It can take an entrepreneur years to save or raise the capital to start a business and build a brand, but a single data breach can wipe out all that work in a matter of moments.
“One of the things that usually happens is no one worries about cyber until they get in a bind, which means they either were attacked, had a data breach or lost some sensitive information, such as account information or credit card numbers,” said Henry “Paco” Capello, information systems program manager at LSU’s Stephenson Disaster Management Institute. “By then, the problem is so big that it’s going to cost tens of thousands of dollars.”
A financial and/or credibility hit like that can kill a new or small business, he said.
The sad thing is, even the smallest firm can easily plan for and minimize the impact of a cyberattack and do so on a very small budget, Capello said. But few people realize this.
The institute and its Center for Business Preparedness hope to change that.
“One of the things we wanted to share is that we want small businesses to know we’re a resource for them,” Capello said. “We’re looking for what kind of training they need, and we’re going to set it up and provide it for them.”
Some of the basic steps every business should take include requiring:
- Complex passwords, eight to 20 characters with upper- and lower-case letters and special characters.
- Changing passwords every 90 days.
- Limiting access to sensitive information and implementing an authentication system. Lower-level employees don’t need the same access as the owner or administrator.
Cyberattacks are becoming more and more common. For businesses, it’s not a matter of if but when.
The National Cyber Security Alliance says 1 in 5 small businesses will be hit by cyber-criminals.
According to software and security giant Symantec, the mining (which includes the oil and gas industry), government and manufacturing sectors are even more likely to be hit. Their odds of being attacked are 1 in 2.7, 1 in 3.1 and 1 in 3.2 respectively.
A study by PwC, formerly known as PricewaterhouseCoopers, found that 7 percent of U.S. companies lost $1 million or more as a result of cyberattack, and 19 percent lost between $50,000 and $1 million.
In 2013, there were 614 publicly disclosed data breaches affecting 92 million records, according to the Identity Theft Resource Center. So far in 2014, there have been 480 breaches affecting 17.5 million records.
IBM and the Ponemon Institute’s 2014 Cost of Data Breach Study found the total average cost for 61 participating U.S. companies was $5.9 million. Those costs included detection, notifying customers, post-attack activities such as addressing victim, regulator and plaintiff attorneys’ concerns about the breach, and loss of business.
“The potential economic fallout from the cyberthreat cannot be underestimated,” according to a June white paper from the Insurance Information Institute.
The Insurance Information Institute white paper cited most of those reports. The paper also says the number of breaches and records exposed is much higher, since many, if not most, attacks go unreported.
Capello said the No. 1 method of attack involves malware disguised as social media.
“People are just putting entirely too much information on social media, and then when employees use social media at work, they make themselves available to what we call phishing attacks,” Capello said.
A social media user may get something that looks like a legitimate email, such as a job offer through a contact on LinkedIn.com or a networking opportunity with a high-profile executive. The latter is a version of phishing known as “whaling” because the attack targets an officer in a business, such as a president or vice president, who has access to more sensitive information. But the social networking link actually leads to malware.
“When they click on the link, they immediately allow me access to their machine. Once I’m in their machine, I have access to their accounts,” Capello said. “The higher the person is in the organization ... the more personal information I’m going to be able to get my hands on.”
The Stephenson Disaster Management Institute was founded in 2007. The institute focused on emergency management, helping businesses apply the lessons and practices learned from hurricanes Katrina and Rita in 2005, as well as other natural disasters. More recently the institute has moved into the unnatural disaster arena, an underdeveloped area, through its cybersecurity initiative.
Capello said once a company loses sensitive information, it can never get it back.
Instead a company’s clients have to change their information and deal with the potential identity theft, Capello said. The company that lost control of the data also loses its credibility, customers and even the entire business.
The Stephenson Disaster Management Institute and Center for Business Preparedness are working to educate companies about “information assurance,” a term that includes understanding the risks of cyberattacks, as well as the best practices and procedures for communicating using technology and backing up data. For example, one best practice is encrypting information when sending it from one point to another.
The center is also working with employers to emphasize educating workers about the importance of cybersecurity.
“You don’t have to spend a penny to educate your employees,” Capello said.
But it does take a little time.
Educating employees can be as simple as making sure they know not to open an email unless they know the person who sent it.
It’s also important to explain to people the reason or reasons for a rule, Capello said. In today’s society, it’s not enough just to say social media is not allowed at the company or on its devices.
People want to know why, and employers owe it to their workers to be honest, Capello said, because the workers are just as vulnerable to cyberattacks at home.
If the employee is doing work at home on a company laptop or it’s a “bring-your-own device” situation, the employer has to be aware of what that worker might be bringing back to the office.
“I’d like to tell everyone out there, before you go investing in cybersecurity and all these appliances and everything, don’t do it,” Capello said.
The first step is to do a risk analysis. Determine the risks. Figure out if that’s phishing or a targeted attack, one aimed at a specific user or company.
Once the risk assessment is done, a business can determine what sort of protective steps to take.
Capello said the center is in the early stages of its outreach to the business community and is still trying to figure out what it needs to do to help area businesses succeed.
One thing the Center for Business Preparedness is doing is helping companies come up with business-continuity plans so if they do experience a disaster, they can recover quickly, Capello said. The center wants to help businesses become resilient. The idea is to have a game plan if a hurricane hits, the power goes out or something else unexpected happens.
The center’s resources are limited so any programs for businesses will take place if the center knows there is a need and businesses want the program, Capello said.
“We’re not ‘Field of Dreams.’ We don’t want to build it and they come ... If (businesses) see a need for it, yes, we want to build a program for them. We want to educate them. We do provide that training opportunity for them,” Capello said. “It would be nice to be able to offer it to them for free but we can’t. If I bring cyberexperts in here, I have to pay them.”
On the plus side, the center has a great bench of cyber-expertise on which to draw, Capello said. The center hopes to lower the cost for training programs by partnering with corporations and individuals interested in the different areas of technical training.
Follow Ted Griggs on Twitter @tedgriggsbr.