It’s almost become a routine now to hear about a new cyber-attack wreaking havoc around the world. Most recently, the WannaCry ransomware attack infected over 200,000 computers worldwide, destroying files if victims didn’t pay to have the virus removed. But these large scale, headline grabbing attacks are not the only ones businesses should be worried about – not by a long shot.
The Hiscox Cyber Readiness Report found that almost half of US companies experienced two or more cyber incidents in the past year. Small businesses are disproportionally affected financially and are less proactive than their larger counterparts when it comes to preventing a cyber-attack.
To get more insight on this topic, we connected with Theresa Payton, CEO of Fortalice Solutions, recently named a Top 5 Most Innovative Cyber Company in the DC, Maryland, Virginia area. She’s also an author and one of the stars of the CBS reality series, Hunted. Theresa was formerly the White House Chief Information Officer under President George W. Bush.
Hiscox: How real is the cyber-crime threat for small business?
TP: The threat is real. Even if you have only one customer, you can be the target of cyber criminals. All serious companies manage risk at the executive level, and cyber is one of the top business risks across all sectors today. We see specific threats to companies of every size across every industry.
We see everything from sophisticated nation-state-based attacks against critical infrastructure sectors, which are widely reported, to attacks on small and medium-sized companies that are seldom reported.
Recently, there has been an uptick in phishing and social engineering attacks targeted at small and medium-sized companies. Many attackers are using Open Source Intelligence techniques to mine information leaked in breaches of sites like Yahoo! and LinkedIn. They use other information to draw connections between company employees – to determine who the CFO and Accounts Payable staff are, for example – to perpetuate financial and wire fraud.
Hiscox: What trends are you seeing? Are there any industries that are particularly vulnerable?
TP: I’m most concerned by cyber threats that leverage open source intelligence (OSINT) on key individuals, corporations, and large events to orchestrate targeted and sophisticated attacks. These attackers will piece together large amounts of publicly available information and use it to exploit their targets. Companies of all sizes need to start thinking like the adversary and pursue their own OSINT-based countermeasures.
In our practice, we see the majority of attacks affecting the top five sectors most recently identified by IBM:
- Financial Services
Most attacks are focused on obtaining data, including personally identifiable information and personal health information, and money. Business disruption is not far behind.
Hiscox: How does a business know if it’s been hacked?
TP: Unfortunately, many companies find out about a breach from law enforcement or from their own customers. Right now the average breach is on-going for 211 days before it is detected. Behavioral-based analytics and analysis of data patterns and data traffic anomalies can speed detection times. The best method is for your employees to alert you to something that doesn’t seem right. Training staff to tell you about suspicious emails, computers, or file activity can be a huge boost to your cybersecurity program.
Hiscox: How can a small business protect against an cyber-attack?
TP: We see most small businesses acting resiliently and doing a little bit of prevention and protection. Too often, however, we see compliance driving security. Compliance is a necessary evil and important for keeping regulators happy, but it does not constitute a dynamic cyber-security program that can keep pace with threat actors.
To get beyond compliance and assess where a business is, we recommend asking these questions:
- Do we track our organization, physically and digitally, using OSINT techniques? In other words, are we acting as an adversary would?
- Have we defined the top two assets that would destroy us if they were compromised or stolen? Have we made sure all human and technology processes consider these two assets first?
- Have we set up geofenced locations for large physical events or concentrated places of work or travel for our executives? Do we monitor for chatter that could target our people or critical data?
- What are our worst physical and digital nightmares? Do we have a disaster plan to address these scenarios?
- Do we have regular tabletop exercises against our worst nightmares? If there are multiple stakeholders, do we have a simple, straightforward memorandum of understanding in place to define roles and responsibilities?
Hiscox: How can business owners help their employees understand the role they play in preventing a cyber-attack?
TP: In the past two years, 95% of breaches were due to human error. Of those, 78% involved tricking the user into allowing access to sensitive information. The employee is a vital line of defense. Their vigilance can prevent your company from being victimized by a breach or wire fraud.
Hiscox: Many companies take steps to mitigate their exposure but are still vulnerable. What are the blind spots they may be missing?
TP: A safe corporate organization is one with a multifaceted cybersecurity program that blends old school risk management and compliance with innovative techniques. This approach provides a robust way to manage dynamic and complex cyber risks. Time-tested techniques include performing a traditional risk management assessment against the NIST Framework or other industry standards. Newer, innovative techniques are based on designing cybersecurity capabilities that anticipate the adversary, shifting the organization away from defense. The top three blind spots are wire transfer fraud, ransomware, and extortionware.
Hiscox: How can insurance companies help their clients?
TP: The insurance industry needs to modernize coverage. Offering identity theft protection is a year 2000 strategy. Businesses need insurance that covers them for 24 x 7 customer service, crisis and PR communications assistance, lawsuits, and more.
Hiscox: What should businesses look for when they purchase cyber insurance?
TP: First, know your top two most critical assets. Then define your digital disaster nightmare. Identify what you can do to mitigate the nightmare. Get insurance for those things that you cannot mitigate.