I recently attended a presentation made by a manager from Microsoft. The topic was cybersecurity and cybercrime. It was eye opening and scary. She talked about what she called Level 100 and Level 200.
Level 100 is what most business owners are pretty much aware of. It involves protection, detection, and response.
Some statistics she shared:
- 50% of adults in the US have been victims
- $500 billion cost to the economy
- 20% of all businesses have been targeted
- Most malware is on computers (or in business networks) for 3 to 4 months before it is detected. This is exactly what happened with Equifax.
The key data you want to protect:
- Intellectual property – most small businesses don’t think they have any. But they do – it could be an efficient way to do things.
- Access credentials – who within the company has access to what. Bad guys use this to figure out who to target.
- Financial information
- Employee information
- Customer information
Cost can be very high. She said the typical cost is $240 per record stolen/accessed. Can very expensive, real fast. The total could easily exceed the limits of a $1 million liability insurance policy.
Steps to take to reduce risk:
- Two-factor authentication – password + text, email, key fob, etc.
- Conduct backups and have them physically separated from your network.
- Use strong passwords
- Encrypt hard drives
- Run software updates regularly – even something as seemingly benign as Adobe Acrobat may have a security improvement
- Use antivirus software
Cloud advantages that she cited:
- You may access data on the go
- You pay for only what you need
- Safer, more secure data storage
- Cloud storage vendors like Microsoft and Apple recruit hackers to try to break in
She was a big fan of the cloud.
Common Cyberattack tactics
- Phishing emails
- You need to train your employees to be aware. A bank did some testing. The bank’s IT department sent out fake phishing emails and 30% of its employees opened them.
- Good antivirus – update software
- Good backups
- Tech support scams
- Microsoft does not call and say that you have a problem and they need access to your computer
How to best respond to a cyberattack:
1. Plan ahead
- Have a technology policy
- Have a cheat sheet of which employees have access to what – so you can jump on issues quickly
- Educate employees
2. If you get hacked…
- Get help – both legal and technical – don’t try to deal with this yourself
- Assess the damage – what got taken?
3. Mitigate the damage
- Respond quickly
- Notify customers, vendors, employees
- Business owners don’t like to do this. You are admitting a problem. But, Equifax made the situation worse by delaying.
- Comply with regulations
Level 200 encompasses cybercriminals at several stages, but all are dangerous for your small business.
- 93% of all money is digital
- Many companies are breached each week
- There is a big one (like Equifax) each month
- “Blackhat” cybercriminal is a professional adversary
- It may be an organization that has over 100 employees
- Motivated by the profit motive and ROI
These are the new wave of the cybercriminal.
Crimeware kits are available on the darknet. They are easy to get and cheap to buy.
Levels of cybercriminals:
- Script Kiddies – an unskilled individual who uses scripts or programs developed by others to attack computer systems, lacking the expertise to write his/her own.
- Gray Hats – refers to a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but does not have the malicious intent typical of a black hat hacker.
- Black Hats – gifted but unethical computer users who break into networks to destroy, modify, or steal data, or to make the networks unusable for authorized network users.
- State-sponsored (Russia, for example)
- Hacktivists – do it for a social or political cause
Mobile devices are a big opportunity for criminals. They provide lots of points of entry into businesses.
- Example – think about mobile banking
With all this in mind, how you are protecting your small business from cyber-attacks? The statistics reveal that something you find valuable in your business could be taken advantage of. Take precaution and protect your business assets.
(Source: Matt Pearce, Business Consultant, UGA SBDC)