SECTION 1

Is Your Business In Denial About Cybersecurity?

If you think you aren’t — because your business is too small or doesn’t have worthwhile data to steal — think again.

Likewise, if your business is larger, with a dedicated IT department and has never fallen victim to an attack, also, think again, because the risk of a cyber-attack increases every day.

Hackers know that the IT systems for small and medium-sized businesses typically have weak security and are easy to exploit. Small business in particular, tend to favor convenience over security.

Consider these statistics:

• Almost half (49%) of Small Businesses report that a cyber breach would cost them $100,000 or more. 20% say that a breach would cost $1 million to $2.5 million, if all their data was lost, stolen or clients left them due to lost data.
• An astonishing 60% of Small Businesses that are hit with cyberattacks never recover and end up closing down.

It’s almost certain that your business will fall victim to a cyberattack in one form or another.  It’s not a question of if, it’s when.

Considering the damage a cyberattack can wreak on your business, you can’t remain in denial any longer. The time to assess your cybersecurity preparedness is now.

What continues to surprise me is how so many businesses think they’re “cyber-fit” because they have a firewall, use passwords or simply because they never fell victim to an attack.

COVID introduced a whole new paradigm to cybersecurity because, not only do businesses need to work about security at their place of business, but they now need to worry about the cybersecurity of their employee’s homes.

Top Questions:

1. Business owners who suffered a data breach often ask me, “Why me? Why did the hacker choose my business?”

People think hackers pick each business they hack. That’s simply not true. More than 90% of the businesses that are hacked are victims because it all began with the discovery of a hackable vulnerability. Picture a hacker walking down a block looking for a house to rob. He’s not thinking about how to analyze what’s in the home and if it’s worth robbing. He’s looking for an open door or open window that will make it easy. Whatever is inside he’ll likely have opportunity to sell. The same goes for hackers.

2. Another question I often get is, “What is the biggest cyber security threat right now?

Without question, wire transfer fraud and ransomware are the most critical threats facing businesses today.

Wire transfer fraud occurs when attackers compromise an organization’s email system and start looking for finance and payment-related employees. Once they’re in they may wait and watch for months, just to learn the people, the roles, even the slang people use to carry out their jobs.

At just the right time they insert a second email making it seem like there was a transcription error and to please use the new account number (or take the exchanged credentials and attack the bank account directly).  They then divert the transferred money before anyone notices.

Ransomware is malicious software (malware) that encrypts data and critical system files, rendering computers and data unusable without decryption. Decryption is only possible with a key that is only provided if a ransom is paid to the attacker.

The ransom is paid using cryptocurrencies like Bitcoin.  Interestingly the attackers know that if they ask for an outrageous amount, they business is never able to pay, so they ask for modest sums like $2500 or $5000, just low enough for a business owner to consider “making the problem go away” and avoid the embarrassment associated with getting hacked.

These hackers have developed into sophisticated operations with help desks, 24×7 technical support, and trained negotiators.  They make every attempt to encrypt during off hours and target backup mechanisms to make recovery without paying the ransom very difficult – as a result many organizations pay the ransom to recover their systems and data in days rather than weeks or months (or not at all).  Ransomware-infected companies have even had to go out of business because of the cost of recovery.

3. Sometimes I get industry-specific questions from organizations that are regulated or under certain compliance obligations, such as money managers, hedge funds or accounting firms.

You heard about this from an expert on your show, Andrew Lanning

It might seem obvious that protecting the information of clients or customers is enough of a reason to maintain the best available cyber security measure, but many companies, especially small-and-medium-sized are not aware that they are legally required to have a robust program

For example, under the Gramm-Leach-Bliley Act (GLBA), enacted by the Federal Trade Commission in 1999, the GLBA Safeguards Rule requires organizations to develop a written information security plan that describes how they protect client information.

Penalties for Non-Compliance

Because compliance with the GLBA is mandatory, there are severe penalties for non-compliance. These penalties include imprisonment for up to five years, fines or both. An organization can be fined up to $100,000 for each violation, while officers and directors can be fined up to $10,000 for each violation.

Another example is HIPPA compliance. The Health Insurance Portability and Accountability Act of 1996, commonly known as HIPAA, is a series of regulatory standards that outline the lawful use and disclosure of protected health information (PHI). HIPAA compliance is regulated by the Department of Health and Human Services (HHS) and enforced by the Office for Civil Rights (OCR).

Protected health information (PHI) is any demographic information that can be used to identify a patient or client of a HIPAA-beholden entity. Common examples of PHI include names, addresses, phone numbers, Social Security numbers, medical records, financial information, and full facial photos to name a few.

In 2017, OCR levied its first HIPAA settlement for a violation of the Breach Notification Rule. The $475,000 fine against Presence Health was the first in the history of HIPAA enforcement levied for failure to properly follow the HIPAA Breach Notification Rule.

Federal HIPAA auditors levy HIPAA fines on a sliding scale. Fines range between $100-$50,000 per incident depending on the level of perceived negligence. If auditors detect that the organization under investigation has neglected to perform a “good faith effort” toward HIPAA compliance, fines can become astronomical. With well over $40 million levied in fines since 2016, HIPAA compliance is more important now than ever before.

