You’re Vulnerable Because Cyber Crime is Way Up
I cannot overstate the transformation currently happening in cyber crime. Presently, it is growing faster than it has at any other point in history. We saw a huge increase in cyber crime from 2010–2020, and in 2020 it just seemed to explode exponentially. One of the greatest indicators of the growth of cyber crime is the growth of the cybersecurity industry to meet it. In recent history, we have already seen:
- A huge increase in yearly spending on cybersecurity, from $4.5 billion in 2004[1] to $167 billion in 2020.[2] Growth is expected to continue at a rate of at least 10% year over year. It is predicted to reach $372 billion globally by 2028.[2]
- In 2015, cyber crime cost the globe nearly $3 trillion yearly. In 2021, this number is expected to reach $6 trillion.[3]
Current predictions are that this number will increase to at least $10.5 trillion in 2025.[3] This is the long-term trend that we must fight against and ensure we prepare for. With an ever-growing number of tools for hackers to use, the rise of digital data, and the explosion of artificial intelligence being used for hacks, the threat is now bigger than ever.
The situation in 2020 grew even crazier, a trend that continued into 2021. The pandemic caused many people to adopt “Work from Home” (WFH) situations, or hybrid situations — working from the office some of the time and at home the rest of the time. All of this change increased the attack exposure for companies and their data. In the first quarter of 2020 alone, breaches were up over 267% compared to the same time in 2019.[4] The United Nations placed the rise in phishing attacks in 2020 alone at 600%.[5]
This trend will only increase in intensity and means that workers and their devices will become crucial endpoints in protecting against attack. During this time of transition and change, there is often confusion and it is that confusion that cyber criminals take advantage of to thrive.
People Are Your Biggest Vulnerability
Often when I’m discussing cybersecurity with a business owner, they will say to me, “I’m too small to get hit with a ransomware attack,” or, “I’m just a _________ company, there’s really nothing here worth taking from us.” But nothing could be further from the truth. I recently had a good example of this play out for one of my clients.
Laura (not her real name) is on the executive team at a successful central Texas law firm. One day recently, she was having a productive phone discussion with a client. To move her client forward, she would need some information from her. They agreed on the info and hung up. Minutes later, an email popped into Laura’s inbox from her client. Without even thinking, Laura clicked on the email and opened the attachment. Nothing happened. Laura took a second glance and realized the email was not legit. She quickly closed everything and deleted the email. That was her second mistake (not telling anybody). Her third mistake was waiting until the next day to reach out to our team about the issue. She called us when a seemingly unrelated issue popped up on her computer. While diagnosing that issue, my team discovered her email from the day before and what had transpired.
The good news is that after almost two hours of diagnosis and digital forensics, we determined that her security software blocked her attempts to open the malicious file and no compromise occurred.
But this brings me to my second important point: Your business is vulnerable to attacks because it is staffed by people. The above scenario plays out every single day. Often it does not have the happy ending that Laura experienced. Some of the biggest attacks in the past year have started the same way this story started. The main thing you need to understand is that it takes only one good-hearted and well-meaning employee to click on a link and bring your whole business to its knees… or maybe to an end.
Systems and processes are desperately needed that account for and mitigate the vulnerability of people. Security software needs to be in place to mitigate the risk of bad links, email attachments, threat footholds, and other known attack vectors. We are under a constant cyber threat barrage and need the help that comes from having the right strategies. The problem is that, as businesses, we have to “do business.” Our security needs to stay out of the way as much as possible. Also, no security is 100% foolproof. That’s why we desperately need training for our employees and executive staff. In the past, most people reading this would think, “I have antivirus, this doesn’t apply to me,” but the reality is that in the current climate, that’s not nearly enough.
Training, Training, Training
Even with every possible security mitigation strategy in place, you can still have human error. That’s why it’s so important to implement an ongoing and effective training strategy to raise cybersecurity awareness among your employees and executive team. In as little as five minutes a week, you could mitigate attacks similar to the one that happened to Laura. That attack got through their first line of defense. Thankfully, it was stopped by their second line of defense, but it could have been a horrible disaster. Cybersecurity training and simulated phishing training need to be implemented in businesses ASAP.
