Data breaches are on the rise, with 780 reported in 2015 and 1,093 in 2016, according to the Identity Theft Resource Center and CyberScout. Globally, the attacks are costing us hundreds of billions of dollars every year, with experts estimating a cost of $6 trillion a year by 2021.
Many of the attacks are targeting small businesses.
The biggest breach in the news lately has been the one at Equifax, where hackers accessed the personal information of 143 million Americans. Exposed data included names, social security numbers, birth dates, addresses and driver’s license numbers.
Attacks like these can destroy the breached companies, especially if they’re not prepared.
There are important things small businesses can do to prevent and minimize damage from cyberattacks. On Oct. 10, the Idaho Business Review took advantage of National Cyber Security Awareness Month to bring together a panel of experts on the topic.
The Equifax breach – what does it tell us about cybersecurity?
We live in a day and age where mega breaches exist, where we see large quantities of records being affected. It’s actually probably driving the value of the record down. … With Equifax, what I can talk on is the aftermath of it. It’s difficult to see an entire board step down, and once you start to reveal some of the details of when the vulnerability was identified, when it was patched, when they notified the public or the public found out — to me that’s the biggest life lesson if you’re a business owner.
If you don’t proactively start thinking about the measures you’re taking prior to the breach, and just thinking either you don’t have regulatory requirements, so security is not something you want to allocate funds to, or at some point you do have these requirements but they haven’t been tested fully and it comes down to simple patching measurements — these are seemingly simplistic ideals that you can live by. …
And same with [the breaches at] Yahoo. … You see these breaches, and you’re going to see those numbers of affected data keep going up. And we’re going to stop being surprised by it, especially when, it’s ironic, but we can’t even do a credit monitoring service for this type of breach. We need to start looking at those proactive measurements: your preparedness plan — how do you take control of your narrative, especially when the media’s involved? Because if you’re thinking about the livelihood of your business, especially if you’re a small business owner, that’s the most important portion of it.
The significance of the Equifax breach is that the quantity is bad, but it’s the type of data that was taken. Remember the last time you changed your social security number? The type of data that was taken, and think of it as a business owner – how would you establish a line of credit with the bank? Name, address, social – a handful of key data elements. They’re immutable, they’re unchangeable.
The impact of this breach is going to last for decades. It has the possibility – I’m not going to say it will – it has the possibility to fundamentally impact the way that commerce is done. A lot of our business climate is based on trust. If banks have to reduce the level of trust, establishing credit is going to get harder. If businesses have to reduce the level of trust, it’s going to get harder.
The current system is in no way perfect, not even close to perfect, but it just got a lot less perfect. What you’re going to begin seeing now is a move to do much more dynamic – not static, not like your social security number, etc. – there will be a lot more dynamic things that you have to go through to prove you are who you are and that your ability to take on and service debt, credit, etc. is what it is.
As a business owner and then as an individual and then as the responsibility you have to your employees, as a leader, you can impart some information to your employees and colleagues that may be at risk. You have to be especially vigilant on your credit file by checking your credit file – you can actually use lock services to freeze your credit so people can only use your credit when you give explicit permission. That is a pain. You can sign up for services – there are some services like LifeLock, and there are others that are less well known – but then in your business practices, you can think about reducing the level of trust that you have.
The things that you traditionally would have relied on to begin a business relationship, you probably have to be a little more suspicious. The good news is that mindset change gets to last forever because until they come up with a way to base it on something other than social security number and business identity details, the way we go about doing things has fundamentally changed, whether we see it or not.
Top threats are employee mistakes, phishing
I would definitely with 100 percent certainty say your end user awareness and the phishing exploitation that occurs are going to be your No. 1 concern right now. Granted, tax season will be very interesting. With the IRS and now Equifax, I imagine that’s going to be on your priority list. But really understanding the connection between the person operating the system and how open that system is and how open their email is, that infrastructure, those little bits of administration … — just clicking a link is so scary. Ransomware – I’m sure everyone’s heard of it – that’s going to be the No. 1 threat when it comes to phishing. It’s so simplistic, but if your backups are attached to the same server that you have your e-mail gateway running on, that’s everything, right? That’s your whole business. And if you don’t have, as we’re migrating to the cloud, if you don’t have a backup that’s old school paper, then you’re really going to be up a creek on that one, which is sad. All it takes is one person and a .02 second incident for that to completely annihilate your infrastructure.
