Counting the True Cost – Cyber Security Breach

Protecting yourself against cyber security is in the news every single day of the week. Yet every day I hear another story about a small business that has had a breach. When talking to the owners, the anger, frustration and disbelief is evident to see. The shock is expressed in the following words; this is costing me so much, it’s the inconvenience, it’s the damage to my reputation and worst of all I am losing customers and I know they will not come back.

What is the cost for small to medium business?

  • The statistics on the cost to small business are hard to establish but one can only suspect that if big business is $142 per compromised record (Ponemon Institute Research report 2016) that is something similar for small to medium business.
  • From my personal experience, I know a podiatrist whose business incurred a breach of their booking system that it took three months before their business was back to normal. Even after this time they continued to lose customers. The Ponemon Institute Research Report 2016 clearly indicates that the loss of business customers is the largest financial consequence for an organisation that experiences a data breach.
  • A breach becomes more costly to resolve the longer the breach remains undetected.

Is a small to medium business subject to fines?

All businesses no matter what size are subject to the very stringent privacy laws of Australia. These laws place a significant accountability on businesses to keep customers’ private information secure or face potentially large fines as well as bad publicity and damage to their reputation.

Why is small to medium business a target?

This may be obvious but every cyber- criminal is looking for a soft target, in effect every small to medium business has more information (data) to target than an individual consumer and, because of resource restrictions and lack of knowledge they have a less secure environment than a larger organisation. This is not only in terms of software but also in having security policies that are effectively implemented. For example; passwords, network access, usage of personal devices and external storage devices such as USB sticks.

Too often small business owners are not proactive because they do not believe they have anything worth stealing.  This is not the case as every small to medium business holds customer credit card information, customer personal details such as bank details and emails.  Every bit of information is useful to a cyber-criminal who can make money, for instance, by selling an email address.

Are the hackers and criminals becoming more sophisticated?

The short answer to this question is YES. The 2015 Australian Cyber Security Centre Threat Report 2015 identified that the number of cyber criminals with capability will increase, that the sophistication of the current cyber adversaries will increase making detection and response more difficult, ransomware will continue to be prominent and there will be an increase in electronic graffiti such as web defacements and social media hijacking. This is all occurring because every day no matter what size business you are there is a greater reliance on technology to run and conduct a business. This represents opportunity to the cyber-criminal.

How to minimize and protect your small to medium business against cyber – attack?

Suggested guidelines for protecting your business are:

  • Complete a risk assessment so you are aware of the areas you are most vulnerable. The suggestion would be to complete this with an It expert or use an assessment provided by the Australian Taxation Office.
  • Educate your staff about the various types of scams such as ransomware. Ransomware is a piece of malware that is often sent via email and when executed it kidnaps your machine via encryption that blocks the user from accessing their machine. The kidnapper then demands payment for the decryption key. Ransomware is often referenced as Cryptolocker, Cryptovirus or Cryptotrojan. Examples include Australia Post deliveries, Australian Taxation Office, Microsoft support etc.
  • Ensure you have policies that are enforced around passwords
  • Use up to date security systems such as anti-virus software, ensuring firewalls are in place, proper controls around network access.
  • Ensure you are backing up your data and protecting sensitive data in accordance with the privacy laws of Australia.
  • If you have limited capability and resources, consider the proactive approach of engaging an IT service provider on a managed services contract.
  • Have a remediation and recovery plan to a cyber security breach.
  • Take insurance against a security breach

From a technology viewpoint aim for the following:

  • End user security – workstations and laptops all have anti-virus malware protection, scheduled back up and regular preventative maintenance.
  • Centralised user control and back up – critical company information and local files need to be protected and still require regular back up, possibly with offsite duplication or in the cloud.
  • Unified threat management and content filtering – can offer maximum external threat protection and enhanced business productivity to your internal network.
  • Disaster recovery and data restoration – business continuity can only be guaranteed with adequate backup and recovery procedures in place

The four key elements in thinking about preventing cyber security breaches are to know your environment, to secure your environment, effectively control your environment and proactively monitor your environment.

The best approach is to make sure that the challenge of cyber security is at the forefront of the business owner’s mind and that of employees.

References:

Australian Taxation Office

Australian Cybercrime Online Reporting Network

Ponemon Institute; IBM sponsored 2016 Cost of Data Breach Study Australia