In my own company, the first time we started this training we had two employees click on fake phishing links. One of our employees even turned down the automatically offered training. When my employees fell for the phishing emails, this was devastating for me, but I knew it was just the first step in a process of becoming more secure. Our software offers a short, one-minute training video to the offender if they click on one of the simulated phishing links. Within a couple of rounds of phishing training, we got to the place where nobody ever clicked on the links or opened the emails. Now, when one of my employees gets a suspicious email, they will take a screenshot and post it in our company chat. They do this to warn their fellow employees and sometimes to make fun of the criminals.
That first training event was a real eye opener, but we had to start somewhere! It’s TRAINING that got us to this point and it’s training that every business needs to reduce attack exposure in this vulnerable area of their business. When you have implemented successful training, employees will not only be able to detect threats, but also actively implement cybersecurity best practices.
Your Technology Makes You A Target
Your business is also vulnerable to attack because you use technology. It’s a double-edged sword that can cut deep. In our world, we need technology to get our work done, but this same technology also makes us vulnerable to attacks.
First, there is the hardware we use. From smartphones, to laptops, to servers and printers and everything in between, everything we own now is interconnected. And with the transition to remote working, this has only become more pronounced. In an office setting, all it takes is one device getting compromised for your entire network and business to get breached.
Beyond the hardware you use, your business is vulnerable because you use software. One of the most recent examples of this vulnerability was the Microsoft Exchange servers hack of early 2021. These servers control a sizable portion of the world’s email. Their vulnerabilities were exploited as a result of the SolarWinds Orion hack a few months earlier. If you use these servers there is a high probability that cyber criminals got into your network.
Web server software is also commonly attacked. In 2018, Facebook had an estimated 30 million accounts’ worth of data stolen. If it can happen to them, it can happen to you. Sometimes tools themselves become compromised and can infect anyone who uses them. Sometimes all it takes is one old account from a forum or business tool that you used years ago, and your password is compromised. This can lead to losing access to an account that is integral to your business.
NIST To The Rescue
The reality is that your business is vulnerable if you do not have good cybersecurity control processes in place. The best practices to put in place are those outlined in the NIST (National Institute of Standards and Technology) cybersecurity guidelines. The details of NIST are covered in other chapters of this book, so I won’t get into it too deeply here beyond the basics. What I will do is emphasize that these controls go hand in hand with your employee training and are part of a bigger picture. Laws, directives, and insurance guidelines are quickly coming our way which will require your business to be NIST compliant. I cannot stress this enough. If you are not adhering to the NIST guidelines very soon, you most likely will be crossing legal, compliance, or insurance lines that you do not want to cross.
Here’s a quick list of the basics you need to be NIST compliant:
- traffic monitoring
- intrusion detection
- threat hunting
- multi-factor authentication
- at-rest and in-transit encryption
- zero trust
- BYOD policies
- device-use policies
- disaster recovery plans and procedures
- incident response plan
And it goes without saying, you need an expert to help you understand and implement these controls.
The NIST guidelines are broken down into five sections: identify, protect, detect, respond, and recover. Here is how each section breaks down, simply put:
“Identify” is the first function laid out in the framework. It begins with identifying exactly what your business’s core functions are and how they could be disrupted. This means determining where your business could be targeted, what assets you have that exist digitally, current risks, endpoints that are vulnerable, and tools used that could introduce the risk of a breach.
The next step, “Protect,” means properly applying a defense set up by an expert, complete with the most up-to-date artificial intelligence to defend your business. Everything you identified as important to the function of your business needs to be protected.
The next section is “Detect.” According to a report published by IBM in 2020, the average time to detect a breach is 207 days. How much damage could a hacker do to you if they saw everything you did within your business for 207 days? Once identified, it takes an average of 73 days to contain a threat. The longer this process goes on, the more costly it will be. Companies that manage to contain a breach in less than 200 days save a million dollars on average compared to those who do not.[6] This means having continuous detection strategies in place is paramount.
Next, “Respond” deals with your response to the threat and having someone formulate a plan to deal with the impact of a threat.
Finally, “Recover” deals with restoring full functionality to your business and making sure that the threat does not reassert itself to cripple your business again. Both need to be prepared far in advance so you will be ready “when” the time comes.
Blood, Sweat, and Tears
I was talking with a business owner recently about their lack of cybersecurity. She said some things that I hear shockingly often. She said that there’s nothing in her business that anybody would want. She literally said, “if somebody wants it bad enough they can just take it.”
