As little as a decade ago, technology was a tool; now it is the central gear. Hacks and data breaches used to be inconvenient, expensive, embarrassing; now they are debilitating, destructive, sometimes disastrous.
Despite the integral position technology occupies in our businesses, small businesses, particularly, are woefully unprotected and unprepared.
- In 2019, Juniper Research reported that small businesses make up 13 percent of the cybersecurity target base, but on average invest less than $500 in security. Additionally, nearly 60 percent of all businesses in the United States have experienced a cyber attack, including phishing, malware and ransomware.
- Cybercrime in the United States is far more extensive than we know. The FBI’s Internet Crime Complaint Center says only about 10%-12% of cybercrime is actually reported.
- Did it take you 14 seconds to read these bullets? In that time, another business fell victim to a ransomware attack — a new one every 14 seconds — according to Cybersecurity Ventures.
When we know how critical tech is, when we know our businesses are in the crosshairs of cybercriminals, when we know the cost of an attack reputationally as well as monetarily, I wonder why we aren’t getting much better at protecting ourselves. Particularly small businesses, like the ones most of us have.
There may be three reasons.
- We feel overwhelmed. When major corporations and governments with deep pockets and large IT teams can get hacked, how can a small business or nonprofit possibly fight back effectively?
- We are lulled into a false sense of security by having technology in place, thinking that hardware and software systems will protect us not only from the criminal threat but from our own behaviors as well. Many of us think that software and hardware manufacturers are protecting us by building security into their products. But consider that malware loves Microsoft: its products make up 38 percent of all file types infected and weaponized by hackers, according to Cisco. The biggest risk to any company is authenticated users falling victim to phishing, whaling, CEO fraud or impersonation fraud. Some metrics say 20 percent of all employees will bite on a phishing email.
- Although two-thirds of all businesses have been hacked, we don’t see that every day. News of hacking and fraud incidents is often limited to the largest breaches affecting the biggest or most-visible companies. Most businesses and nonprofits that deal with fraud or hacking do not want it getting out. Few choose to prosecute, to avoid public exposure. Additionally, nationally there is a huge backlog of prosecutions for white-collar crime, and the state of local news reporting means there’s little chance you’d see coverage of these crimes. The result is a lack of public awareness that cybercrime, data breaches, hacking and technology-driven impersonation fraud are happening every day, to us and all around us.
It doesn’t have to be this way. Knowledge is power. Knowing the risks, knowing how to guard against them, and having a plan to react if you are a victim is what this month — National Cybersecurity Awareness Month — is all about.
My company, Portfolio, is a champion of this program because it is critical that businesses and individuals understand their risks and protect their assets.
Five elements are key to hardening yourself against these attacks:
- Identify: Know what data your business has, how sensitive it is, and how vulnerable it may be. Know where that data is stored and all the individuals and organizations — particularly third-party vendors, which are a huge security hole for many companies — that have access to it.
- Protect: This is the biggest job and involves everything from patching and updating software to regular, persistent training and testing of your employees.
- Detect: Be suspicious. Question unusual emails or out-of-process requests. Establish strong password requirements, force monthly changes (employees hate this, I know. Do it anyway), implement and require two-factor authentication anywhere you can. Conduct regular reviews of users and their access. Users with administrative access that they do not need are a significant risk.
- Respond: In 2015, the FBI’s director of cybersecurity said: “You are going to be hacked. Have a plan.” That still holds. There are resources to help you create a plan, including one from the Federal Communications Commission. Like any effective disaster-recovery plan, it’s a hefty process. But the risk-reward equation is on your side.
- Recover: Too many businesses don’t learn from or document the mistakes they make. Readers of this column know that lessons learned is a frequent theme. Look at every incident with a critical eye. Most things go deeper than a user’s mistake. Make improvements in communications, policies, and procedures.
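To make the Detect item concrete, here is a small access-review script. It is an added example written for this page, not code from the column or from Portfolio. It runs over a constructed user inventory of the kind you would export from a directory or identity provider, and flags the conditions the list above calls out: administrative access without a documented need, missing two-factor authentication, passwords older than the monthly change the column recommends, and third-party vendor accounts holding admin rights. The user names, field names and the 90-day "stale account" threshold are assumptions chosen for the illustration.

```python
from datetime import date

# Constructed sample inventory (not real accounts). Each record is what a
# directory export might give you before a periodic user/access review.
USERS = [
    {"user": "alice", "org": "internal", "admin": True, "admin_justified": True,
     "mfa": True, "pw_changed": date(2023, 10, 2), "last_login": date(2023, 10, 20)},
    {"user": "bob", "org": "internal", "admin": True, "admin_justified": False,
     "mfa": True, "pw_changed": date(2023, 9, 28), "last_login": date(2023, 10, 19)},
    {"user": "carol", "org": "internal", "admin": False, "admin_justified": False,
     "mfa": False, "pw_changed": date(2023, 7, 1), "last_login": date(2023, 10, 18)},
    {"user": "vendor-svc", "org": "third-party", "admin": True, "admin_justified": True,
     "mfa": False, "pw_changed": date(2023, 3, 15), "last_login": date(2023, 5, 2)},
]

# Assumed date on which the review is run, so the example is reproducible.
REVIEW_DATE = date(2023, 10, 21)


def review_access(users, today=REVIEW_DATE, max_password_age_days=30, stale_days=90):
    """Return a list of (user, issue) findings for the inventory.

    max_password_age_days=30 follows the column's monthly password change;
    stale_days=90 is an assumed threshold for accounts nobody has used.
    """
    findings = []
    for u in users:
        # Admin rights that nobody has documented a need for: least privilege.
        if u["admin"] and not u["admin_justified"]:
            findings.append((u["user"], "admin access without documented need"))
        # Two-factor authentication should be required wherever possible.
        if not u["mfa"]:
            findings.append((u["user"], "two-factor authentication not enabled"))
        # Password rotation overdue.
        if (today - u["pw_changed"]).days > max_password_age_days:
            findings.append((u["user"], "password older than %d days" % max_password_age_days))
        # Unused accounts are attack surface that nobody is watching.
        if (today - u["last_login"]).days > stale_days:
            findings.append((u["user"], "no login in %d days" % stale_days))
        # Third-party vendors with admin access deserve a specific look.
        if u["org"] == "third-party" and u["admin"]:
            findings.append((u["user"], "third-party account holds admin access"))
    return findings


def findings_by_user(findings):
    """Group findings into {user: [issue, ...]} for the review report."""
    report = {}
    for user, issue in findings:
        report.setdefault(user, []).append(issue)
    return report


if __name__ == "__main__":
    for user, issues in findings_by_user(review_access(USERS)).items():
        print(user)
        for issue in issues:
            print("  -", issue)
```

Run on the constructed inventory, the script reports nothing for alice, one finding for bob (unjustified admin), two for carol, and four for the vendor account, which is the kind of output a monthly review should end with: a short list of accounts whose access someone has to either justify or remove.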
You can get more information as well as tools, research, and templates at staysafeonline.org. Can we eliminate this crime? Probably not. But we can lessen, first, the chance of becoming a victim or, failing that, the depth of loss and impact on our businesses and organizations if we are.
Hey, be careful out there.