For most of us in business, if we heard of a venture that has grown to the $6 trillion level in annual revenue, we might be inclined to say “thumbs up” for being so successful.
Not so fast! The venture I refer to does not deserve such an accolade. I’m referring to cybercrime, which is a $6 trillion annual industry that shows no signs of slowing down.
Cybercrime is big business. Its perpetrators are becoming more and more sophisticated each day. For all business owners it’s critical that we look out not only for our own infrastructure, but also for the infrastructures of the customers who entrust us with their technology needs.
Whether you are in a business that sells, leases and services equipment such as multifunction printers, or you are a managed services provider with several dozen clients, you see firsthand each day the increasing reliance on technology from your customers. They see you as an integral part of their infrastructure and a solutions provider.
As cyberthreats continue, it is more important than ever to educate clients on how to minimize the constant danger they face from a hack of their infrastructure.
For example, an employee opens an email that appears to be from FedEx, alerting them to a delivery, or a “wire service transfer” statement appearing to come from a vendor. Sometimes, all it takes is a single click for the damage to begin.
Cybercriminals have changed the way in which they infiltrate a system. In the old days, with the “I Love You” virus, the damage (payload) was immediate and spread throughout the system. Today, the delivery of many virus payloads is delayed while the attacker gains a foothold in the system – thereby not alerting the company to an immediate threat. By the time it is discovered, the damage is widespread. That was the case with the recent Colonial Pipeline hack where the virus traveled around the system for three months before becoming active.
Cybercrime is a real threat and a moving target. Hackers work every day to get to your data. At one time, they would simply encrypt the data and render it unavailable to the owner, and only a ransom payment could free it up. Now, these criminals also threaten to make the data public. This alone should be incentive enough for businesses and organizations to do whatever they need to in order to keep this information out of the wrong hands. Then there is the added pressure from regulatory agencies for businesses to establish a more proactive approach to compliance where data privacy and cybersecurity best practices are concerned.
A business that ignores or neglects these mandates does so at its own peril – opening itself up to the increased risk of an audit, hefty violation penalties, potential litigation and severe reputation damage, which could lead to a loss of trust and ultimately a loss of customers.
In Massachusetts recently, the Steamship Authority – the organization responsible for ferry transportation between Cape Cod and the islands of Martha’s Vineyard and Nantucket – was hacked, temporarily bringing ferry crossings to a screeching halt. In addition to Colonial Pipeline, there was the recent hacking of beef supplier JBS (which reportedly paid $11 million in ransom to get its data back), and T-Mobile, which saw the personal data of more than 50 million customers go public. While these instances of cybercrimes all made headlines, there are countless more every day that businesses – like ours and those of our clients – may face.
The 2019 IBM Cost of Data Breach survey revealed that 24% of all data breaches in the past five years were the result of negligent employees or contractors. Another report, Insider Data Breach Survey, found that 60% of executives felt employees who made mistakes while rushing to complete tasks were the primary cause of internal breaches. Another 44% pointed to a lack of general awareness as the second most common reason, and 36% cited inadequate training for their organization’s security tools as a close third.
Another often-cited statistic suggests that up to 60% of small and medium-size businesses go out of business within six months of a major cyberattack. So, it’s a very real threat for all of us.
How does a business begin the process of better protecting itself and the customers it serves?
1) Detect vulnerabilities and compliance needs with a comprehensive risk assessment. Determining where the weaknesses are makes it possible to develop an effective remediation plan.
2) Implement a “security stack,” which is designed to work in conjunction with your anti-virus, anti-malware and firewall. A good security stack will help to detect if cybercriminals have already planted a foothold onto your network. Practice regular vulnerability attacks on your infrastructure to find out where the weaknesses are so that they can in fact be mitigated.
3) The best protection is only as good as the humans who run the infrastructure. So it is critical to train employees to be the frontline of defense against cyberattacks – for your own company and for any clients you advise. Every organization should engage in regular training to identify and detect suspicious emails and phishing scams. It’s good business practice, and insurance companies are now requiring some form of employee training for cyberinsurance coverage. If there is a breach, your carrier will want to know if you have provided employee training.
4) In addition to ongoing employee training, it is crucial to have basic company policies to minimize outside hacks. These include some basics such as:
• Written information security program – this is essential for compliance and is Best in Class business policy; this explains what your organization is doing to avoid a breach, what your security stack is made up of, and more.
• Web browsing policies – in general, it’s best to not allow access to non-company websites from the company network, both for security and productivity purposes.
• If an email looks suspicious, ask first – do not open.
• Policies about allowing the company website to be loaded onto remote personal devices (in general, this should be avoided).
• Frequent changing of passwords for all company accounts.
• Training in what to avoid in password changes (such as 12345).
• Two-factor authentication for access.
5) Every company should do all it can to avoid ending up on the dark web, even though many businesses do end up there eventually. The real key is to stem future damage – one important way to do this is to change passwords frequently. In particular, anyone who has a password that ends up on the dark web should change it and never, ever use that password again for anything.
6) Set up automatic scans to check security settings on each machine to ensure that your security policies are being enforced. Generate an automatic alert when two-factor authentication is not turned on where it should be.
7) Establish “exit procedures” for employee turnover that includes the immediate removal of ex-employees from the active directory. Scan the network daily for suspicious log-in attempts by ex-employees and others, and generate an alert for each incident.
8) Set up internal IT security policies that limit storage of credit card and other personal identifying information, and include additional security levels for access.
9) Scan all networks daily, looking for software that is missing the latest security patches, and generate alerts for machines that need updating.
The technological advances that we all enjoy are great – they enable us to move in leaps and bounds beyond what anyone would have thought possible a generation ago. But with these advancements come threats. Every business must do all it can to thwart cybercrime. If something looks suspicious, it probably is. Be certain that your company has the very best cyberprotection software on the market, a rigorous and ongoing training program to see that employees stay on top of their game, and a cybersecurity company to partner with who can watch out for your needs.
The threat is real. You have worked too hard to get your business to where it is, and your customers/clients have done the same, to have it disabled by a hacker. It makes sense to seek the advice of a cybersecurity company to help you assess threats and develop a plan to avoid being the next victim of a cybercriminal.