This past month Ekaru hosted a lunch and learn with over 50 local business leaders. Education and "the human firewall" are key components of any cybersecurity plan, and we're on a mission to educate our community. Here's a re-cap of the event.
The average cost of a cyber attack for a small business is $53,970. Big businesses make the headlines, but half of attacks are hitting smaller businesses. Cyber crime is now bigger than all other forms of organized crime combined!
To set the stage, we opened with a short video from Jimmy Kimmel Live. If you haven't seen this yet, its worth watching!
It's very important for business owners to understand that the threat actors can leverage the bad habits of well-meaning employees. Are you using the same password for many on-line applications? Are you sharing passwords? Are they easy to guess? Who in your organization will click on the bad link in an email and unknowingly help launch an attack?
In 2018, the Internet Crime Complaint Center (IC3) received over 350,000 complaints representing over $2.7 Billion in losses. Some of the major categories include BEC - Business eMail Compromise - whereby a threat actor will impersonate a known person to steal money, most commonly by wire transfer. Other types of threats include fake tech support scams, credit card scams, non-payment or non-delivery scams, and the list goes on. With the availability of crypto-currency, criminals can hide their identity and they're motivated to invent new attack methods.
Research by Barracuda Networks shows a "startling rise" in the number of Account Takeover Attacks for Office 365 suggesting that hackers impacted 29% of organizations in March of this year alone.
One of the factors driving the rise in cyber crime is the convenience we all expect from our technology to be able to work from anywhere on any device. In years past, a business would keep all computers in an office protected by a firewall. Now the laptops, tablets, and smart phones travel all over and they're harder to protect.
Some of the cybersecurity myths commonly held by small businesses include:
- SMB owners don't believe their information is valuable to hackers (in a Ransomware attack, the only thing that matters is how important your data is to YOU).
- SMB owners think that cyber crime won't happen to them and that it only happens to big companies. Actually half of attacks hit smaller organizations, but they don't make the headlines.
- SMB owners think their IT team has everything covered. The reality is that the foundational security that's typically delivered (firewall protection, antivirus, security patch updates) just aren't enough anymore!
Some of the many different types of attacks were discussed in more detail. The bottom line is that there's a lot of money in cybercrime these days, and the threat actors are very clever in finding new ways to attack.
We recommend a frame work of thinking about the roles of the data owner (the business owner), the Information Technology (implementing and maintaining data systems), and Information Security (risk insights and mitigation strategies). We recommend starting with a Security Risk Assessment to understand what critical data needs to be protected, where it is located, and how it is protected. Then the gaps in protection can be more clear. Each business owner needs to make an informed decision about the acceptable level of risk and security.
One of the analogies we encourage business owners to consider is how you protect your home. The first step is to identify what you're protecting (family members, pets, documents, valuables, etc). Then you can consider the various ways to protect your home (locks, doors, windows, yard signs, etc). For detection, there are many options for alarm systems, motion sensors, cameras, etc. The next two areas are Response and Recovery.
Consider how you would change your home security if you learned about a major crime wave in your neighborhood. Effectively, this is what's happening in cyber space right now.
The biggest threats we're currently seeing for SMBs involve Ransomware. In a Ransomware attack, the business data is encrypted and held hostage for a Ransom. There's no guarantee that you'll get your data back from the criminals if you pay the ransom, and you'll be targeted for more attacks. Cyber Insurance typically won't cover all the damages. We covered a few exampled in the presentation of an innocuous looking email arriving at the company, such as a resume, and hard working employees accidentally opening the email and inadvertently assisting in the launch of an attack. Also in in other types of emails, passwords can be compromised and then wind up on the Dark Web.
Education is a key first step to understanding the threats. It's important for businesses to make sure all employees know about the risks and what to look out for. In fact, the Massachusetts Data Security Law (and various other industry regulations such as HIPAA) REQUIRE on-going employee training.
Next on the list is a complete assessment to understand the current state of security and identify the gaps. There's no such thing as 100% security, but there are many affordable options for small businesses to increase security and decrease risk.
Call us for an assessment or for training for your employees. We're here to help!