By John Sileo
On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a big, burly special agent from the economic crimes unit at the district attorney’s office—ready to issue a subpoena for my arrest. In a calm but ominous voice, he told me I was going to be charged for electronically embezzling (hacking) $298,000 from customers of my small software company, and that the DA’s office had enough digital DNA to put me in jail for a decade.
I was the victim of cyber crime, and I should have known better. You see, earlier that year my identity was stolen and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.
The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my professional life, which is how I ended up standing on my front step holding a tiny teacup and shaking like a leaf.
Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business.
The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs), precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.”
Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average.
In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so, and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.
In my experience, good leaders begin with the following steps:
Identify
All data is not created equal. Bring together the key players in your business and identify the specific pieces of data, if lost or stolen, that would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.
Evaluate
Understand your business’s current cyber security readiness. During this step, I recommend bringing in an external security firm to conduct a systems penetration test. A good penetration test will give you a heatmap of your greatest weaknesses as well as a prioritized plan of attack for fixing them. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work.
Assign
Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for—like any other risk to your organization.
Measure
Just as with any other business function, cyber security needs to be measured. Your security or IT provider should be able to suggest simple metrics—the number of hacking attempts blocked by your firewall, the number of phishing attempts that failed, days without a breach, etc.—with which to keep a pulse on your data defense.
Repeat
Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security during your slowest season annually. Strong cyber security thrives in the details, and the details in this realm change every year.
The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident. My case dragged on for two years, during which I spent every day fighting to keep myself out of jail.
In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients, and he used my identity to commit his cyber crimes. He exploited my trust, and then he cut the rope and let me take the fall.
I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again.
_________________________________
About the Author: John Sileo is CEO of The Sileo Group, a cybersecurity think tank based in Colorado, and an award-winning author and Hall of Fame keynote speaker who specializes in making security entertaining and actionable. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John graduated with honors from Harvard University.