Prominent data breaches at Target, Neiman Marcus, Michaels and other retailers have exposed just how ill-equipped major retailers often are to detect and fend off cyber criminals. And they raise a scary question: If Target can be a victim, what about that mom-and-pop store around the corner?
To help smaller businesses deal with security issues, the office of California Attorney General Kamala Harris released guidelines Thursday outlining steps that these firms can take to better prepare themselves against data breaches.
Small businesses may not yield as much information in a data breach, but they are often more vulnerable to attack because they don’t have the time or money to invest in the tightest security. After all, how many local wine shops do you know with a chief security officer?
“There are a lot of businesses that are worried about payroll and taxes and health care; they don’t have millions, or even thousands, to spend on security,” said Kevin Mahaffey, co-founder of Lookout, a San Francisco mobile security firm. Lookout worked with Harris’s office and the California Chamber of Commerce on the guidelines.
Smaller firms are also often attacked in an attempt to get to bigger firms. The Target attack started when hackers broke into a smaller contractor that services the heating and air-conditioning systems at the retailer. Data breaches can spread like contagions, Mahaffey said, and hackers know that small businesses are easy targets.
“We identified these steps to help provide businesses with material, make it simple and let them understand what they can do to really reduce their risk,” Mahaffey said.
The guidelines suggest that businesses take very basic measures such as encrypting their data and banking securely. But the guidelines also point to less tangible cultural changes that businesses should make, such as making security a boardroom discussion rather than the walled-off responsibility of one person or department and keeping employees educated about emerging threats.
The guide also recommends that businesses understand what data they hold, who has access to it, and what part of it needs to be most secure.
Above all, the tips highlight that vigilance is key.
“Just as it has become second nature for most of us to lock our front doors when we leave the house, assume you are a potential target and take basic precautions to protect yourself and your company,” the guide says.
The suggestions are not binding, but are designed to be a plain-language guide — much like the privacy recommendations for mobile developers that Harris’s office published last year.
Harris has put a strong focus on technology policy — understandable, given her state’s importance to the industry — with an emphasis on consumer protection. The Golden State was the first in the union to require companies to tell the state attorney general about breaches that affect more than 500 customers. Its law has since become a template of sorts for the 45 other states (plus the District of Columbia, Guam, Puerto Rico and the Virgin Islands) that have implemented their own versions of breach notification laws across the country.