Is Your Business In Denial About Cyber Security?
If you think your business is too small or doesn’t have worthwhile data to steal -- think again.
Hackers believe that the IT systems for small and medium-sized businesses are more likely to have weaker security than larger organizations. Business owners who suffered a data breach often ask me, “Why me? Why did the hacker choose my business?”
People think hackers pick each business they hack. That’s simply not true. More than 90% of hacked businesses are victims because hackers came upon a vulnerability that made it easy for them to bust in. For most victims it’s random.
Picture a thief examining a neighborhood for a house to rob. More than likely, he’s looking for an opportunity and not conducting research on the people who live in each home. Rather, he’s looking for someone careless who leaves a door or window open. Perhaps he examines the car in the driveway to see if the keys are in the ignition. Whatever the thief steals, he’ll likely have an opportunity to sell it. The same goes for hackers. Consider this:
Almost half of Small Businesses report that a cyber breach would cost them $100,000 or more if all their data was lost, stolen or clients left them due to data loss.
An astonishing 60% of Small Businesses hit with cyber attacks never recover and ultimately close down.
It’s almost certain that a hacker – at one point or another – will examine your business for vulnerabilities to exploit. It’s not a question of if, it’s when. What continues to surprise me is how so many businesses think they’re “cyber-fit” because they have a firewall, use strong passwords or simply because they never fell victim to an attack.
COVID-19 introduced a whole new paradigm to cyber security because not only do businesses need to worry about security at their place of business, but they now need to worry about the cyber security of their employees’ homes.
Another question I often get is, “What is the biggest cyber threat to small and medium-sized businesses right now?”
Without question, wire transfer fraud and ransomware are the most critical threats facing small and medium-sized businesses today. Wire transfer fraud occurs when attackers compromise an organization’s email system and start looking for finance and payment-related employees. Once they’re in, they may wait and watch for months, just to learn the people, the roles, even the slang people use to carry out their jobs.
At just the right moment they insert a fake email making it seem like there was a transcription error or an account update, allowing them to divert money before anyone notices it’s gone.
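The fake-email step described above is what a finance team's mail triage has to catch. The script below is an added example, not code from the article or its author: it scores inbound messages on three defender-side signals that wire transfer fraud tends to show (a sender domain that is a one- or two-character lookalike of the company's own domain, a Reply-To that points somewhere other than the From domain, and payment-change language in the text) and holds anything over a threshold for verification by phone before an account is changed. The company domain, threshold, regex phrases and the two sample messages are all constructed for the example.

```python
"""Triage of inbound payment-change requests (added example, not from the article).

Wire transfer fraud usually arrives as an ordinary-looking email from a lookalike
domain or with a hijacked Reply-To, asking finance staff to redirect a payment.
This script scores messages on three defender-side signals and flags those that
should be verified out of band before any account change is made.
All addresses, domains and message texts below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Constructed placeholder for the organisation's own mail domain.
COMPANY_DOMAIN = "example-firm.com"
FLAG_THRESHOLD = 2  # score at which a message is held for out-of-band verification

# Phrases typical of payment-redirection requests (constructed list).
PAYMENT_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"\b(updated?|new|changed?) (bank|account|wire|routing) (details|information|number)\b",
        r"\btranscription error\b",
        r"\b(wire|remit|send) (the )?(payment|funds|transfer)\b",
    )
]


@dataclass
class Message:
    sender: str     # From: address
    reply_to: str   # Reply-To: address (empty string if absent)
    subject: str
    body: str


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip("<> ").lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, own: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that is close to, but not equal to, our own domain."""
    return domain != own and edit_distance(domain, own) <= 2


def triage(msg: Message) -> dict:
    """Score a message; return the score, the reasons, and whether to hold it."""
    reasons = []
    sender_dom = domain_of(msg.sender)
    if is_lookalike(sender_dom):
        reasons.append(f"sender domain {sender_dom!r} is a lookalike of {COMPANY_DOMAIN!r}")
    if msg.reply_to and domain_of(msg.reply_to) != sender_dom:
        reasons.append("Reply-To domain differs from From domain")
    text = f"{msg.subject}\n{msg.body}"
    if any(p.search(text) for p in PAYMENT_PATTERNS):
        reasons.append("payment-change language in subject or body")
    score = len(reasons)
    return {"score": score, "reasons": reasons, "hold": score >= FLAG_THRESHOLD}


# Constructed sample messages: one routine internal note, one fraud attempt.
SAMPLE_MESSAGES = [
    Message(
        sender="cfo@example-firm.com",
        reply_to="",
        subject="Q3 budget review",
        body="Can we move the budget review to Thursday?",
    ),
    Message(
        sender="cfo@examp1e-firm.com",           # digit 1 in place of the letter l
        reply_to="cfo@accounts-mail-relay.net",  # replies are routed elsewhere
        subject="Vendor payment - updated bank details",
        body="There was a transcription error on the last invoice; please wire the "
             "payment to the new account details attached.",
    ),
]


def held_messages(messages=SAMPLE_MESSAGES):
    """Return the subjects of messages that should be verified out of band."""
    return [m.subject for m in messages if triage(m)["hold"]]


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        result = triage(m)
        print(f"{m.subject!r}: score={result['score']} hold={result['hold']}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The score is deliberately coarse: the point is not to block mail but to force the "call the vendor on a known number" step whenever two or more of these signals line up, which is the control that actually stops a diverted wire.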
Ransomware is malicious software (malware) that encrypts data and critical system files, rendering computers and data unusable without decryption. Decryption is only possible with a key that is provided if a ransom is paid to the attacker.
The ransom is paid using cryptocurrencies like Bitcoin to keep it untraceable. Interestingly, the attackers know that if they ask for an outrageous amount, a sum the business is never able to pay, they are much less likely to collect. So, they ask for a modest sum, such as $2,500 or $5,000, which is just low enough for a business owner to consider “making the problem go away” and avoid the embarrassment (and possible publicity) associated with getting hacked.
Hackers today maintain sophisticated operations with help desks, 24×7 technical support, and trained negotiators. They make every attempt to encrypt during off hours and target backups to make recovery without paying the ransom very difficult. In rare cases, ransomware forces companies to go out of business because of the cost of recovery. Of course, remaining cyber-fit is sometimes mandated or regulated by an industry or even the government.
Think about small-business money managers, hedge funds and accounting firms. It might seem obvious that protecting the information of clients or customers is enough of a reason to maintain the best available cyber security measures, but many companies, especially small and medium-sized organizations, are not aware that they may have a legal requirement to maintain a robust cyber security program.
For example, under the Gramm-Leach-Bliley Act (GLBA), enacted by the Federal Trade Commission in 1999, the GLBA Safeguards Rule requires that certain organizations develop a written information security plan (WISP) that describes how they protect client information. If your business is money management, accounting or involves investors, the GLBA may affect how you must handle their information in cyberspace. Because compliance with the GLBA is mandatory, there are severe penalties for non-compliance. These penalties include imprisonment for up to five years, fines or both. An organization can receive a fine of up to $100,000 for each violation, while officers and directors can receive a fine of up to $10,000 for each violation.
Another example is HIPAA compliance. The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
In 2017, OCR levied its first HIPAA settlement for a violation of the Breach Notification Rule. The $475,000 fine against Presence Health was the first in the history of HIPAA enforcement levied for failure to properly follow the HIPAA Breach Notification Rule.
What can small and medium-sized businesses do to protect themselves and understand if they are under any legal obligation to take extended steps to protect the data of their clients or customers?
You start with a comprehensive cyber security risk assessment to understand the necessary actions any business must take. In summary:
1. Assess the Risk: This means a comprehensive understanding of where vulnerabilities exist and which regulations govern your compliance, if any.
2. Mitigate the Risk: Once the vulnerabilities are identified, countermeasures are put in place to close the holes that are so attractive to hackers and ensure the business can pass a regulator or government audit.
3. Monitor the Risk: Remain aware of the devices on the network, test backups, conduct phishing tests, update policies, train employees and consistently update operating systems, applications and device firmware.
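The "test backups" item in the Monitor step matters because, as the ransomware discussion above notes, attackers go after backups specifically so that recovery without paying is hard. A backup that has only been confirmed to "run" is not a tested backup. The script below is an added example, not code from the article or its author: it records a SHA-256 manifest when a backup is taken, restores the archive into a scratch directory, checks every file against that manifest, and reports when the archive is older than a daily-backup policy allows. It uses a tar.gz archive as a stand-in for whatever backup tool a business actually uses; the file contents, archive names, 24-hour age limit and the "skip" knob used to simulate an incomplete backup are all constructed for the demonstration.

```python
"""Restore-and-verify check for backups (added example, not part of the article).

Ransomware crews target backups, so "test backups" has to mean restoring them and
checking the contents, not just confirming a backup job finished. This script
records a SHA-256 manifest when a backup is taken, restores the archive into a
scratch directory, verifies every file against the manifest, and warns when the
archive is older than the allowed age. tar.gz stands in for the real backup tool;
all sample files are constructed in a temporary directory.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
import time
from pathlib import Path

MAX_BACKUP_AGE_SECONDS = 24 * 3600  # constructed policy: a backup newer than one day must exist


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def take_backup(source: Path, archive: Path, skip: set[str] = frozenset()) -> dict[str, str]:
    """Archive `source` into `archive` (tar.gz) and write the manifest beside it.

    `skip` exists only so the demo can simulate a backup that silently missed files.
    """
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            if rel not in skip:
                tar.add(source / rel, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest))
    return manifest


def verify_backup(archive: Path, now: float | None = None) -> dict:
    """Restore into a scratch directory and compare against the recorded manifest."""
    manifest = json.loads(manifest_path(archive).read_text())
    now = time.time() if now is None else now
    stale = (now - archive.stat().st_mtime) > MAX_BACKUP_AGE_SECONDS
    # Use the path-traversal-safe extraction filter where this Python provides it.
    extract_kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **extract_kwargs)
        restored = build_manifest(Path(scratch))
    missing = sorted(set(manifest) - set(restored))
    changed = sorted(rel for rel in manifest if rel in restored and restored[rel] != manifest[rel])
    extra = sorted(set(restored) - set(manifest))
    return {"missing": missing, "changed": changed, "extra": extra, "stale": stale,
            "ok": not (missing or changed or extra or stale)}


def demo() -> dict[str, dict]:
    """Constructed scenario: a complete backup, an incomplete one, and a stale one."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "shared"
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n")
        (source / "clients.txt").write_text("constructed sample client list\n")

        take_backup(source, tmp / "good.tar.gz")
        take_backup(source, tmp / "incomplete.tar.gz", skip={"clients.txt"})
        take_backup(source, tmp / "stale.tar.gz")
        two_days_ago = time.time() - 2 * 24 * 3600
        os.utime(tmp / "stale.tar.gz", (two_days_ago, two_days_ago))  # simulate an old backup

        return {name: verify_backup(tmp / f"{name}.tar.gz")
                for name in ("good", "incomplete", "stale")}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: ok={result['ok']} missing={result['missing']} "
              f"changed={result['changed']} stale={result['stale']}")
```

Run this on a schedule against the newest archive and alert on anything other than `ok`; a backup that restores with missing or changed files, or one that is days old when policy says daily, is exactly the gap an attacker who "targets backups" is counting on.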
How does a business get started with a cyber assessment? Depending on the size of the firm, a standard cyber assessment is usually straightforward. A comprehensive set of questions, observations and tests will reveal the vulnerabilities and risks of a small or medium-sized business.
Once the assessment is complete, how disruptive is the remediation? Remediation depends a lot on what’s found in the assessment, but the biggest disruption always comes from the loss of convenience in favor of security. For example, mandating complex passwords that change every 90 days or blacking out the screen after 15 minutes of inactivity are security measures that impose a bit of inconvenience on employees. The bottom line is, if you want to demonstrate your cyber fitness, convenience must take a back seat to security.
Are there budget guidelines for small and medium-sized businesses that want to adopt a cyber security program? As a rule of thumb, a small or medium-sized business should spend between 7% and 10% of its annual IT budget on cyber security.