‘Tax season will be very interesting.’ – MacKenzie Brown
I would also say the second one, as far as a threat goes, is going to be patching your applications and patching your appliances. At that point, it comes down to making sure you’re up to date on the updates and patching. This was the same thing we said probably 5 years ago when I got into awareness and evangelism at a state level – security and patching and backups within those two. It’s really simplistic, but also when you look at larger enterprises and the red tape or slow process of change management, they become more difficult. The human factor is not predictable. Those are going to be always your top threats.
One of the first things I thought of was phishing and ransomware. It’s interesting that I have that perspective, and I’ll listen to our CEO, Dr. David C. Pate, speak about what keeps him up at night, and his response will also be cybersecurity, and the reason being we’ve got 15,000 threats out there – actually more, because every one of our employees and people who aren’t employees who have access to our system are a threat to us. …
It’s not only the threat to privacy – patient privacy and employee privacy – but the threat that then puts on our patients’ safety. Thinking about ransomware, thinking about all the medical devices we use to care for our patients, and the impact a cyber incident could have on those devices in our network that we use to provide that care [is scary].
I’m a small business as well, [and the biggest threat] has definitely got to be employees, because if you have them helping you out [with] something as simple as if the owner or manager of the company has somebody [such] as a secretary or a manager check emails or just helping them out with day-to-day business, it’s so, so easy to get confused. If you’re flying by the seat of your pants, and there’s an email that gets sent to the owner, it looks legit and they’re asking for information – a lot of times, if someone’s asking the owner or whoever’s in charge, ‘hey, do you want me to respond to this?’ ‘Yes, just take care of it.’ It’s scary if you think of that.
Start at the top, as an owner or manager, and show your employees how serious cybersecurity is. …
The other piece, too, is aging technology and aging physical hardware. Which ones do you purchase, because they’re going to be obsolete in 6 months or a year or 2 years? That’s scary just because there are so many changes, and if you look at the Windows and iOS world compared to Linux – they’re the ones, [that are] pushing those updates out. We just assume they’re going to push out those updates that take care of any kind of security issues that might be out there.
Make sure that we hit yes and update those, because there’s a reason they put those out. It truly is to help us.
I spend a lot of time doing research on the dark web, and so my stuff might sound a little more paranoid than the typical [concerns]. The things that really keep me up at night or that I really worry about are things like a cyberattack on the electrical grid or industrial control systems. Or think about, well, winter is coming – if people that don’t like us figure out how to turn off heating in all the nursing homes or hospitals in Fargo, North Dakota, on January 2nd or something. You can take those industrial control system analogies to the grid, to skyscrapers, to bridges, to power, or whatever – these are digitized systems that have vulnerabilities and are subject to attack. That’s scary. That’s real life.
On a personal note, the things I think about – we talked about the Equifax thing – think about coming home one day and your answering machine is full at home and it’s collections agencies inquiring about the loans that you’ve been negligent on, and you’re like, ‘what loans?’ And it’s the 50 loans that somebody took out in your name, or in your kids’ name, or in your wife’s name. To me those are real possibilities.
We’re all carrying these [smartphones]; we’ll call them endpoints in the security world. These are powerful computers. This one happens to be powered completely off. When it’s on, I don’t have a way to shut off the mic. I don’t know who could potentially be listening to me.
We had a breach in October last year of a domain name service company on the east coast. Essentially they allowed traffic to be routed to websites when you type in a name instead of a number. It almost shut down the internet. The root cause of that, they found out, was vulnerable devices like DVRs, I’ll just say the word toasters – maybe there’s a toaster that’s connected to the internet – or a refrigerator, or a router – that has a default factory password that was never changed.
