Small business not immune from cyber crime

by Keith Crawford

Editor’s note: Keith Crawford is a senior IT consultant with Little Rock-based Mainstream Technologies.

Opinions, commentary and other essays posted in this space are wholly the view of the author(s). They may not represent the opinion of the owners of Talk Business & Politics.

–––––––––––––––

It seems like every week we read about another successful cyber-attack on a large retailer, a bank or even the federal government. These breaches result in massive amounts of lost data, and the cost is ultimately borne by all of us.

Small and mid-sized businesses (SMBs) may take a false sense of security from these headlines, assuming they're too small to be a target, but this couldn't be further from the truth. The following statistics correct the notion that cybercrime is mostly a problem for large organizations.

Today, nearly half of all cyber-attacks (41%) are targeted at small and mid-sized businesses. When an SMB is targeted, the criminals are 15 times more likely to succeed than in an attempt on a larger organization. If your SMB is attacked and suffers a security breach, the average recovery cost is $52,000. If you use virtualized servers, the average recovery cost rises to $73,000.

If these stats alone don't get your attention, the next one will. It's actually the reason I'm so passionate about helping SMBs understand the cybercrime threat. Statistics show that 60% of businesses that experience a breach are out of business within six months. SMBs are the engine of the American economy, and it could happen to any of us.

OLD DEFENSES NOT STOPPING NEW ATTACKS
I dare say that if any of us were asked what we should do to protect our systems and data, most of us would answer, "Use a good antivirus, a firewall and strong passwords." These are all important and necessary, but in today's climate they're not enough. Five years ago, the International Data Corporation (IDC) stated that these types of tools miss about 30% to 50% of everything that's thrown at them. This is especially disconcerting when you consider how much older that statistic, and the attack landscape it measured, has become since then.

What brought us to this point?

Technology has been in a hyper-evolution phase over the past five to six years. What we're seeing is that software as a service (SaaS) is far more prominent than it once was. Some of us are running our payroll, our invoicing or any number of other applications in the cloud. Our mail might be Microsoft Office 365 or Google. We don't need to purchase software anymore; we can just pay as we go.

We're also using infrastructure as a service (IaaS) as a way to do more with less. IaaS offerings like Amazon Web Services and Microsoft Azure give us the ability to spin up a server in the cloud in a matter of minutes. Since we don't need to buy a server anymore, our initial investment is a fraction of what it once was.

This fundamental shift in how we access software and infrastructure resources has delivered efficiency, innovation and flexibility that were once unheard of. Just as we've benefited, so have cyber criminals. The term we use is Cybercrime as a Service (CaaS).

CYBERCRIME AS A SERVICE
Financially motivated cybercrime was once backed primarily by traditional criminal enterprises. In the early days, they had to own their own software, hardware and platforms. They organized dedicated teams of hackers who built these tools from scratch.

These "systems" required a large upfront investment in people and resources. Since they were so expensive to build and maintain, in order to make them pay, the criminals had to go after the "big fish," the large enterprises, to get their return on investment. Today's cybercrime looks much more like an entrepreneurial start-up community. It's a distributed worldwide marketplace that uses the dark web as its channel, similar to the buy/sell sites we're familiar with on the conventional web.

They no longer need large teams of dedicated developers. If they need a tool, a virus, a botnet or any other delivery mechanism, they can buy it off the shelf and put the pieces together. If they lack experience or skills, they can learn from others in chat channels or post job ads on forums.

Today, it's much cheaper and faster to assemble an attack. This makes it more cost-effective to target 40 or 50 "smaller fish" for tens of thousands of dollars each than to target a single large organization that is more likely to have strong defenses in place.

The cybercrime we're facing today is just as dangerous, but because each victim is small, it rarely makes the headlines.

HOW TO RESPOND
If you're an influencer or a decision maker, you need to be asking your IT staff or vendor what they're doing to protect your systems. You can't sit back anymore and wait for someone else to ask these questions. You must be proactive and ask: What is my risk? What is being done to protect me? What do we have in place?

You must take ownership. It's a priority that reaches to the C-suite or Board level. A risk to the bottom line is a risk no matter where it comes from. If you keep an eye on regulatory requirements, tax laws or economic indicators, you should be paying attention to cybercrime. It poses as much of a threat as any other factor.

You must understand what your risks are before you take action. Don't start spending money to medicate a problem without first getting a diagnosis. You can spend a lot of money on shiny new toys and still fail to defend what is most at risk.

The only way to adequately protect the organization going forward is to develop a healthy sense of paranoia: a zero-trust mentality, in both policy and practice, that assumes no user, device or network segment is trustworthy until it has been verified.

Cyber security requires a defense-in-depth approach that addresses risk and implements layered controls across your technology, your people and your processes. There is no single tool you can purchase or software vendor you can hire that alone can solve this problem.

Assess and diagnose your situation before you begin to medicate. Remember your objective is to make cyber security a part of your culture.