Small-business owners: Can you afford any data breach?

There is little doubt we’ll be talking about this year’s email hacks for some time to come: Hillary Clinton’s astounding loss in the presidential election, the often embarrassing revelations of another former U.S. secretary of state and the resignations of top officers of the Democratic National Committee during the national convention are now all part of the national consciousness.

In the case of former secretary of state Colin Powell, who sits of the board of, the email breach may have cost that company some significant coin, as it revealed that company’s acquisition targets. For the most part, the breaches brought about great loss of reputation and trust — certainly currency for political candidates and staffers.

But a similar loss in reputation and trust is also real currency for American business people, which may be a significant part of the reason why 60 percent of small companies shut their doors within six months of a cyber attack, according to the U.S National Cyber Security Alliance. Even worse news for the small-business owner, their shops are hit by as many as 81 percent of all cyber attacks.

But these costs can also be measured in dollars and cents. According to the recently released, “2016 Cost of Data Breach Study,” by the IBM-funded Ponemon Institute, the average cost of a data breach is $4 million, or a figure more suitable for small-business owners, about $158 per record.

Email hacks may not sound as if they would be incredibly damaging as other data breaches, but they are significant attack venues into larger reservoirs of data. The email hacks that have gained much of our national attention this year are also not particularly difficult, either.

Typically, many of us use accounts that are secured only by our email account user name and a password, which can present an open invitation to hackers. Once a hacker knows the user name, tools are available in the hacker world that can enact a brute-force attack revealing a password in less than 15 minutes.

One of the most common brute-force attacks is to use a “dictionary” of common passwords, which is a good reason to make sure employees make reasonable selections. However, a brute-force attack can also simply march through the alphabet, numbers and symbols sequentially trying every combination.

More-advanced email administration can reduce the exposure by using “salted” user names and passwords for identification, obscuring credentials with additional information. This method exponentially increases the difficulty of using a brute-force attack, with an average attack now needing weeks — during which time, hopefully, the attack can be identified.

There are many other recommended steps for avoiding common email hacks, such as not opening suspicious emails and definitely not clicking on suspicious links, which are referred to as “phishing attacks;” keeping anti-malware programs updated; and using firewalls, as well as other standard and easily-adopted company tactics. The Cyber Security Alliance keeps an updated list of how to further lock down email accounts and other login services, from online banking to social media.

But these cyber attacks grow more refined every day. For example, the phishing attack on Clinton campaign manager John Podesta had been shown to his IT people, who told him to go ahead and change his password on the site. These refined attacks are known as “spear-phishing” attacks, because they are directed at specific people, such as corporate managers and HR personnel.

In many instances, these people essentially hold the key to all the data behind the firewall, which can often be accessed by a user name and password. Often, the hackers gain enough information through the emails to easily hack their way into data-storage vaults, through finding employees’ often-used passwords, or worse, finding an email in which the password in transmitted in plain text.

The inherent difficulty of stopping email attacks is compounded by the fact that all of us use it so regularly that complacency can almost be counted on. However, the way in which we lock up our data vaults may allow us to better protect our most valuable, and potentially damaging, information deserves a greater degree of examination.

Scott Hoot is the founder of the startup ZFyre. He can be reached at or 970-231-8755.