Hackers get in and use that device to install software, and they take over the device, then shut another system down. If you have a webcam in your house for security purposes, is it connected to the internet? Of course. It’s great; we have an app on our phone. Well those devices, if they have a default password, are known. There’s a website called Shodan that allows you to search for unprotected physical devices on the internet, and you can go look and, ‘oh, here’s one. Oh look, here’s someone’s living room; here’s someone’s children’s nursery.’
So that kind of stuff really worries me, especially when it involves hospital equipment. If it’s connected to the internet in some way, it’s vulnerable, and we don’t want a heart monitor or an infusion pump or something keeping someone alive – a dialysis machine – to be compromised.
Inventory is the most important part of patching
It’s never too early to patch. I guess it depends on the size of your enterprise, how many endpoints you have, how many appliances and applications that need to be patched. When we pull apart and dissect Equifax, the vulnerability was released a month before they could actually get the change management process done and get the patch alive.
When you look at the vulnerability, it was an open source library on an application. … I guess inventory is the most important part of patching. You need to know what’s in your environment and in your enterprise. But most importantly, how many applications and dependencies of those applications are you running to operate your business?
Struts was an open source library plug-in, so when we say that, it’s commonly used. So if you’re outsourcing that application to another business, and aren’t even outsourcing patching to a third party, you need to make sure your contracts and your understanding of what you’re liable for is going to be also threat free. …
Apple is pretty good at pushing out patches, but they also like to push out a second patch over that patch over that patch over that patch the more they find flaws that need to be remediated. Windows is really great at just getting one good patch out there – Patch Tuesday – and you have them all done.
When it comes to automating the process, like I said, inventory and your staff. Who do you have in charge of that? Who is responsible for that, and who is the check and balance to make sure they’re actually administering that on a regular basis?
Create a designated security expert
I go to these types of forums a lot, and I heard a really smart guy from Google say, ‘The best way to do it is just to paint your house brown,’ meaning don’t have anything good inside there; make it as plain as possible. Don’t save any data that you don’t need. If you don’t have credit card data, if you don’t have identity stuff, you’re by nature safer. But having said that, that’s not an option for a lot of businesses.
I would recommend if you have a technology person or department, designate somebody to be your security expert, and vest the responsibility with them to educate your entire company. I would also say it makes sense to routinely invest in a local provider that you can develop a relationship with, pay them by the hour like you would pay your accountant or lawyer or whatever to deal with this as a typical business issue. It is now part of owning a modern company. Develop the relationship, invest in it regularly, and it can be very simple to start and to grow your and your company’s aptitude in dealing with security, because a lot of the fundamental mistakes for businesses happen out of ignorance. Bad things happen to good people that just didn’t know something. So if you can build up the talent and skills and relationship, you’re going to be in a better position.
The Small Business Administration is a great resource. The Federal Communications Commission also has a small business cyberplanner outline, and it touches on all the areas you need to be concerned about – it’s tailored for small businesses. I would also encourage you to speak with your – if you don’t have an accountant on staff – a CPA or attorney. They can refer you to a professional who has established themselves, who has a good reputation. As a consultant myself, these are the people that I look to to say, ‘do you have business clients who are looking for somebody that has the right background and qualifications to come help them and can work in conjunction, perhaps, with their accountant or their attorney as an advisory team on this topic?’
It’s truly, as MacKenzie said, knowing your inventory. I worked in law enforcement for a short amount of time, but the one thing that stuck with me was this idea of a perimeter. If you have an incident or a crime that happens, you don’t block off the whole city. You try and figure out how to contain an area where the suspect is on the loose so you can search buildings methodically. And you try to make it as small as possible. If you use that analogy in a business, if you have four servers running and you realize, wow, you know, we really only need two, shut the other two off. You’ve cut your cybersecurity risk in half just by eliminating some hardware. …
Same thing with software. If you have software installed on your system that isn’t used, uninstall it. Same thing on your mobile device. If you haven’t used an app in a while – I delete them if I haven’t used them in three days. I just try to get rid of them. …
There are some things that are fairly simplistic – tightening the perimeter, doing patching, find somebody that can help you with that – you’re probably not in the IT business; you’re running another business and IT is a tool. So get the right people in place to support that tool and just do the oversight around it. …
Focus on the planning. I think planning is the most important thing. Know what you have installed, have backups, keep things updated, and of course end user training. There are some differentiating factors that you can handle mostly on your own, but bring in professionals.
