Small business is all about managing risk since no risk can be prevented with 100% certainty. But what if I told you that there is one risk which puts 60% of businesses that encounter it out of business? You'd get better odds at Vegas playing craps! Furthermore, what if I told you that it is virtually certain you will encounter some form of this risk and that you might already have and not even know about it? Worse yet, I'll bet most people reading this are barely, if at all, prepared for it.
It's the risk of a cyber attack.
Although cybersecurity most often makes it into the headlines because of large breaches at companies such as Target, JP Morgan, and Netflix, or Nationstate attacks such as the Sony/North Korea email breach or the alleged Russian attacks meant to compromise the US election system, the most frequent threat is actually to small and medium sized businesses.
And if you happen to be an especially innovative small company your risk actually goes up because it's very likely that your innovations are tapping the power of technology and the Internet, increasing what cybersecurity experts refer to as your attack surface.
I know what you're thinking, "But I've got firewalls, VPNs, up-to-date anti virus software, malware detection, trustworthy employees and besides, I haven't been attacked, yet." And there's the operative word, "yet."
It's going to happen to you and if the prevailing attitude at your company is that it won't then you're playing with fire. In my consulting and the graduate courses I teach on Cybersecurity at Boston University what I have found to be most frightening is the lack of awareness about the magnitude of the cyber threat and the complacency towards being proactive in managing the risk, especially among small businesses.
Research conducted by the National Cyber Security Alliance found that:
- Almost 50 percent of small businesses have experienced a cyber attack.
- More than 70 percent of attacks target small businesses.
- As much as 60 percent of hacked small and medium-sized businesses go out of business after six months.
Symantec, which tracks cyberthreats through a global network of 98+ million sensors, discovered more than 375 million new unique malware variants in 2016, 98 million bots, 1.1 billion identities compromised through breaches, and an overwhelming 76% of all scanned web sites having vulnerabilities that make them targets for attacks.
According to Symantec, "Perhaps what is most remarkable is that these numbers no longer surprise us. As real life and online become indistinguishable from each other, cybercrime has become a part of our daily lives. Attacks against businesses and nations hit the headlines with such regularity that we've become numb to the sheer volume and acceleration of cyber threats."
(If you want to understand the full extend of the threat I'd strongly suggest you red the full Symantec report.)
Being numb to the threat creates your greatest vulnerability because it lulls you into believing that there is nothing you can do.
So, what can you do in the face of such overwhelming odds? I talked to Symantec's Samir Kapuria, Senior Vice President and General Manager, Cyber Security Services about the state of cybersecurity. Here are some of my key takes-aways.
A Battle Plan For Action
During the Gulf War Stormin Norman Swarzcopf said that the most important thing to have was a plan for action rather than a plan of action. The difference being that your plan has to malleable so that it can adapt to the actual threat. The same applies to cybersecurity. While, it's critical to have the right defenses in place to address viruses and malware, that represents only about 5% of the threats. It's even more important to have a plan that details how you will respond in the face of a cyber attack that includes unknown threats.
The fact is that vast majority of damage done in cyber attacks is due to an inability of the party being attacked to respond because they have not adequately planned out and practiced a cyber response strategy. This is where your brand is most susceptible to long term or potentially irrecoverable damage. When you look at why 60% of small to medium sized businesses that suffer a significant cyberattack never recover and go out of business, it's almost always because they failed to accept the importance of having a plan in place.
"It's like putting a guard at the front door to ward of bank robbers without giving him or her training on what to do in the event of an actual robbery!"
In many cases that's because while they had all of the right defenses, such as anti-virus, malware detection, encryption, and firewalls they did not have in place the right systems and processes to deal with an actual attack and it's aftermath. It's like putting a guard at the front door to ward of bank robbers without giving him or her training on what to do in the event of an actual robbery! In the case of a business it usually means that they do not have a fully redundant system for accessing their applications and data, both live and online as well as regular offline backups stored in multiple onsite and offsite locations. Stop and think about it. If your ecommerce system, web site, email, or customer data was suddenly inaccessible because of an attack would you be able to get back up and running within minutes, hours, or days, or at all?
