Recently, I had the opportunity to talk with Mike Bettigole of Roark about cyber security issues today. We talked about how a good number of businesses are in denial about cyber security. Here is what he had to say about it.
If you think you aren’t at risk — because your business is too small or doesn’t have worthwhile data to steal — think again. Likewise, if your business is larger, with a dedicated IT department, and has never fallen victim to an attack, think again, because the risk of a cyber-attack increases every day. Hackers know that the IT systems of small and medium-sized businesses typically have weak security and are easy to exploit. Small businesses in particular tend to favor convenience over security.
Consider these statistics:
- Almost half (49%) of Small Businesses report that a cyber breach would cost them $100,000 or more. 20% say that a breach would cost $1 million to $2.5 million, if all their data was lost, stolen or clients left them due to lost data.
- An astonishing 60% of Small Businesses that are hit with cyberattacks never recover and end up closing down.
It’s almost certain that your business will fall victim to a cyberattack in one form or another. It’s not a question of if, it’s when. Considering the damage a cyberattack can wreak on your business, you can’t remain in denial any longer. The time to assess your cybersecurity preparedness is now. What continues to surprise is how so many businesses think they’re “cyber-fit” because they have a firewall, use passwords or simply because they never fell victim to an attack.
COVID introduced a whole new paradigm to cybersecurity because, not only do businesses need to worry about security at their place of business, but they now need to worry about the cybersecurity of their employees’ homes. Here are some of the top questions you should ask:
1. Business owners who suffered a data breach often ask, “Why me? Why did the hacker choose my business?”
People think hackers pick each business they hack. That’s simply not true. More than 90% of the businesses that are hacked are victims because it all began with the discovery of a hackable vulnerability. Picture a hacker walking down a block looking for a house to rob. He’s not thinking about how to analyze what’s in the home and whether it’s worth robbing. He’s looking for an open door or open window that will make it easy. Whatever is inside, he’ll likely have an opportunity to sell. The same goes for hackers.
2. Another question often asked is, “What is the biggest cyber security threat right now?”
Without question, wire transfer fraud and ransomware are the most critical threats facing businesses today. Wire transfer fraud occurs when attackers compromise an organization’s email system and start looking for finance and payment-related employees. Once they’re in, they may wait and watch for months, just to learn the people, the roles, even the slang people use to carry out their jobs. At just the right time they insert a second email making it seem like there was a transcription error and asking the recipient to please use the new account number (or they take the exchanged credentials and attack the bank account directly). They then divert the transferred money before anyone notices.
Ransomware is malicious software (malware) that encrypts data and critical system files, rendering computers and data unusable without decryption. Decryption is only possible with a key that is only provided if a ransom is paid to the attacker. The ransom is paid using cryptocurrencies like Bitcoin. Interestingly, the attackers know that if they ask for an outrageous amount, the business is never able to pay, so they ask for modest sums like $2,500 or $5,000, just low enough for a business owner to consider “making the problem go away” and avoid the embarrassment associated with getting hacked.
These hackers have developed into sophisticated operations with help desks, 24×7 technical support, and trained negotiators. They make every attempt to encrypt during off hours and target backup mechanisms to make recovery without paying the ransom very difficult – as a result many organizations pay the ransom to recover their systems and data in days rather than weeks or months (or not at all). Ransomware-infected companies have even had to go out of business because of the cost of recovery.
3. Sometimes organizations that are regulated or under certain compliance obligations, such as money managers, hedge funds or accounting firms, ask industry-specific questions…
It might seem obvious that protecting the information of clients or customers is enough of a reason to maintain the best available cyber security measures, but many companies, especially small and medium-sized businesses, are not aware that they are legally required to have a robust program.
For example, under the Gramm-Leach-Bliley Act (GLBA), enacted by the Federal Trade Commission in 1999, the GLBA Safeguards Rule requires organizations to develop a written information security plan that describes how they protect client information.
Penalties for Non-Compliance
Because compliance with the GLBA is mandatory, there are severe penalties for non-compliance. These penalties include imprisonment for up to five years, fines or both. An organization can be fined up to $100,000 for each violation, while officers and directors can be fined up to $10,000 for each violation.
Another example is HIPAA compliance. The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).
Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few.
In 2017, OCR levied its first HIPAA settlement for a violation of the Breach Notification Rule. The $475,000 fine against Presence Health was the first in the history of HIPAA enforcement levied for failure to properly follow the HIPAA Breach Notification Rule.
4. Federal HIPAA auditors levy HIPAA fines on a sliding scale.
Fines range between $100-$50,000 per incident depending on the level of perceived negligence. If auditors detect that the organization under investigation has neglected to perform a “good faith effort” toward HIPAA compliance, fines can become astronomical. With well over $40 million levied in fines since 2016, HIPAA compliance is more important now than ever before. What are common HIPAA violations?
- Stolen laptop
- Stolen phone
- Stolen USB device
- Malware incident
- Ransomware attack
- Office break-in
- Sending PHI to the wrong patient/contact
- Discussing PHI outside of the office
- Social media posts
So, what can a business of any size do to protect itself and understand whether it is under any legal obligation to take extended steps to protect the data of its clients or customers?
Mike Bettigole has compiled a comprehensive cybersecurity risk assessment approach to understand the necessary actions any business must take. Listen to his interview and get a simple assessment form at: https://theriskadvisor.com/shows/is-your-business-in-denial-about-cyber-security/