Like most businesses, self-storage operations aren’t immune to cyberattack. In fact, storage facilities can be prime targets for criminals who use customer information to empty bank accounts, steal identities and commit other fraudulent activities.
If yours is a small operation, or you have multiple sites, you may not be as vigilant as you should about safeguarding your software systems and data, unwittingly putting your business and customers at risk. The good news is you can help mitigate your vulnerabilities by staying educated on the latest scams, understanding how your operation can fall victim to cybercrime and applying risk-management best practices. Let’s look at the top threats you face, the cost of damage and recovery, how to respond if you’re breached, and the best ways to avoid becoming a target.
Top Five Cybersecurity Threats
In general, small businesses tend to be vulnerable to data breach for a couple of key reasons. First, they don’t believe they’re at risk. Second, they often lack the time, resources and technological know-how to implement safeguards. To make matters worse, it can take longer in a small operation to detect a breach once it occurs.
To protect yourself, you must first understand your enemy. Here are the five mostly likely cyberthreats you face as a self-storage operator:
1. Password attack. Often, an automated system is used to test multiple password combinations in an effort to gain entry to a network. A hacker can then access customer information and confidential payment data.
2. Malware. Short for “malicious software,” this infects a computer to disable a system, prevent user access, or steal sensitive or valuable data. It’s typically hidden in an email attachment, link, popup or Web page. The unsuspecting user downloads an attachment or clicks on a dangerous link, installing the harmful program.
3. Phishing attack. This is when someone masquerades as a trustworthy source in an attempt to bait a user and get him to surrender sensitive information, such as a username, password or credit card number. Think of it as robber convincing someone to let him into the house by simply knocking on the door and asking to come in! The three most common types of phishing attacks on small businesses are:
- Deceptive phishing: A user receives an email that claims to come from a recognized source, asking him to re-enter sensitive information or make a payment.
- Spear phishing: A user receives an email that looks legitimate and may contain information, such as a name, position, company or work phone number, designed to trick him into believing the sender is authentic.
- Pharming: A user is sent to a fraudulent website that looks legitimate. Most commonly, this is done by redirecting a URL to a fake website, though some pharming attacks involve clicking a link.
4. Ransomware. This is a malicious software designed to block a user’s access to his own computer system or files unless he pays a certain amount of money within a set time frame. Once stolen files are encrypted, there’s no technical way to fix the system other than wiping it clean and restoring it with backup data.
5. Man-in-the-middle attack (MITM). In this approach, also known as an “eavesdropping attack,” a hacker secretly puts himself between a user and a Web service he’s trying to access, allowing the criminal to filter and steal personal data. The MITM attack can originate from an email, social media or simply browsing the Internet.
What Cybercrime Costs You
If a self-storage operation falls victim to data breach, the cost to resolve and recover from the event can be staggering. According to the Ponemon Institute, a research center dedicated to privacy, data-protection and information-security policy, the average price for a small business to clean up after a breach is approximately $690,000—and that figure doesn’t consider the loss of revenue. Some of the more direct costs associated with a breach include:
- Notifying customers that a breach has occurred
- Hiring a third-party consultant to manage recovery efforts
- Communicating with data-protection regulators and other related parties
- Conducting a forensic investigation to determine the source and extent of the breach
- Paying fines and penalties imposed by the Payment Card Industry Security Standards Council, payment-card associations and the facility’s own financial institution
- Ongoing credit-report monitoring and identity-theft repair for affected parties
- In some cases, reissuing credit and debit cards to customers whose personal data was compromised
- Upgrading or replacing compromised computer systems, payment software and hardware, and servers
- Implementing additional security-monitoring services to ensure ongoing compliance with the Payment Card Industry Data Security Standard (PCI DSS)
Perhaps the biggest long-term consequence of a data breach is the loss of customer trust. In a competitive market, businesses must work tirelessly to build and maintain their brand integrity. Unfortunately, a single compromising incident can harm even the best of reputations, making it difficult for a self-storage operator to fully recover.
Consumers today are willing to share their sensitive information with businesses because they assume proper security measures are in place to protect them. When renting storage space, they trust you’ll keep their personal data and payment information safe and secure.
Operator Response
Once a data breach has been discovered, there are three steps you should take to help minimize the damage. It all starts with containment. Do the following as soon as you know you’ve been compromised:
- Disconnect the Internet.
- Disable remote access.
- Maintain firewall settings.
- Change passwords.
- Contact your cyber-insurance carrier.
Next, you need to assess the damage. Use the security data logs provided by your antivirus program, firewall and email provider to identify the source of the breach, the servers infected, and the network connection active during the attack. It’s also critical to determine who may have been impacted by the breach (employees, customers, vendors) and what information was accessed, such as names, addresses, emails, passwords, birthdays, credit card numbers and payment-account numbers.
Finally, you must manage the aftermath. Involve your cyber-insurance carrier and legal counsel to ensure that any notifications and follow-up actions are conducted in accordance with relevant statutes and in a manner that doesn’t create additional liability. Employees and staff should be given clear instructions on how to conduct operations and communicate with customers while recovery activities are underway.
When notifying customers, it’s important to be transparent and provide all relevant information. You may wish to set up a dedicated phone number or email address to ensure tenants can communicate with your business quickly and directly.
General Best Practices
The best medicine is prevention. You need cybersecurity best practices to ward off virtual threats. In fact, the best approach is a multi-layered protection strategy that includes the following:
- Establish a password-security and -management policy. Train employees how to create strong passwords that use a combination of numbers, letters and symbols. Require that passwords be changed at regular intervals (monthly, quarterly, etc.).
- Use a Web-based PCI-compliant software system and keep it updated. A Web-based facility-management system is a superior method of safeguarding data vs. storing information on a local platform where it’s an easier target for hackers.
- Protect your facility's wireless network. Change the default name and password of the router, disabling remote management, and log out of the administrator role once setup is complete.
- Maintain system integrity. Prohibit the connection of personal or untrusted storage devices or hardware to computers, mobile devices or networks. This includes USB drives and external hard drives.
- Back up and encrypt data in the cloud. This will allow you to automatically and safely store system data independent of your facility-management software.
- Implement multi-factor authentication. This might include using a rotating PIN in addition to a password to verify a user’s identity when accessing your company’s email or network. This provides an additional level of protection even if a user’s password has been compromised.
- Control access to your facility’s network. Establish procedures that limit employee access to only what’s needed to perform a job. Create a process to immediately revoke user access and change passwords when an employee exits the company.
- Establish a recovery plan. After a cybersecurity incident, it’s important to begin your efforts as soon as possible to resume normal business operation. A plan helps map and expedite the process to restore and resume services more quickly.
- Purchase cyber insurance. This is a critical component to cybersecurity management. It covers first- and third-party costs as well as business-interruption expenses if a breach forces a business to shut down. Specific coverages include notification expense, crisis management, regulatory investigation expense, data-breach liability, content liability, data loss and system damage (data restoration), data extortion, and business interruption.
Be Prepared
A cyberattack can have a serious negative impact on a self-storage operation. Staying informed on key issues and regulatory changes is important to understanding potential risks and any business obligations. Implementing best practices and safeguards can make it much easier to prevent and detect a security issue and help facilitate a speedy recovery.
Michael Attanasio is vice president of professional liability for Phoenix-based MiniCo Insurance Agency, a provider of specialty insurance products and publications for the self-storage industry since 1974. He manages the company’s cyber-insurance program. For more information, call 800.528.1056; email [email protected].