Be prepared with incident response planning
When we go in and assess – and generally we assess large enterprises, commonly known as Fortune 1000 companies — what we find, which might be of some reassurance, is you can have all the sophisticated technology in the world for your boundary protection, and none of it will matter if you don’t have communication internally for your different stakeholders.
So if you look at your business, if it’s small or medium, you’re looking at your incident response planning and preparedness plan. We live in this time when they say not if, but when, and so we’re all waiting for the when, right? We’re waiting for that one phishing email to come and really [ruin] your day and make it not so fun.
When I talk about preparedness, I talk about sitting down with everyone from your management level to your employees, depending on the size of your business, to maybe even specific units, whether you’re looking at your HR or you’re looking at your accounting department or just sitting down with your end users, we recommend proactive activities like tabletop exercises. And when we talk about tabletop exercises, we look at the asset that that group will protect, and then we throw them with an attack vector. We say, what if this end user is hit with a phishing email, and she happens to be on her personal email on a computer that is attached to a single database with all your patients’ information or customers’ information — pretty important.
So what’s good about a tabletop exercise is you have each person go around and say, well what would you do? If you’re the first responder, who do you call? How do you verify that this happened? Who’s going to be the commander of this incident? … These are things you need to know.
By proactively preparing and planning all these things, you can mitigate a lot of the gray area, and you can expedite the process and also give yourself a little bit more predictability on the outcome of it so that you might not be able to remediate and isolate and completely save the financial aspect or impact that it might have, but you can certainly calm down the effect that you previously would have had. It’s knowing how your employees are going to respond, period.
A lot of things, when it comes to small business, depending on which industry you’re in – if you’re in the health care industry, Medicaid, Medicare, they’re the ones that are dictating policy and procedures and which plan. They want to see what is your plan. If you’re in the financial world, you’re dictated by the FDIC and those sorts of things.
But what if you’re not? What if you have your own plumbing or HVAC or some of these other businesses that are not dictated or governed? What do you do? Everything MacKenzie just said. It’s being proactive.
Knowing who needs to be a part of that is key. We’ve mentioned an attorney. Whoever handles your PR – you think about Equifax and how terribly it’s been handled from a PR perspective – make sure that whoever is going to handle that for your company is prepared to speak to that. What’s your plan?
Make sure you’ve got the right people prepared for that. It’s not just an IT problem. We go over this all the time. From a cybersecurity perspective, we’re constantly battling that notion. … Cybersecurity is a business problem.
Insurance coverage for cyberattacks is ‘the Wild West’
There are several underwriters writing cyber insurance policies. The problem is understanding and quantifying the risk is very easy to do when you insure a car – you know what the car is worth, you have a Blue Book value, you go through your driving history and get a premium quote. Cyber is kind of the Wild West still.
One of the biggest insurance companies, AIG, is actually working with a company out of Spokane, Wash., that’s come up with some quantifying methods that will help in underwriting. But right now, if you talk to your insurance broker they will probably tell you what they have. They’ll say, ‘Well, the state of Idaho has a limit on what they can pay, and oh, by the way, you’ll probably have to do some kind of audit. …’ And then if you make a claim, it’s not really clear if they’ll pay it. Like I said, it’s the Wild West. But it’s probably worth talking to your broker. …
Also … your liability is limited by the value of your business. Once [damages] go up beyond that, you declare bankruptcy and you’re done.
In many instances you’re going to be obligated to carry cyber insurance by either your clients or partners or as a part of a regulatory regulation you have to comply with. I can’t make a recommendation as to whether you need it or not. I don’t know about Wild West, but maybe St. Louis in 1850. I can’t tell you, and I don’t think most brokers can tell you what sort of events are actually going to be covered, how you’re going to assess the value of the loss – it is a super, super complicated space.
