Written By: Jonathan Arena, CISSP, ITIL, CSM
President & Founder of White Clay Technology
Cyber-attacks have become a frightening daily occurrence. Every day we hear about our favorite stores, the websites we visit, or even our local municipalities falling prey to some form of cyber-attack.
It is not just well-known businesses that are suffering at the hands of these cyber criminals. Cyber-crime indiscriminately impacts large enterprises, individuals, non-profits, and small businesses alike.
Attacks are frequent, while prosecutions are rare, so the risk to the criminal is low and the reward is high. Industry estimates rank cyber-crime as the largest global criminal moneymaker, ahead of the drug trade, with annual damages projected to exceed $6 trillion by 2021.
Most large businesses have the resources to prepare for and respond to a security incident. Small businesses usually lack those means, which makes them an easier, and therefore more attractive and lucrative, target.
In response to the volume of attacks, government and industry leaders alike have turned to compliance regulations aimed at keeping consumers' personally identifiable information (PII) safe. These laws and regulations clearly place the responsibility for protecting your users' data on you, the business owner.
Although a cyber-attack can take many forms, the following are five of the most frequent threats currently affecting small businesses, along with steps you can take to reduce your risk of becoming a casualty of cyber-crime.
Ransomware
Ransomware is malicious software that, once a criminal has gained access to one or more of your systems, encrypts your critical data. The attacker then demands payment in exchange for the decryption key. Paying does not guarantee recovery: the key may never arrive, or it may not restore everything, and many ransomware groups now also steal a copy of the data before encrypting it and threaten to publish it if the ransom is not paid.
Ransomware is the current scourge of the internet for good reason: it is extremely effective. In the first quarter of 2019, the average ransom paid was about $12,000 per incident. One year later, the average had jumped more than ninefold, to about $111,000 per incident.
Protection Tip: Keep offsite and/or offline backups of your critical data sources on a regular schedule. Onsite backups that are reachable from your production systems will likely be found and encrypted too, to further pressure you into paying. Keep at least one copy offline or in immutable storage that a compromised production account cannot delete, and test restoring from it regularly; a backup you have never restored is not yet a backup.
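The backup routine below is an added example, not part of the original article or the author's tooling. It archives a directory, records a SHA-256 digest, copies the archive to a separate "offsite" location, and then proves the offsite copy restores byte-for-byte. The offsite target is just a second directory so the script runs offline; in practice it would be removable media, an immutable object-storage bucket, or a backup service whose credentials the production machine does not hold. The directory names and sample files are constructed for the example.

```python
"""Backup cycle with an automatic restore test.

Added example for this article, not the author's own tooling. The "offsite"
target is just a second directory so the script runs offline; in practice it
would be removable media, an immutable object-storage bucket, or a backup
service whose credentials the production machine does not hold, so that an
attacker who controls production cannot delete the copies. The sample files are
constructed inside a temporary directory.
"""
from __future__ import annotations

import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in 1 MiB chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, staging: Path, label: str) -> tuple[Path, str]:
    """Archive `source` as staging/<label>.tar.gz, record its digest, return (archive, digest)."""
    staging.mkdir(parents=True, exist_ok=True)
    archive = staging / f"{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    digest = sha256_of(archive)
    (staging / f"{label}.sha256").write_text(f"{digest}  {archive.name}\n")
    return archive, digest


def copy_offsite(staging: Path, offsite: Path, label: str) -> Path:
    """Copy the archive and its digest file to the offsite target."""
    offsite.mkdir(parents=True, exist_ok=True)
    for name in (f"{label}.tar.gz", f"{label}.sha256"):
        shutil.copy2(staging / name, offsite / name)
    return offsite / f"{label}.tar.gz"


def verify_restore(offsite_archive: Path, expected_digest: str, source: Path) -> bool:
    """Restore test: the offsite copy must match the recorded digest and extract to
    files byte-identical to the originals. An untested backup is only a hope."""
    if sha256_of(offsite_archive) != expected_digest:
        return False
    # Python 3.12 (and patched 3.8+) provides the 'data' extraction filter, which
    # refuses path traversal and device files inside an archive; use it if present.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as tmp:
        with tarfile.open(offsite_archive, "r:gz") as tar:
            tar.extractall(tmp, **extract_opts)
        restored = Path(tmp) / source.name
        for original in source.rglob("*"):
            if original.is_file():
                twin = restored / original.relative_to(source)
                if not twin.is_file() or sha256_of(twin) != sha256_of(original):
                    return False
    return True


def run_backup_cycle(source: Path, staging: Path, offsite: Path, label: str) -> bool:
    """One scheduled run: archive, copy offsite, prove that the offsite copy restores."""
    _, digest = create_backup(source, staging, label)
    return verify_restore(copy_offsite(staging, offsite, label), digest, source)


def demo(tamper: bool = False) -> bool:
    """Run a cycle on constructed sample data. With tamper=True the offsite copy is
    damaged after the copy, to show that the restore test reports it."""
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        source = base / "crm-data"
        (source / "customers").mkdir(parents=True)
        (source / "customers" / "2024.csv").write_text("id,name\n1,Constructed Sample\n")
        (source / "ledger.db").write_bytes(bytes(range(256)) * 64)
        staging, offsite = base / "staging", base / "offsite"
        _, digest = create_backup(source, staging, "nightly")
        offsite_archive = copy_offsite(staging, offsite, "nightly")
        if tamper:  # simulate bit-rot or an attacker overwriting the remote copy
            offsite_archive.write_bytes(offsite_archive.read_bytes()[:-1])
        return verify_restore(offsite_archive, digest, source)


if __name__ == "__main__":
    print("clean cycle restores:", demo())
    print("tampered copy restores:", demo(tamper=True))
```

The digest check catches corruption or substitution cheaply; the extraction and file-by-file comparison catch the subtler failure where the archive is intact but does not contain what you thought it did. Run `run_backup_cycle` from a scheduler and alert on a `False` result rather than only logging it.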
Social Engineering
Social engineering is the practice of manipulating a person's trust so that they do something they otherwise would not do. The most common tactic in the cyber-criminal's social engineering toolbox is phishing.
In a phishing attack, an email is crafted to look as if it comes from a legitimate person or business. Its aim is to harvest information or login credentials, deliver malicious software, or trick the victim into sending money or goods to the attacker. Victims can be chosen at random or specifically targeted.
Protection Tip: Invest in security awareness training and in a continuous phishing-simulation service that tests your users; ongoing education is essential. Email filtering cuts down the number of attempts that reach your business, but it only takes one user opening one message for a phishing attack to succeed. Also require multi-factor authentication on email and remote-access accounts, so that a phished password alone is not enough to log in.
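The triage script below is an added example, not the article's or the author's code. It shows the kind of header checks an email filter performs on an inbound message: the SPF, DKIM and DMARC verdicts that the receiving mail server records in the Authentication-Results header, lookalike sender domains, display names that borrow a trusted address, and Reply-To headers that divert replies elsewhere. It also shows why filtering alone is not enough: the third sample, a genuine partner mailbox that has been taken over, passes every check. The trusted domain, the sample messages and the domain names are constructed for the example.

```python
"""Header-based triage of inbound mail, the kind of check an email filter runs.

Added example for this article, not the author's code. TRUSTED_DOMAINS and the
three sample messages are constructed; .example/.test/.invalid names are reserved
and never resolve.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own mail domain


def auth_results(msg) -> dict:
    """Extract mechanism=verdict pairs such as spf=pass, dkim=fail, dmarc=none."""
    header = msg.get("Authentication-Results", "").lower()
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(pass|fail|softfail|none|neutral|temperror|permerror)", header))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot examp1e.com / exarnple.com style lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain within two edits of a trusted one, or embedding it (example.com.evil.test)."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(edit_distance(domain, t) <= 2 or t in domain for t in TRUSTED_DOMAINS)


def triage(raw_message: str) -> list[str]:
    """Return a list of findings; an empty list means the headers raised no flag."""
    msg = message_from_string(raw_message)
    findings = []
    display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2].lower()

    verdicts = auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            findings.append(f"{mech}={verdicts.get(mech, 'missing')}")

    if is_lookalike(sender_domain):
        findings.append(f"lookalike sender domain {sender_domain}")

    # "Jane Doe (jane@example.com)" <jane@attacker.test>: the name shows a trusted
    # address, but the real sender is somewhere else.
    named = {d.lower() for d in re.findall(r"@([\w.-]+)", display_name)}
    if named & TRUSTED_DOMAINS and sender_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name claims {','.join(sorted(named))} but sender is {sender_domain}")

    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"replies diverted to {reply_domain}")
    return findings


# Constructed sample messages (headers kept on single lines for clarity).
LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: staff@example.com",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;"
    " dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    "Subject: Q3 numbers", "", "Attached.",
])
PHISH = "\n".join([
    'From: "Jane Doe (jane.doe@example.com)" <jane.doe@examp1e.com>',
    "Reply-To: jane.doe@webmail.example.net",
    "To: accounts@example.com",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com;"
    " dkim=none; dmarc=none header.from=examp1e.com",
    "Subject: Urgent wire transfer", "", "Please send the payment today.",
])
# A real partner mailbox an attacker has taken over: every header check passes.
COMPROMISED_PARTNER = "\n".join([
    "From: Accounts <ar@partner.example.net>",
    "To: accounts@example.com",
    "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.example.net;"
    " dkim=pass header.d=partner.example.net; dmarc=pass header.from=partner.example.net",
    "Subject: Updated bank details", "", "Our account number has changed, see attached.",
])

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("phish", PHISH), ("partner", COMPROMISED_PARTNER)):
        print(label, triage(raw) or "no findings")
```

Note that `spf=pass` on the phishing sample is not a trust signal: attackers publish valid SPF records for the lookalike domains they register, so authentication results only tell you the mail really came from whoever controls that domain. The lookalike and display-name checks are what flag it. The compromised-partner message produces no findings at all, which is exactly the case that user training has to cover.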
Accidental Data Breach
An accidental data breach occurs when data is exposed not by a sophisticated attack but by inadequate security on your own data sources: a database or cloud storage bucket left open to the internet, a test system loaded with real customer records, or an application that does not enforce access controls. It is an incredibly common occurrence and has been the cause of several recent high-profile data breaches.
Protection Tip: First, always separate your testing and production environments. Testing and development should take place in a lab environment that contains no real user data, and access to production should be tightly restricted. Then perform regular security risk assessments against your application, along with regular vulnerability scans and penetration tests, to expose additional weak points in your environment.
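One practical way to keep real user data out of the lab, shown here as an added example (not the article's or the author's code), is to generate the test dataset from production with direct identifiers replaced by keyed HMAC tokens. The key stays in production and is never given to the test environment, so the same customer always maps to the same token and joins between tables still work, while nothing in the copy identifies a real person. Free-text and payment columns are dropped and dates are coarsened. Column names, the key and the records are constructed for the example.

```python
"""Pseudonymized test data from production records.

Added example for this article, not the author's code. Column names, the key and
the records are constructed; nothing here describes a real person.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Allow-list of what may reach the test environment, and how. Anything not
# listed is dropped, so a newly added production column cannot leak by default.
TOKENIZE = {"customer_id", "email", "phone"}
YEAR_ONLY = {"signup_date", "birth_date"}
KEEP = {"order_id", "plan", "country", "amount"}


def token(key: bytes, field: str, value: str, length: int = 16) -> str:
    """Deterministic pseudonym. The field name is mixed into the MAC input so the
    same string appearing in two columns does not yield the same token."""
    return hmac.new(key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:length]


def pseudonymize(record: dict, key: bytes) -> dict:
    out = {}
    for field, value in record.items():
        if field in TOKENIZE:
            tok = token(key, field, str(value))
            # Keep the shape the application expects so its validators still pass.
            out[field] = f"{tok}@test.invalid" if field == "email" else tok
        elif field in YEAR_ONLY:
            out[field] = str(value)[:4]
        elif field in KEEP:
            out[field] = value
        # card_number, notes and any unknown column fall through and are dropped
    return out


def build_test_dataset(records: list[dict], key: bytes) -> list[dict]:
    return [pseudonymize(r, key) for r in records]


def leaked_identifiers(prod: list[dict], test: list[dict]) -> set[str]:
    """Export gate: every production identifier that survives verbatim in the copy."""
    identifiers = {str(r[f]) for r in prod for f in TOKENIZE if f in r}
    blob = " ".join(str(v) for r in test for v in r.values())
    return {i for i in identifiers if i in blob}


# Constructed production records.
CUSTOMERS = [
    {"customer_id": "C-48213", "email": "ana.lopes@shop.example",
     "phone": "+1-302-555-0100", "plan": "pro", "country": "US",
     "signup_date": "2021-03-14", "card_number": "4111111111111111",
     "notes": "called about late invoice; lives at 12 Oak St"},
    {"customer_id": "C-51907", "email": "ben.ng@mail.example",
     "phone": "+1-302-555-0188", "plan": "basic", "country": "US",
     "signup_date": "2023-11-02", "card_number": "5555555555554444",
     "notes": "prefers phone contact"},
]
ORDERS = [
    {"order_id": "O-1", "customer_id": "C-48213", "amount": 120.0},
    {"order_id": "O-2", "customer_id": "C-51907", "amount": 35.5},
]


def demo() -> dict:
    key = secrets.token_bytes(32)  # generated in production, never shipped with the data
    customers = build_test_dataset(CUSTOMERS, key)
    orders = build_test_dataset(ORDERS, key)
    return {"customers": customers, "orders": orders,
            "leaked": leaked_identifiers(CUSTOMERS + ORDERS, customers + orders)}


if __name__ == "__main__":
    for table, rows in demo().items():
        print(table, rows)
```

The allow-list is the important design choice: a deny-list of "sensitive" columns silently fails the first time someone adds a new column to production, whereas an allow-list drops it until somebody decides how it should be handled. The `leaked_identifiers` gate should run every time a copy is exported, and a non-empty result should block the export.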
Your Vendors Have Risks
Businesses continue to migrate to software-as-a-service (SaaS) and other cloud offerings such as AWS, Salesforce and Microsoft 365. These services give businesses easier scalability and management in exchange for a predictable monthly fee.
Many business owners believe that because their data is in the cloud it is "magically protected" from all risk. This is a dangerous and incorrect assumption. The provider secures the underlying infrastructure, but under the shared-responsibility model you remain responsible for your own data, user accounts, access settings and configuration. Data in the cloud faces the same threats as data on your own systems and must be protected with the same level of diligence.
Protection Tip: Understand what each of your vendors does to minimize their risk. Many will have undergone an independent assessment or audit (a SOC 2 report, for example); ask to see the results. Make sure your contracts address liability should their systems not be adequately protected. Also understand specifically how your data is protected, how it is backed up, what the vendor guarantees should an incident occur, and how you can get access to your data in an emergency.
Lastly, even if the provider claims to back up your data, determine how you can obtain a regular backup copy of that data on your own, and regularly retrieve it. Even service providers can be casualties of ransomware and other cyber-attacks.
Poor Corporate Cyber Hygiene
Like electricity and running water, cyber criminals usually take the path of least resistance: they will go after your data in the easiest way available to them.
Some of the more common weaknesses include a cavalier approach to user account management, not following the principle of least privilege, not requiring multi-factor authentication, leaving default settings and credentials on systems and appliances, weak or absent password controls, an infrequent software patching regimen, and exposing administrative interfaces or remote access (such as Remote Desktop) directly to the internet.
Protection Tip: It is time to get serious about your corporate cyber hygiene. This is one of the most meaningful steps you can take to reduce your cyber risk. Review all of the aforementioned items. The best first step is to perform a risk assessment with a provider who can help identify your security gaps. If you have IT or risk professionals working for you either full time or as contractors, be sure to engage them for their assistance in this endeavor.
The final hygiene area that often goes unchecked is your insurance coverage for a cyber incident. Many businesses believe that their General Policy or their Errors & Omissions insurance will cover a cyber incident. In almost every case that is incorrect.
Be sure to check with your insurance provider to determine if you have cyber liability insurance and understand what is covered. If you do not have it, talk with your insurance provider as soon as possible to get it. If you do have cyber insurance, make sure you have enough. Right now, “enough” is estimated at about $250 per breached record. Lastly, do not forget that you not only have to be concerned about your client records, but you must be equally concerned about your personnel records. You have an obligation to protect those, too.
Effective cybersecurity is about minimizing your risk of being attacked. By implementing these key concepts, you will significantly reduce the risk your business faces. If you need assistance, White Clay Technology stands ready to support you.
White Clay Technology provides custom Strategy, Solutions & Support for your technology, project management, cyber security, disaster recovery, and business resilience needs. White Clay Technology works with your leadership team as trusted strategic technology advisers with the goal of making technology a business enabler, reducing your cyber risk, and empowering you to focus on the continued growth of your business. Contact White Clay Technology through their website at https://www.whiteclaytechnology.com.
Jonathan Arena, CISSP, ITIL, CSM is a recognized technology, cyber security & disaster recovery expert. He is the founder and president of White Clay Technology in Wilmington, is the author of Cyber Security Essentials For Small Businesses and is a technology, cyber security, and data privacy professor at Wilmington University.