In the ‘Wild, Wild West’ of cyber attacks, security is everybody’s job
BY NANCY DAHLBERG
Think your business is too small to be a target of the cyber bad guys?
According to the Verizon 2019 Data Breach Investigations Report released in May 2019, 43 percent of cyber attacks in 2018 targeted small businesses. That’s pretty high odds.
More than half of the breaches resulted from hacking. Other tactics included social attacks (33 percent), malware (28 percent), events caused by errors (21 percent), misuse of authorized users (15 percent) and physical actions (4 percent).
If that is not enough to scare you, Symantec’s 2019 Internet Security Threat Report found that “formjacking” attacks skyrocketed in 2018, with an average of 4,800 websites compromised each month. Remember ATM skimming? Formjacking is similar, but it’s targeted at e-commerce.
Cyber criminals load malicious codes onto retailers’ websites to steal shoppers’ credit card details.
The Symantec report also found that supply chains remained a soft target with attacks ballooning by 78 percent.
While large businesses can dedicate resources to cybersecurity, small businesses face the same cybersecurity challenges and threats with limited resources, capacity and personnel. Yet, these statistics show that small businesses can no longer afford to sit back and hope that it won’t happen to them. Just like their large company brethren, small businesses need a cybersecurity strategy.
Kevin Campbell, PwC’s Southeast cybersecurity expert, told Treasure Coast Business: “I hear all the time from all size businesses, ‘Why would anyone attack us?’ In today’s world, it doesn’t matter if you are a Fortune 500 company or a startup or an individual, there are attackers out there that are coming after data, coming after money, using different mechanisms to attack all sized companies.”
RANSOMWARE THREAT IS REAL
Ransomware continues to be a big threat to small businesses, he says, a point echoed in the findings of both the Verizon and Symantec reports.
Verizon’s report found that ransomware accounted for a quarter of all the malware incidents analyzed. Symantec’s report found that while ransomware threats were down against individuals, attacks on enterprises were up 12 percent.
“Ransomware are these bots that people can create or go to a store [on the dark web] and rent to launch attacks,” Campbell explains. “Once the ransomware has found the way into your system in some way, shape or form, they very quickly propagate across your network and encrypt everything. Then a message comes up demanding a ransom, typically $50,000, give or take.”
The bad actors know that small businesses are typically more vulnerable.
For a lot of these businesses, they are paying the ransoms, because the alternative is to rebuild their systems from scratch.
“I’ve seen small, medium sized companies that went in and tried to rebuild their systems, but then realized they hadn’t been backing up for six months,” Campbell says. “Ransomware really is targeted at your smaller companies.”
Another trend is the use of IoT technologies, a system of interrelated computing devices, as an infection vector. Indeed, the Symantec report found that IoT was a key entry point for targeted attacks and privacy breaches. Most IoT devices are vulnerable, according to the report.
“It’s the wild, wild west,” Campbell says. “People are building products, they are building apps, but yet, they aren’t taking the lessons learned from all the cybersecurity issues we have had, by building cyber and digital resilience into their product offerings. We are making the same mistakes we made 30 years ago.”
In PwC’s inaugural Digital Trust Insights survey, 81 percent of respondents say IoT is critical to at least some of their business, but only 39 percent say they are very confident they are building sufficient digital trust controls with security, privacy and data ethics into the adoption of the IoT. Only 30 percent list IoT security among the safeguards they plan to invest in this year, the survey found. Similar results were seen for other emerging technologies.
So what’s a small business to do?
BUILD SECURITY INTO YOUR CULTURE
“If you are a new or newer company, from day one you’ve got to build security into the people, the process, the technology, the culture and the governance. You have to do it right … to ensure you have that digital resilience,” Campbell says.
Employees clicking on attachments is still one of the easiest ways for companies to get infected, he says.
“Security awareness is huge. By building the right culture, the products we are going to build will not only hit this level of quality, but they are also going to have quality associated with security. Security is everyone’s job.”
And yet, he adds, a lot of times companies are not putting enough structures in place for the reporting and oversight.
“Having the latest security software, web browsers and operating systems and having the best anti-virus software are part of the basics every company needs to have in place. But also key is the culture that ensures that an employee doesn’t introduce vulnerabilities, and that they keep the software and systems updated.”
CUSTOMER TRUST AT STAKE
The stakes are high — and they go way beyond monetary losses. Your customer’s trust is on the line.
“Every company out there these days may be swept up in some broad attack that is happening out there. Every threat actor is relevant,” Campbell says, noting that the costs of one of the ransomware attacks, NotPetya, was $10 billion worldwide.
“I’m sure there were companies that went out of business [because of that attack]. And how do you build trust with your customers if your site is down for a week while you are figuring out whether you are going to pay a ransom or not? For hospitals, it’s lives on the line.”
Campbell believes having a cyber insurance policy is becoming a cost of doing business but warned that small businesses need to make sure they have the right controls in place. He’s seen instances of insurers denying claims because the company hadn’t done certain things that were required.
Cybersecurity is a big focus for PwC, says Campbell, who is one of six partners in the Southeast dedicated to cybersecurity and privacy. “With all sizes of companies, we try to address this risk that is real, and sometimes underestimated, so when it does happen to them — and it is not if, it’s when — they are able to respond accordingly and have their business back up and running quickly.”
The Florida Small Business Development Center Network has a program and a website dedicated to cybersecurity education and advice. That website offers a guidebook, videos and other information. See: FloridaSBDC.org/services/business-continuation/cybersecurity/ .
In addition, the Florida SBDC at Indian River State College occasionally holds seminars on the topic.
MORE ADVICE FOR SMALL BUSINESSES
Here are some other recommendations gleaned from the reports cited in this article and from the Small Business Development Center’s guide:
• As you put your cybersecurity plan into place, consider firms that have experience in helping small businesses respond to cyber attacks. Your IT or managed service provider may have suggestions. The main function of a competent incident responder is to quickly identify the issue, stop the attack and minimize damages.
• Go beyond passwords (and there is an alarmingly high number of companies that don’t even have a strong password policy). Require two-factor identification for everything, including customer-facing applications, any remote access and cloud-based email.
• This sounds super basic, but it’s often not done, especially among small businesses: Keep your operating system and antivirus software up to date and patch your operating systems as soon as they become available.
• Web application compromises now include code that can capture data entered into web forms, so consider adding file integrity monitoring on payment sites, in addition to patching operating systems and coding payment applications.
• Your employees are your first line of defense against cyber attacks. They need to be trained to avoid becoming victims of phishing attempts and to report strange computer activity. Are company guidelines in place about the security of data on company laptops and on the use of unsecured Wi-Fi?
• Speaking of employees, we know you love them, but about a third of cyber attacks on businesses last year were inside jobs: Monitor and log access to sensitive data, quickly move to shore up the access when an employee leaves the company and be vigilant.
Treasure Coast Business is a news service and magazine published in print, via e-newsletter and online at tcbusiness.com by Indian River Magazine Inc. For more information or to report news email [email protected]