If you're a business, there's a target on your back, or your data to be more precise. Cyber criminals have developed a lucrative, black market enterprise that will rival some major companies when it comes to valuing information that's been hacked from legitimate sources.

Hardly a week goes by without a release about a high-profile cyber attack against a company. At a presentation entitled, "Hacked: The Realities of a Cyber Event" hosted by Travelers in Washington, D.C., recently, a panel of experts discussed the impact of cyber crime on small to medium-sized businesses. "One in two companies report being the target of a cyber attack," stated Tim Francis, enterprise leader for cyber insurance for Travelers. "Sixty percent of attacks last year struck small to medium-sized businesses." He said there are 34,529 known computer incidents each day and the goal for the bad guys is to "make money as easily as possible."

All of the information stolen has value on the Dark Web, where names, social security numbers, credit cards and other data are available for sale. Credit cards can be purchased for $10 to $35 per name. Social security numbers are worth significantly more because they can allow users to open bank accounts, credit cards, rent apartments and basically create a new identity.

Purveyors of information on the Dark Web are extremely sophisticated, even providing credit card return policies if the cards purchased don't work, and customer service to help criminals use their stolen information effectively, said Francis. "You can purchase specialized information, like credit card numbers for 30-35-year-olds who live in lower Manhattan," he added.

Just last week, T-Mobile announced that approximately 15 million customers who had applied for credit with the mobile carrier had their information stolen by hackers who accessed a database run by credit monitoring firm, Experian Plc. Hackers accessed names, addresses and social security numbers.

Commenting on the breach, Francis said, "Cyber threats are increasing, but businesses can take action. Hackers have evolved and are now more sophisticated than ever."

He said that the industry is seeing more state-affiliated hackers coming out of countries like China, North Korea and Russia. And some hackers attack companies because they don't agree with their ideology or what their business does, as in the case with Ashley Madison. "An industry or outspoken CEO can cause a company to become a target," Francis explained.

Data breaches still cause the largest losses for companies, and frequently the breach is due to vulnerabilities from within the company such as an employee who works from home and has his or her computer hacked, or somehow loses a computer with unencrypted information.

Small businesses are particularly vulnerable because they may not have the resources to prevent an attack or they may believe they would never be a target. Chris Hauser, second vice president with Travelers Investigative Services, said that small businesses also may not vet their new employees as carefully as larger companies with more resources and may hire the wrong person such as an employee who skims credit cards.

Hauser said, "Sometimes employees don't act maliciously, but they may do something wrong unknowingly." He gave an example involving social engineering, a sophisticated attack where the hacker poses as a company executive who sends an employee what looks like a legitimate email instructing the employee to transfer money from one account to another. The reality is that the wire transfer goes into the hacker's offshore account and the money will never be recovered.

In another scenario, an employee may click on a link that puts a Trojan program on the server that allows hackers to gain access to the company's database. Other hacks may allow someone to access a company's social media credentials so they can take over the firm's social media sites and post information that will harm the business in some manner.

John Mullen, an attorney with Lewis, Brisbois, Bisgaard and Smith LLP, said that many companies post the wrong information on social media or they outsource data to a vendor who doesn't protect the information being shared. It's still an issue for the company that outsourced the data management because they are responsible for the information.

When companies reach out to his firm, Mullen said the priority is to get a sense of what transpired. He asks questions such as:

  • Was customer information hacked?
  • Were employee records impacted?
  • When was the last time the company purged the data?
  • Did they get into your payment processes and access credit cards?
  • How far back do the records go?

He doesn't expect the company to have all of the answers, but since there are deadlines for federal regulators, understanding what kind of information is in play is critical. "We need to deal with provable facts, bring in a forensic company, develop a scope of work and come up with a plan of attack," he explained. "We need to know how many records were touched, what burned and what didn't burn."

Managing the message

Once the scope of the breach has been identified, the company must develop a plan to share that information with customers, regulators if they are publicly held, the media and the public in general. How the details of the breach are explained and the information conveyed to all of these constituents is vital in repairing the damage to the company's reputation.

Melanie Dougherty, CEO and managing director at public relations firm, Inform, said, "The natural response is to shut the door to the media, but many times you are obliged to respond for legal or regulatory reasons."

Since many breaches stem from human error, companies need to be prepared for this eventuality and work on messages that will help them recapture their customers and their reputations. "It's not the breach, it's the perception of a cover-up that can cost a company," she added.

"For a small company, a data breach can force them to shut their doors forever," said Francis. He shared that one Travelers customer spent around $300,000 to find out they didn't have a breach, but it was still important information for the company to have and it allowed them to see how their processes would work in the event of an actual breach.

Francis identified four common weak spots for companies:

  • Intrusion detection software – this raises a red flag when a system has been breached. Francis said it's important to have someone in the company monitor this and respond immediately when a breach is detected.
  • Encryption of private data – encrypting data can turn a lost laptop into a paperweight, although a sticky note with the password on the computer can undo an expensive encryption program.
  • Patch management – companies have to apply patches to fix vulnerabilities in programs and keep software up to date.
  • Vendor mismanagement – vendors have to be trustworthy and protect the information they are entrusted with for a company.

All companies are vulnerable, regardless of their size, and insurers are now tailoring policies to meet the needs of all businesses. "Less than 20% of companies have cyber insurance now," said Francis.

With the reality becoming more of a "when" scenario as opposed to an "if" possibility, companies will need to be proactive in managing this emerging risk. "Once a data breach happens, the biggest problem is that no one knows who to call," added Francis. "It's important for businesses to create clear action plans to help manage the data breach."

© 2024 ALM Global, LLC, All Rights Reserved.