We've all seen the headlines about the major cybersecurity incidents: Target, Yahoo, Equifax, Sony, etc. Cybersecurity is a topic that affects everyone, and we view it as a public safety issue. With all the headlines over the past years, at this point, most people "get it" that cybersecurity is a big problem, but the education can't stop there.
Too many SMBs see the big companies listed in the headlines and think they're "under the radar" when it comes to cybersecurity, but half of all attacks hit small businesses. A big part of our mission at Ekaru is to bring enterprise-class IT to small businesses, and security is a big part of it.
And there's more: the headlines tell just part of the story, and it takes a little more digging to identify the real costs. As an example, the San Francisco metro system was hit by ransomware over a year ago. At the time, the network was held hostage for $73K. All ticket point-of-sale systems were rendered useless, so to keep people moving, free fares were offered for the busy holiday weekend. With an estimated 700,000+ rides per day at a fare of $1 to $2.25, the system lost between $1.3M and $3.3M. This figure includes lost revenue, and doesn't include all the round-the-clock work to restore systems from backup.
The cost analysis doesn't stop there, though. Last week Microsoft released a critical zero-day security alert. As bad actors continue to find and exploit cyber vulnerabilities, the major tech vendors continue to update products to address the vulnerabilities.
Security patches are actually required by law under the MA Data Security Law, HIPAA, and other industry-specific regulations.
"For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information."
So here's the curveball. The critical security patch released by Microsoft last week had a bug: systems that got the security patch lost their ability to connect to the network! This meant that these PCs became basically useless until the network connections were restored. This led to downtime at customer sites, and enormous efforts by IT support firms like Ekaru to restore connectivity for affected users. As we consider the overall cost of security, the downtime associated with failed security updates is also a major consideration.
To secure networks and comply with regulations, we rely on Microsoft to continually address security vulnerabilities with security patches. With the complexity of modern computing systems, we realize that things are changing all the time. Going forward, more diligence by Microsoft in testing of security updates is needed - 2018 has gotten off to a rough start! That said, our message to all SMBs is that the risk of not complying with security updates is far greater than the risk of the rare problem update.
So we continue our message to all users: cybersecurity is a public safety issue, we're all in this together, and we all need to do our part!