She also said if a cyber crime was bad enough, they would just close down their business and reopen under another name. If you have the same perspective as this business owner, you’ve got to change your thinking! No matter what you think about your business, I can almost guarantee you it’s worth far more than you have ever imagined. Your business isn’t just the office building that you own or lease. Your business isn’t the sign out front. Your business isn’t just your online presence. Your business is the product of an almost infinite number of hours dreaming, working, going through hard times, making the sale, and more. In many ways, its worth is also almost infinite.
Vulnerable Because It’s Valuable
Your business is vulnerable to attack because it’s valuable. The criminals know this. There are aspects of your business that criminals can steal and offer for sale on the dark web. There are other aspects that they know are valuable to YOU, and they will exploit that if they can. Their goal is almost always to make money, and this reality applies to all businesses of all sizes. In 2019, 74% of businesses were the target of a cyber attack, and this trend is forecasted to increase in the coming years.[7] As well, 28% of data breach victims will be small businesses.[8] By maintaining security precautions and following the NIST cybersecurity framework, it is indeed possible to minimize the number of times that you have to deal with these attacks. But every business will at some point deal with it, either because a hacker thinks they found a weakness in your armor or because they want what you and your business have.
What makes a business valuable? It is the result of many pieces coming together, both tangible and intangible. Ultimately, these pieces form something that is greater than the sum of its parts. Many aspects that determine how profitable and valuable a company is can be disrupted by a data breach. Stability and smooth operations, recurring income, loyal customers, and a good reputation for your brand are all things that can be damaged by data breaches. Not only can this impact the profitability of your business today, but breaches can also hurt the overall value of your company going forward. Things like your brand value, cash assets, Personally Identifiable Information (PII) and Personal Health Information (PHI), social media, Google rankings, and the ability to provide for your family and the families of your employees are all at risk.
Unfortunately, when it comes to building something great, it is far harder to build than it is to destroy. You can put a lot of effort into ranking #1 on Google in your area, but an attack can lead to an infected website with malicious code. For this, Google will punish you in their search results, hurting your brand. A social media attack can also damage your reputation and cause a loss of value for your company.
Your business also has cash assets that hackers can target. Even if you can recover them, it may require you to take out high-interest loans in the interim. It could increase insurance costs going forward, even if insurance doesn’t cover the full value of the funds. Some assets might not be recoverable at all. Regardless, it means having to waste time and resources recovering your assets from a cyber attack.
On the dark web, stolen social security info, PII, PHI, and credit card information might only bring a few bucks each when sold, but can cost YOU exponentially more than that. The Center for Internet Security estimates that a PII breach costs companies an average of $158 for each stolen record. This accounts for the cost of potential lawsuits, reduced reputation, cybersecurity protection costs, tracking, and more. When it comes to PHI, that number inflates to an average cost of $358 to the business for the loss of just one record.[9] This is because a person’s health information cannot be changed. This information can be used to gain access to settlements, used as information to gain access to other accounts, used to scam victims, and more. If you have the PHI records of 1000 patients stolen, that could mean a cost of at least $358,000 to you. If you have the PII records of 1000 customers stolen, that breach alone could amount to a cost to you of at least $158,000. Keep in mind, it’s normal for us to find over 100,000 PHI or PII records when scanning a business’s network.
Your business is so much more than just what you do. It has so much more value than just a lease and some furniture. Your business is the financial provider for your family, and the families of your employees. That is something you can be proud of but also makes it highly attractive to hackers. They know they can use this value in an attack. This value is something that needs to be protected in our current cybersecurity climate.
After a huge breach, you will need to completely rethink your security apparatus and deal with the long process of recovering stolen assets, changing insurance rates, and rebuilding your brand’s value. With all of these things working against a hacked business, the question to ask is, “Will your brand be destroyed by a cyber attack?” Will all that immeasurable time you put into building your business be reduced to nothing? We hope not, and by allowing an expert to optimize your business security practices NOW you can make sure that the answer is a resounding, “No!” when the attack presents itself.
According to Experian, 60% of small businesses who have a data breach will not recover and will go out of business within six months.[10] It is one of my biggest passions in life to help people make their businesses succeed. It’s heartbreaking that some companies will close forever — wasting all their potential — because of something they could have prevented. These realities are why I am so passionate about taking the tekRESCUE cybersecurity product to so many people.