“I’m too small to be a target.”
“They won’t get any money out of me.”
“They are only after the big fish.”
“I don’t have a budget for security.”
Ever said the above about your business when it comes to securing your data and network or planning your risk? You’re not alone. Millions of small business owners around the globe say the same. The problem is that they couldn’t be further from the truth. As ransomware and cyber attacks rise, it’s small businesses that are normally the easiest and the first to get breached. Part of the problem is that when a small business is breached, you normally don’t hear about it in the paper. It’s time to take control of your risk and figure out your ALE (Annualized Loss Expectancy).
Why small businesses?
The answer is simple. A lack of security controls, no or poor backup routines, and the likelihood of paying a ransom are why so many small and medium businesses are targets. It’s easy money for a ransomware attacker. Ransomware was a $1 billion industry according to 2016 numbers, and 2017 looks to be a better year for them. It has even spawned its own sub-market, Ransomware as a Service. Think about it. Would you pay $400 to get access to your data and keep your business going? Most business owners would say yes, and that is exactly what fuels the ransomware business.
Attackers also go after small businesses in order to piggyback onto bigger fish. It has happened in many major breaches; Target’s breach came through an HVAC vendor. Using smaller, less protected business partners to gain access to more secure systems is part of an attacker’s repertoire and is actively used today.
It Won’t Happen To Me
At a recent conference in Washington DC, EDC was part of a round-table discussion about security for the SMB market. With around 20 business owners and managers at this meeting, we were able to freely discuss breaches we have come across. In total, we estimated that just the 20 of us saw around $250,000 in ransomware payouts in 2016. The worst story was that of a six-person health practice. After the ransomware payout and HIPAA fines, the practice was out $140,000, or almost two years of profit. This doesn’t include lost business and the money spent on marketing to win back lost patients. What was the estimated cost of implementing backups and security practices for this one client? $5,000.
Another story? One title firm was out tens of thousands of dollars on a wire fraud scheme that turned out to be part of an international hacking ring. It involved a breach at a bank and a mortgage lender from out of state. It was a very high level attack and the FBI stated the money was unrecoverable.
You know what those 2 attacks have in common? They both happened in south Louisiana.
What Can You Do About the Risk?
Expect that you will get breached and come up with a plan to limit the damage. Decide how much you are willing to spend each year versus how much you are willing to lose to cyber crime. Look at the slide below:
This comes from the US Cyber Consequences Unit, a DC-based think tank that helps the government anticipate future attacks from current trends. Scott Borg’s point is that you should accept that an attack will happen and come up with a game plan to lower that risk. At the end of the day, you spend money to save money and your business. The ability to identify a risk and then mitigate or accept it is crucial in today’s business, especially in the connected world we do business in.
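As an added worked example (not from the original post), here is the spend-versus-lose comparison behind the ALE idea, using the post’s own figures: a $140,000 single loss for the health practice and $5,000 for backups and security practices, treated here as an annual cost. The annualized rates of occurrence (how often such a loss is expected per year, before and after the controls) are assumptions for illustration, not numbers from the post.

```python
# Worked ALE example (added illustration, not the post's own material).
# ALE = SLE x ARO: single loss expectancy times annualized rate of occurrence.
# Figures from the post: SLE = $140,000, control cost = $5,000.
# Assumed for illustration: the ARO values and the reduction the controls bring.
from dataclasses import dataclass


def annualized_loss_expectancy(sle: float, aro: float) -> float:
    """Expected yearly loss from one risk, rounded to cents."""
    if sle < 0 or aro < 0:
        raise ValueError("SLE and ARO must be non-negative")
    return round(sle * aro, 2)


@dataclass
class Control:
    name: str
    annual_cost: float   # yearly spend on the control
    aro_after: float     # expected ARO once the control is in place (assumed)


def evaluate(sle: float, aro_before: float, control: Control) -> dict:
    """Compare yearly loss with and without the control; positive net means
    the control saves more than it costs over a typical year."""
    ale_before = annualized_loss_expectancy(sle, aro_before)
    ale_after = annualized_loss_expectancy(sle, control.aro_after)
    net = round(ale_before - ale_after - control.annual_cost, 2)
    return {
        "ale_before": ale_before,
        "ale_after": ale_after,
        "net_annual_benefit": net,
        "decision": "mitigate" if net > 0 else "accept",
    }


# Constructed scenario matching the post's health practice story.
PRACTICE_SLE = 140_000.0
BACKUPS = Control("backups and security practices", annual_cost=5_000.0, aro_after=0.1)

if __name__ == "__main__":
    # Assumed ARO of 0.5: one such incident every two years without controls.
    for aro in (0.5, 0.02):
        result = evaluate(PRACTICE_SLE, aro, BACKUPS)
        print(f"ARO {aro}: {result}")
```

With an assumed ARO of 0.5 the yearly expected loss is $70,000 and the $5,000 control is clearly worth it; at a very low assumed ARO the same control costs more than it saves, which is the "accept the risk" case.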
If you have any questions or want to talk more about your security liability, contact EDC and we will work with you on getting your network to an acceptable, secure level.