4. What are common HIPAA violations?

Some common causes of HIPAA violations and fines are:

• Stolen laptop
• Stolen phone
• Stolen USB device
• Malware incident
• Ransomware attack
• Hacking
• Office break-in
• Sending PHI to the wrong patient/contact
• Discussing PHI outside of the office
• Social media posts

SECTION 2

So, what can any-sized business do to protect themselves and understand if they are under any legal obligation to take extended steps to protect the data of their clients or customers?

We compiled a comprehensive cybersecurity risk assessment approach to understand the necessary actions any business must take. In summary,

1. Assess the Risk. This means a comprehensive understanding of where vulnerabilities exist and which regulations govern your compliance.
2. Mitigate the Risk: Once the vulnerabilities are identified, countermeasures are put in place to close the holes that are so attractive to hackers and ensure the business can pass the audit of a government audit.
3. Monitor the Risk: Remain aware of the devices on the network, test backups, conduct phishing tests, update policies and consistently update operating systems, applications and device firmware.

Question # 1:  What are the typical components of a Cyber Risk Assessment?

We use a comprehensive set of questions that span everything from physical security to policies to backup and administration. This involves physically visiting the site, usually under the guise of an insurance adjuster, walking around, asking questions and observing the habits of various users.

Typical questions include:

• Is a formal inventory of desktop machines maintained?
• Are OS updates installed on a regular basis?
• Is data stored locally on any of the desktops?
• Do users have administrative access to their desktops
• Is Antimalware (antivirus / antispyware / anti-adware) in use?
• Are Desktops backed up?
• Is Wi-Fi Used? What about a separate Guest Wi-Fi?
• Is VPN in place?
• Is a password policy in place and enforced?
• Is a Data Loss Prevention (“DLP”) policy in place and enforced?
• Is a firewall in place and properly configured?
• Are non-business websites blocked?
• Do screens auto-lock after a certain amount of non-activity?
• Are USB ports blocked?

Question 2: Once an assessment is complete, how do you go about closing the gaps in security?

We take a very methodical approach to the key areas we know attackers use to gain entry and exploit a business. This include.

1 End-user training

It’s important to provide regular training to your employees on the latest trends within cyber security, so they can be more aware as they operate. Important things to cover includes phishing, password security, device security, and physical device security.

Employees need to know what potential cyber security breaches look like, how to protect confidential data and the importance of having strong passwords.

It’s recommended to have organizational workshops with your company at least once every six months.

2. OS and Application patches and updates:

The single most important—and simplest—action you can take is keeping your computers’ applications and operating systems up to date with the latest security patches. If your computers are still running on Windows XP, you are at risk: Microsoft stopped supporting this version of Windows long ago, and is no longer providing security updates. The venerable Windows 7 will soon suffer the same fate. If you do nothing else, at least update your systems with the latest versions and security patches.

3. Antivirus updates:

Simply having an antivirus application is not enough—it has to be updated with information on the newest viruses and other malware. This usually requires a subscription. If your subscription has lapsed, renew today and make sure your antivirus software downloads updates automatically.

4. Strong password policy:

Make sure all your passwords are changed from their defaults and are not easy to guess (“password,” “admin,” and “1234” are poor choices). Where possible, implement multi-factor authentication to further increase security.

5. Access control measures:

All users should have only the minimum data access required to do their jobs. When every user has access to sensitive data, accidental or deliberate exposure or release of the data can occur, leading to damaging consequences. Consider keeping highly sensitive systems under physical lock and key in addition to password protection.

6. Minimize administrative access:

Similarly, most users should not have administrative access to computers, networks, or applications. Limiting this access can prevent users from installing malware or accidentally turning off security measures.

Least privilege is the practice of preventing certain users from accessing certain computer processes and data by restricting their access. Typically, there are “super user” or “standard user” accounts which can define the roles that people can have.

7. Device security:

Implement disk encryption and remote-wipe capability on all company devices to render them useless if they are lost or stolen. Establish a strong, sensible policy regarding the use of personal devices for work (known as “bring your own device,” or BYOD).

8. Protect mobile devices:

Company-owned and personal mobile devices should be protected with strong screen locks or biometric authentication as well as remote-wipe capability. Establish and enforce no-nonsense organizational policies around the use of mobile devices.

9. Secure communications:

Never use email to share sensitive data and avoid using devices outside the company’s control for email.

11. Strong IT policies:

These policies define how company IT assets can be used and what constitutes inappropriate use.

12. Internal and External Vulnerability Scans:

It’s recommended to conduct internal and external vulnerability scans at least once a quarter to look for weaknesses in your system. The scans are implemented through a computer program to find any type of threats that could exist.

Internally these scans detect if there were harmful programs downloaded onto a computer. Or externally detect the strength of the network segmentation and segregation.

13. Data backups:

Regularly backing up your data to a secure, encrypted, and off-site location can aid in recovery from a cyberattack as well as other human and natural disasters. It’s also essential for compliance with certain government regulations.

14. Cyberattack response planning:

A cybersecurity breach response plan is a regulatory requirement in several industries. Furthermore, it identifies a clear path of what to do to mitigate the damage from a successful cyberattack and how to get your systems up and running immediately. Defined escalation levels cater to auditor and regulatory requirements.

15. Cybersecurity insurance:

This is a prudent investment to cover financial losses in the event of a cyberattack.

Click here for the PDF