The topic of cyber security becomes more complicated on a daily basis. The more businesses learn, the more they realize they don’t know.
There is, however, a starting point for businesses of all sizes that are beginning to realize their vulnerabilities and invest in protecting their networks. According to the Bureau of Labor Statistics, 50 percent of all cyberattacks are committed against small businesses. This is troubling when the same source states that 80 percent of small- to middle-size businesses do not have any data protection or email security in place. It is human nature for all of us to wait until the last moment before making the decision of investing in cyber security, however, according to a 2016 Ponemon Institute study, the average cost for a data breach is $4 million.
In South Florida, a local clothing retail chain was recently shut down at the corporate level, and at the store level, for approximately 72 hours due to ransomware. They did not have the appropriate personnel training in place nor multiple layers of security and backups to mitigate a cyberattack once their employee clicked on the phishing email. Other local breaches have also occurred at hotel chains, condominiums, financial institutions, universities, doctor’s offices, casinos, professional firms and governmental departments.
One of the most valuable first steps a business can take is making the decision to “mature your security posture” by getting the advice of a cyber security consultant about how to improve your security position. The business might undergo an assessment of exactly what is needed to secure the business and deter a cyberattack. To use a simple analogy, think of the components of a house. For security reasons, a house has doors with locks, windows with locks, a peephole to see who is at the front door, insurance policies in case of a disaster and more. Additionally, added protection could include an external gate, alarm system, cameras, watch dog or burglar bars. These security add-ons not only minimize the chance of an intruder getting in, but they also act as a deterrent.
The same applies to a computer network. It requires many different layers of protections from audiovisual programs, hardware, multi-factor authentication, spam and phishing filters, network monitoring via personnel and behavioral analytics, training, policies and procedures, network segmentation, air-gapped backups and disaster recovery plans. As in the house example, a business should have multiple layers in place to protect their network. The extent to which they do depends on their budget, their level of sophistication and their willingness to adopt new technology. Adoption among small- and medium-size businesses is slow and requires additional education.
The act of social engineering, the art of manipulating people so they give up confidential information, is still the root cause of cyber crimes. A cyber breach commences with a phishing email that a user clicks on which establishes a foothold in the network for the hacker. Proper education for employees can minimize some of this risk.
Hackers today are using more advanced methods of attack beyond phishing emails. Flying a drone to the window of a business and sending a beam through the window to one of the wireless (IOT) printers to establish a connection and then pulling out the information is one example. It allows the hacker to establish a connection via an IoT device in the target’s office. The Internet of Things (IOT) refers to devices that have a web portal and software, and the ingredients to be hackable.
Other common types of cyber breaches include hackers “camping out” at coffee shops and restaurants close to their target company. They often create a Wi-Fi hotspot with the same name as the store’s Wi-Fi hotspot and lure employees who frequent the shop often into selecting their Wi-Fi source, giving them the ability to track data traffic and steal employee credentials.
After the three “distributed denial of service” cyberattacks throughout the day on Oct. 21, no one should be shocked by the capabilities of hackers. People carry many IOT devices every day — iPhone watch, iPhone, iPad and laptop, and that’s not counting what they have in their house. Today, there are more than five billion IOT devices online, and this number is predicted to skyrocket to 50 billion over the next five years. It’s time for businesses to take this complicated topic seriously by being proactive and developing a plan that invests in establishing multiple security layers and incorporates ongoing employee education.
Regan Marock is CEO of SPC Cyber Security Services in Miami and Fort Lauderdale.