It was a cold February day in Minnesota, the kind that hurts exposed skin. Stopping my car at the mailbox, I grabbed a bundle of letters and catalogs. As I browsed through the mail, I noticed a check from the IRS and got an instant sick feeling to my stomach.
This wasn't my tax refund because I hadn't filed my taxes yet. I knew instantly what had happened - I'd been the victim of a data breach.
Steeling myself, I ran through the remaining pile of envelopes and found one from my accounting firm confirming that my information had been stolen. Sadly, this isn't uncommon, and we now take it for granted when we get a letter informing us that we've been the victim of a breach. I've lost count of how many times it has happened to me.
While the national news talks about large credit card companies and retail firms being the target of cybercrime, small businesses often remain blissfully unaware that they will be or already have been the target of hackers. Many law firms and accounting firms fall into this category and hold critical data that will enable criminals to easily commit tax fraud or identity theft.
While there are more than 28 million small businesses in the US, representing a vast target for these hackers, most don't have a permanent IT team or anyone on staff with security knowledge. These businesses represent low-hanging fruit for attackers interested in making a quick buck and are usually much easier to penetrate than a large national firm with a permanent security team.
Without an IT staff and security expertise, it's no surprise that these companies don't often detect a breach right away and such an event can have a massive financial impact. Indeed, as I helped the accounting firm review what happened, I discovered they had no antivirus software on their server, a rudimentary firewall, and (to their credit) month-old backups of their server where tax records are warehoused. They estimated the cost to their business was in the order of $70,000 at the time that I consulted, primarily in lost customers and hours helping their clients report the fraudulent filings.
In the end, I pointed them to a local security partner who had a staff of knowledgeable engineers and a well-rounded product suite to help them move forward and recover from this.
Those with enterprise software sales backgrounds are familiar with the large national resellers and security partners that deliver product expertise and services around the complex myriad of software needed to secure networks from their perimeters down to their core mainframes. They have a team of certified engineers who specialize in every manner of security product. But we often forget the little guys, the ‘1-20 employees’ shops that tackle all the SMB problems.
When small accounting firms, law firms, medical practices, and other businesses that hold critical data need security help, they turn to local experts willing to solve a strange variety of problems on a budget. These small security firms go blind into environments they've never seen before, encounter obsolete and custom technologies and strange dataflow configurations put together by one of the partner's nephews, and have to map what happened and how to prevent it from happening again.
Instead of being specialists on a single element of security technology, their engineers have to learn the entire stack. They review the device logs, hunt the malware, pen test the network, and educate the users, often without charging at all for their services. And while big security firm consultants are testifying before Congress on government breaches and their teams are spending six months reviewing logs from 10,000 servers, these local heroes are in the trenches every day protecting our personal data.
Ultimately, the service they provide is barely visible - but absolutely indispensable. Without them, we'd all be dealing with a lot more identity theft. So while we sing praise every day for the robust security community, we should take a moment to thank our local security partners and the community of engineers and white hat hackers who are protecting us every day without our knowledge.