Cyberattacks targeting small and midsized businesses (SMBs) are becoming more prevalent every day. According to Keeper Security’s “The State of SMB Cybersecurity” report, a staggering 50 percent of small and midsized organizations reported suffering at least one cyberattack in the last 12 months, and the average cost of a data breach involving theft of assets totaled $879,582. The global cost of cybercrime is projected to reach $2 trillion by 2019, a threefold increase from the 2015 estimate of $500 billion.
We frequently get questions or are involved in conversations with our clients regarding the protection of their sensitive data. In the past year alone, we have seen a huge increase in security breaches, attempted theft of data and identity theft. As this becomes a bigger problem, it is critical to stay informed.
What are the most common cybercrimes, and how can you protect your business while keeping your exposure to a minimum? We’ll discuss each below.
The three most common cybercrimes are ransomware, phishing and data theft.
Ransomware attacks have become more sophisticated. Historically, they were delivered through spam emails that were easy to identify. They now target specific industries and specific people. For instance, a financial advisory firm will get an email that states, “Here are my investment statements for your review, let me know if you are interested in taking on a new client.” Once the recipient clicks on the attachment or URL, the malware begins to encrypt files on the local drive and may also attempt to connect to network drives and encrypt those. Users usually do not realize they have been infected until it is too late: they can no longer open their files, and at some point they receive a message demanding a ransom payment in exchange for decrypting them. Organizations may end up paying the ransom if they do not have good backups and getting the data back is critical.
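The paragraph above describes the behaviour that makes ransomware detectable before all files are lost: many files rewritten with encrypted-looking contents, or renamed to an unfamiliar extension, in a very short time. The following is an added example (not code from the original post) of a minimal check for that burst pattern over a constructed list of file-change events; the ".locked" extension, the allowlist of normal extensions, the entropy threshold and the window size are all assumptions chosen for illustration.

```python
"""Added example: flag a burst of encrypted-looking writes or unexpected renames.

Events are tuples of (timestamp_seconds, path, new_extension_or_None, first_bytes).
All sample data below is constructed; thresholds are illustrative assumptions.
"""
import math
from collections import Counter, deque

# Assumption: file types this (hypothetical) office normally works with.
KNOWN_EXTENSIONS = {".txt", ".docx", ".xlsx", ".pdf", ".csv"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Plain text sits around 4-5; encrypted or
    compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(head: bytes, threshold: float = 7.0) -> bool:
    """Heuristic: the first bytes of a rewritten file look like ciphertext."""
    return shannon_entropy(head) >= threshold


def is_suspicious(new_ext, head: bytes) -> bool:
    """A rename to an extension we never use, or a high-entropy rewrite."""
    renamed_oddly = new_ext is not None and new_ext.lower() not in KNOWN_EXTENSIONS
    return renamed_oddly or looks_encrypted(head)


def detect_ransomware_burst(events, window_seconds: float = 10.0, min_suspicious: int = 5):
    """Return the paths in the first sliding window that contains at least
    `min_suspicious` suspicious events, or an empty list if none is found."""
    window = deque()
    for ts, path, new_ext, head in sorted(events, key=lambda e: e[0]):
        if not is_suspicious(new_ext, head):
            continue
        window.append((ts, path))
        # Drop events that fell out of the time window.
        while window and ts - window[0][0] > window_seconds:
            window.popleft()
        if len(window) >= min_suspicious:
            return [p for _, p in window]
    return []


# Constructed sample data: one byte of every value gives exactly 8.0 bits/byte,
# standing in for a ciphertext header; the text line stands in for a normal edit.
ENCRYPTED_HEAD = bytes(range(256))
PLAIN_HEAD = b"Quarterly statement for review. " * 8

NORMAL_ACTIVITY = [
    (0.0, "Q1-report.docx", None, PLAIN_HEAD),
    (4.0, "invoices.xlsx", None, PLAIN_HEAD),
    (9.0, "notes.txt", None, PLAIN_HEAD),
]
# Eight client files rewritten and renamed within 2.1 seconds.
INFECTION = [
    (1.0 + i * 0.3, f"client-{i}.docx", ".locked", ENCRYPTED_HEAD) for i in range(8)
]


if __name__ == "__main__":
    print("normal day:", detect_ransomware_burst(NORMAL_ACTIVITY))
    print("infection: ", detect_ransomware_burst(NORMAL_ACTIVITY + INFECTION))
```

In practice the events would come from a file-system watcher or an endpoint agent; the point of the example is that the decision needs only timestamps, names and the first few hundred bytes of each file, not the malware sample itself.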
Phishing attacks rely on social engineering to gain access to sensitive data. It is the age-old scam of thieves tricking people into handing over information that then unlocks further access. The targeted data includes, but is not limited to, email account credentials, banking usernames and passwords, and personal information such as names, Social Security numbers, addresses and dates of birth. Once the thieves have the data, it can be sold on the black market, used to hijack a bank account or used to gain access to more data. The term for this kind of data is “PII”, or personally identifiable information. Most states, including Ohio, have specific laws regarding the security of PII. According to the Verizon DBIR, 30 percent of phishing emails are actually opened, and 12 percent of those targeted click on the infecting link or attachment.
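The link in a phishing email usually does not go where its visible text says it does. As an added example (not code from the original post), the script below parses the HTML body of an email with the Python standard library and flags any link whose displayed address names a different domain than its real destination, or whose destination is outside a list of domains the business expects to see. The sample email and the "bank-example.com" domain are constructed for illustration.

```python
"""Added example: flag links whose visible text and real destination disagree.

Uses only the standard library. The sample email below is constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that itself looks like a web address, e.g. "www.bank-example.com/login".
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value: str) -> str:
    """Hostname of a URL, or of bare address text such as 'www.example.com'."""
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname (naive, no public-suffix list)."""
    parts = host.strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def find_mismatched_links(html: str, trusted_domains=()):
    """Return a list of findings, one per link that deserves a second look."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = registrable_domain(host_of(href))
        reasons = []
        if URL_LIKE.match(text) and registrable_domain(host_of(text)) != real:
            reasons.append("visible address names a different domain than the link target")
        if trusted_domains and real not in trusted_domains:
            reasons.append("link target is outside the expected domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


# Constructed sample: the first link shows the bank's address but points elsewhere.
SAMPLE_EMAIL = """
<p>Your statement is ready.
<a href="http://login.bank-example.net.example/verify">https://www.bank-example.com/login</a></p>
<p>Questions? <a href="https://www.bank-example.com/contact">Contact us</a></p>
"""

if __name__ == "__main__":
    for finding in find_mismatched_links(SAMPLE_EMAIL, trusted_domains=("bank-example.com",)):
        print(finding["href"], "->", "; ".join(finding["reasons"]))
```

A check like this belongs in a mail gateway or a user-facing "report phishing" helper; it catches the common display-text trick without needing any knowledge of the specific campaign.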
Data theft occurs when a cybercriminal gains access to a system and steals sensitive data. The theft can occur by hacking into a system, stealing hardware, or theft by an insider. Some of these crimes target larger organizations. Data thefts can be very expensive and damaging. Two widely publicized examples are the breaches at Target and the United States Office of Personnel Management.
Now, we’ve compiled our list of the top 4 actions your business needs to take to help protect itself and its data:
Examine your IT infrastructure
You may want to consider investing in a security audit. At a minimum, you should do an internal assessment to ensure that all your machines are patched with the latest software updates, verify that your firewall is working properly and its updates are current, require complex user passwords, and monitor systems using antivirus software.
Educate your users
Constant user education is required. Remind people of the value of the information they have access to and of their responsibility to protect it. Most breaches stem from user carelessness or a lack of education. At a minimum, hold mandatory security classes annually and require users to read and sign off on the internal company policies. Continue to communicate the new scams and threats that arise throughout the year.
Be ready to respond to any incident
Have an action plan in place in case an incident occurs. The action plan can be written or communicated verbally; the important part is that users know who to contact and how. That contact person or team needs to be knowledgeable and able to make quick decisions to do everything needed to rectify the issue and minimize the damage. It is impossible to have a plan for every potential incident, which is why it is so important that the right person is notified as soon as possible. If you don’t have this capacity within your organization, you should contract with an outside company that can meet your needs.
Purchase a cyber insurance policy
Spending on cyber insurance has swelled, primarily in the U.S., from $1 billion two years ago to $2.5 billion in 2016. Experts expect dramatic growth in the next five years as the insurance concept spreads globally. The last line of defense is the insurance policy. We believe a cyber-policy is a necessity for any business that has a computer connected to the Internet. From the potential cost of protecting clients whose data has been stolen, to the hours or days you could be shut down, the cost of a breach can be crippling to an SMB. We have been involved in numerous engagements assisting clients after a data loss and it is very costly.
So, the last question we hear is “could this happen to our business?” The answer is yes and the chance continues to rise every day. Of the 1,000 IT leaders polled for Invincea’s “2016 Cyberthreat Defense Report,” three-quarters reported that their networks had been breached in the last year, and 62 percent said they expect to suffer a successful cyberattack at some point this year. Although we don’t provide IT services, we do consult with our clients very frequently about their technology issues, and often, their concerns with protecting their accounting data.
Concerned about the possibility of cyber attacks at your business? Contact us and let’s talk!