Keeping the Bad Guys Out of Your Business
Cybersecurity Tools and Tactics
Consider these sobering statistics: Almost 60 percent of data breaches occur at small businesses, according to the 2018 Verizon Data Breach Report. Of those impacted, more than half go under within six months of the breach, according to the National Cyber Security Alliance.
These facts were shared at a series of luncheons hosted by Zions Bank featuring Dean Sapp, chief information security officer of Braintrace, who focused his remarks on current cybersecurity threats and strategies for businesses and individuals to prevent them.
“Sometimes there’s a hesitation to talk about breach events that are very, very real because they instill fear,” Sapp told his Boise audience. “Think of this as just information that you can consume. It’s data; and with data you can make good business decisions.”
In Sapp’s experience, many hacks are carried out by organized crime units. “These are individuals that make their livelihood by stealing money from American companies, plain and simple,” he says.
Be on the Lookout for Scams
Almost every day Braintrace receives phone calls from clients whose email accounts were hacked. “Maybe they changed the routing instructions to do a closing and $75,000 went out the door,” Sapp said. “How are the bad guys getting in? Stolen email passwords.”
Passwords play an important role in preventing a breach, and simple passwords with eight characters or fewer can be cracked or guessed quite easily — especially if that password was previously disclosed in a public data breach.
“The only true strength of a password is how long it is,” Sapp says. “Complexity does not matter. For every new character, you’re adding entropy, which adds security.”
Although outside attacks account for 73 percent of data breaches, a considerable portion (28 percent) occurs inside organizations. Sapp calls these “errors and omissions,” such as an information technology professional who was overwhelmed and couldn’t get security patches installed in a timely fashion.
“You need to have a plan to stop the 73 percent, but you also need to think about how to stop your employees from making bad decisions,” Sapp says. He recommends doing so with good technical controls, good policies and procedures, and rotation of duty.
Physical security is an important component to consider as well. “Everyone in the room should be thinking about this: Your printers and scanners all have hard drives on them,” Sapp says. “When it’s time for that unit to be sold, do everything you can to make sure it’s been forensically wiped.”
“Make sure whoever’s providing you these (wiping) services are attesting that they are securely deleting the data,” he says. “Or have them give you the hard drive and give an intern a hammer and a pair of safety glasses and have them just smash it.”
Preparing for a Data Breach at Your Business
Sapp advises small businesses to take the following steps to protect against a potential breach:
1. Get a risk assessment.
2. Follow the recommendations in the risk assessment.
3. Don’t trust IT to take care of it. They are already swamped. Follow through and get them help when needed.
4. Adopt a security framework (CIS 20, ISO 27001, NIST CSF, etc.).
5. Secure your email.
6. Use a password vault.
7. Turn on multifactor authentication.
8. Get a cyber insurance policy.
In the event of a wire fraud or business email compromise, “Your first call is to your internal legal counsel,” Sapp says. “Your second call is to the FBI. They have agents in the field … and they have the best chance of getting your money back if someone has stolen it.”
He also recommends talking to your insurance representative (if you have cybersecurity insurance), following an incident response plan and hiring an incident response firm.
Data breaches are costly, both in dollars and in customer loss. In fact, a data breach is the third-most important reason customers abandon an organization, Sapp says, citing research from the Ponemon Institute.
The dollar value of the average data breach in the U.S. is $7.35 million, with breaches at “mom and pop” enterprises around $400,000 to $500,000. “That’s big enough to put a small business out of business,” Sapp says.