Cybersecurity really is just a risk management activity. It’s having the conversation and making sure you understand what’s your cutoff. What are you willing to lose, and how much are you willing to pay to protect it?
If you do take the dive into cyber insurance – I don’t necessarily promote or not promote it because I’m more on the side of preparedness and getting things done that are not expensive – but read your contracts. … You might get breached, but it could be a very long time before the insurance buyout comes back and you can pick up where you left off. That amount of time could be a financial loss that you’re going to suffer. …
To me, it’s lower on the priority list if it’s not mandated or required. Definitely look at it, but consult with a lot of people before you just jump in with one broker. Get some expertise … and if you can leverage people you already know in the industry, leverage them and ask them for advice because the long-term effects from a payout from cyber insurance after a breach could be exponentially longer than you would be able to afford to keep the lights on in your business.
Whenever businesses are trying to justify cutting costs – you know, why should I pay another co-location or data center to actually store your physical hardware or your physical computers or servers in there for a couple hundred bucks a month or a thousand bucks a month? Again, it’s almost paying like an insurance policy. You’re going to take them offsite, out of your office and you’re putting them in another facility – read your contracts, as far as what is covered, what happens if your servers do go down. … If something happens, why should I pay that extra? It’s another security measure keeping your physical hardware safe.
The future of cybersecurity
There’s a root cause to some of this that goes outside of the con schemes and the human element, and that is that fundamentally software is flawed. The whole idea of having a password is a bad idea. It’s just open to vulnerabilities. Patch Tuesday exists because software is broken. It was built not to be secure; it was built to work, function to some spec.
I’ve recently joined North Idaho College in Coeur d’Alene, and we’re building a curriculum there in computer science that is not really focused on cybersecurity, which is more of an after-the-fact response measure. Software can be built to be secure. The theories are advanced enough; we should be able to … eliminate some of these really fundamental flaws in security in software.
So software is part of the root cause, of course human nature is part of the root cause as well. I hope that is encouraging.
It isn’t the user’s fault all the time. If we had better software, it could account for inconsistencies in the process or identify people fundamentally. … We have something called blockchain that’s evolving. You’ve heard of bitcoin – bitcoin can be used for more than currency. It can be used for authenticating parties in a contract and other relationships. So maybe there’s some promise there; there are also some vulnerabilities there. The world is moving very fast and I’m hopeful that technology will get its act together.
When we talk about the future of cybersecurity, to be more optimistic – but it’s really hard to be optimistic in this job sometimes – but there are two things that really need to change, and Shawna and I talk about these things all the time: Culture. I don’t mean to steal people’s taglines, but really it is everybody’s responsibility – your child on an iPad or your teenager on the internet or as a consumer with your own personal data or as a business owner. Cybersecurity isn’t a misconception or only hacking and technically based. This is your livelihood. This is your privacy, and this is the risk associated with you as a person and what identifies you in regards to data and your metadata.
The other thing is they are estimating 3.5 million unfulfilled [cybersecurity] positions by 2021. … A part of that estimation is based on the fact that our now-IT guys are also going to be security people. Security is going to be a mandatory role that they equally play, so now we’re looking at an entirely different type of security position that’s going to need to be filled, and that’s going to be the risk portion of it, that’s going to be the business management portion of cybersecurity. I think if we focus on that workforce pipeline, and hoping that both your IT, your students, your children, you as a business owner – you are adopting cybersecurity for more than what it’s at, face value, then that’s going to slowly change the evolution that we see cyber in the next 10 to 20 years. Technology won’t slow down.
There are a lot of really passionate individuals and groups who are working on [changing cybersecurity] whether it be from a government level, whether it be from an individual, not-for-profit, others who are out there, and really trying to make a change. Let’s make a change in how manufacturers develop internet of things devices – our phones and other devices – let’s make sure that they’re implementing security into building those. Let’s change the way we educate society. Let’s make sure our kids understand the concept of privacy when they’re out roaming the internet, and let’s make sure we’re educating the business owners and employees and others.
All of those things are going to come. … At some point we are going to hit rock bottom, and we as the whole world will have to band together and change the culture of cybersecurity. I think we will see that.