The vast majority of companies do not conduct adequate cybersecurity training for their employees. Given that the single greatest cyber risk is social engineering, which is basically using people to voluntarily but unknowingly allow an attack to occur, it's critical that you put every employee through a bootcamp on how to avoid and recognize cyber threats.
This can be as innocuous as a bogus spear-phishing email, which is what compromised and provided access to Hillary Clinton's campaign chairman John Podesta's Gmail account during the last election cycle. And email has become the overwhelming weapon of choice for attackers. Or it may be a bit more nefarious, such as using a personal relationship with someone to gain access to sensitive data.
"95% of all attacks involve some form of social engineering."
You may laugh at this and say, "Not in my company, we're much too vigilant." Yet, 95% of all attacks involve some form of social engineering. So, ask these questions: How often do you train your employees on the threat of cyber risk and basic ways to avoid it? Even something as simple as better adherence to better password protocols is enough to avoid the vast majority of cyberattacks. Yet, 75% of small business employees leave their computers unsecured. On average we each get one email containing malware each day! Have you trained your employees on the risks of email threats?
Third, and this is the most important and yet least utilized defense, conducting simulations of a cyberattack, or cybersims. This might be as simple as periodically sending out phishing emails to employees to see who actually clicks on a bogus link or opens an attached zip file, or setting up internal hackers who will try to break into your systems as an attacker might. There are many sophisticated ways to do this but pretty much anything that gives you an opportunity to expose vulnerabilities and to then have the opportunity to respond will give you an edge and the ability to learn how to deal with an attack while it is going on.
"Getting into the attacker's mind is critical if you are to be able to defend yourself from a cyber attack."
For example, last week I attended, and keynoted at the awards ceremony for one of the most sophisticated and realistic cyber war games scenarios I've seen. The games were part of a five-year effort undertaken by Symantec to increase the visibility of cyberthreats. They involved over 1500 people from around the globe who were tasked with a series of cyber challenges culminating in a five day marathon where finalists had to hack into a self driving vehicles, the irrigation systems of a farm, and the seed store of a nation state. The event actually had working prototypes of each systems being hacked on site. If you hacked the irrigation system in a glass case housing corn stalks would turn on until it drowned the plants. In past years the games have included hospital room set ups complete with a simulated patient, and a scaled down version of a field of oil tanks which would even explode when hacked.
Your simulations do not need to be anywhere near as sophisticated but their purpose should be the same, to give people a visceral experience that actually creates the sort of anxiety, chaos, and damage of a real attack. Don't discount this. Simulations have a profound effect on how we think about a problem. By way of example consider that from 1940 until 1990 the number of aviation accidents that resulted from pilot error was stuck at 65%. Today it's at less than 30%. Why? The advances that occurred in flight simulators gave pilots the ability to work under scenarios that were nearly impossible to experience in anything but the real thing.
That same effect applies to pretty much any simulation. Having done simulations for dozens of organizations, from board rooms to the front lines, I can tell you that nothing is more disturbing or has greater impact than allowing someone to actually live through the implications of an attack.
Simulations also change the way you think about cybersecurity, shifting your mindset from a defensive posture to that of an attacker. Getting into the attacker's mind is critical if you are to be able to defend yourself from a cyber attack. You can only defend yourself against the threats you know. Thinking like an attacker allows you to better understand the possible threats and how you will react to them ahead of time.
This War Is No Game
By the way, what amazed me most at the Symantec CyberWar games was that the recipients of the gold medal all looked young enough to barely be of drinking age and even included a 17 year-old intern! But don't let that fool you into thinking this is some sort of video game where you can simply press the reset button. The consequences are very real and can be devastating to any business, but especially a small and medium sized business.
With estimates placing cybercrime somewhere between a 500 million to trillion dollar industry, this is a very real threat. You will encounter it. The only question is, "How will you respond?" Of course if you consider 4 out of 10 to be good enough odds for your business then just sit back and keep rolling the dice.
Disclosure: My keynote at the Symantec CyberWar Games awards ceremony was a paid engagement.