelines (consider OWASP as a source of information) and that a comprehensive third-party security penetration test be run and presented before product acceptance.
The additional cost for security-oriented development should be minimal, since a knowledgeable development firm should be adhering to these practices regardless of a request. The third-party security penetration test can be contracted for with one of many firms and should cost only a few thousand dollars.
Again, the role of a law firm in this environment should certainly be the crafting and approval of the basic development contract, but also making sure security validation is a well-defined requirement of the overall agreement.
How to Respond After a Breach
When a security breach does occur, businesses (and their counsel) need to be ready to react thoroughly and decisively. A few of my suggestions for the days, weeks and months following a breach are:
• Don’t panic. Carefully consider the nature of the breach, what data (if any) has been compromised and what the business’ next steps should be. A premature release of breach information may cause unnecessary customer panic or, even worse, make management look even more inept when they revise information sent out too hastily. Advise them to take the time to respond with dignity and thoughtfulness.
• If required, inform the appropriate financial and legal entities as soon as possible. Depending on the industry, there may be strict requirements for reporting security breaches. Your client’s problem will only get worse if they are caught hiding information. Keep in mind that many security breaches become public knowledge as the compromised data is used or sold within the cyber underground, not as a result of company disclosure. As a side note, an embarrassingly large number of security breaches are never discovered by the company that was breached.
• Inform users or clients and customers as soon as appropriate. There is a line between keeping a company viable and an ethical responsibility to customers. My thoughts on this line are to consider the damage that might be done to customers and think about how you would expect to be treated.
• Call the insurance company. Depending of the nature of the breach, the business may be covered for some, if not all, of the expenses associated with recovery. Suggest that the business give their insurance company a call. They might also take the time to talk about cyber insurance with their agent – for the next time.
As a legal professional, you should easily be able to see the pitfalls inherent in panic-stricken businesses reacting to security breaches. Legal, financial and professional stakes surrounding a security breach may be high enough to shut down the business. The correct reaction may be well outside of the expertise of the business, or, even worse, the business may naively attempt to react on their own.
Conclusion
Hopefully, I have provided food for thought on the security opportunities and responsibilities of law firms supporting small businesses. Obviously, I’ve brought up far more issues and concerns than solutions. My hope is that even a casual discussion of security problems will prepare you with far more knowledge that the majority of your clients.
It’s a mean world out there; cyber crime is an industry run by foreign nationals from countries where cyber criminals are not prosecuted. An industry-accepted statistic is that more than 70% of all Internet web sites contain critical security vulnerabilities. Many of your clients undoubtedly are on the wrong side of this depressing number.
One final note to add one more level of additional worry: Web application security awareness has only recently entered mainstream web site development. If your client’s web site is more than 4 years old, not only is it certainly open to a critical security attack, but it is probably a target for even the most amateurish hackers: script kiddies, young kids who hack web sites because doing so is more fun than playing a predictable Xbox game.
