In 2016, 50% of all small and mid-sized businesses experienced a cybersecurity breach. Of that 50%, 66% were out of business within six months. To help entrepreneurs address this growing problem, ChooseWhat is launching a new series on cybersecurity and small business.
To launch the series, ChooseWhat writer Annie Hartnett speaks with Mike Fitzpatrick, President and CEO of NCX Group Security, and Distinguished Fellow at the Ponemon Institute, a think tank that conducts independent research on privacy, data protection, and information security policy.
The Bad: Understanding the Problem
Annie: Tell me about your work and why you think this conversation is so important.
Mike: This conversation is important because businesses are getting snippets of what they need to know to protect themselves and their families from the threat—especially CEOs and business owners, whether of Fortune 500 companies or small businesses.
When I first started the business in 2002, I’d conduct seminars with the FBI and I’d ask, “How many of you have actually conducted a security assessment?” And one or two hands would go up in a room of 30 people. Here it is 2017 and I have talked to over 350 CEOs this year and asked that same question and a total of seven hands have gone up. These are substantial operations with between 100 and 800 employees. Why isn’t the message getting through?
The statistics and the research are very clear. In 2016, 50% of all small and mid-sized businesses were breached somehow. We also know that of the 50% breached, 66% are out of business within six months. The average cost of a cybersecurity breach in the U.S. now is 7 million dollars. That’s not even one of the big breaches—that’s 10,000 to 100,000 identities. That’s not an Equifax. The actual black-market value for a credit file, if you use the FBI statistics, is $1200. If you take the 1200 times 143 million, that’s the black-market value of the Equifax breach. They could sell that information for more than $171 billion.
If you’re a micro-, small- or mid-size business, you’re a target because the bad guys know that you don’t have the resources and that you probably haven’t secured your data. They know that they could come and hit you and get away with it because you don’t have anything in place to say whether you’ve been hacked or not! We know from research that 62% of all businesses have no information risk management plan in place.
CEOs ask me: What do I have that anybody would want? They want your resources, they want your intellectual property, they want credit card numbers, databases, etc.
As a guy whose passion is protecting businesses, it’s frustrating when I hear CEOs say that their priority is cybersecurity, but then I see their actions and it doesn’t match.
There’s some level of denial going on then?
Well, it’s kind of like the sixties when everybody smoked. When I started NCX Group, there weren’t cyber security firms. We were one of the first of our kind. And now in 2017, it is undeniable that there are cybersecurity threats. How do you NOT secure your business knowing that there is a breach talked about at least every day?!
The Ugly: Hackers
Are they hacking into the web site or the email or the server? How does this work?
All of the above. I just started a new podcast called Bite Size Security. Its mission is to give a 2-3-minute talk on a specific issue of cybersecurity. So, the one I just did is on physical security. Without physical security, you don’t have data security. You can talk your way into different companies and the technology or whatever defenses they have put up are useless. When I can talk my way into the industrial control room of a water district, for example, did technology help? No.
The Equifax breach was through their web portal where they didn’t patch their Apache Web Services for the last two revisions.
So, it was just a matter of failing to update?
Yes! You go back to the Sony breach in 2014, the “North Korea” breach, what I find fascinating—and I know this because—oh I can’t say why I know it—they used the same vulnerability that a hacktivist group used three years earlier. Sony never fixed it.
Wow! So even a huge corporation like that couldn’t keep their act together in terms of cybersecurity?
Well, you must realize—and this is what businesses struggle with—is that a lot of the technology that we use today was initially designed for brick and mortar buildings. But that’s not how we work today. That changed ten years ago with the iPhone. We’re now mobile. And the technologies that we use now have been stretched and that stretching creates gaps. And the more digital we become, the more difficult it becomes to secure everything.
One of the biggest threats today is phishing that delivers ransomware. In 2016, phishing increased by 260%. Ninety-one percent of all breaches now start with a phishing attack.
Yes. I can put a link in an email and send that to you, and if you click on the link, I’ve got you. We did an experimental phishing attack with a company that we had worked with and that had security in place—we had done their security. Everyone these days is on LinkedIn and it’s easy to see who the CIO, CEO, or CFO of a company is. So, we grabbed the company logo, we put together a signature, we spoofed their domain, we had the CIO’s name and information, and we sent out an email that looked like it was coming from inside. The first email went to a group of 250 and basically said, “We were hacked last night. You need to change your username and password. Use this link. Thanks.” The second email went out to another group of 250 and it said, “We’re testing this app. Would you download it and give us your thoughts?” So, within twelve hours, the first email was opened by 90 people. Eighty people attempted to change their username and password. After the second email, 65 people tried to download the new app—because people love to be helpful.
So interesting! Is the fix as simple as I think it is—just don’t click on links that you get in emails?
Well, it looks like it’s coming from the CIO of your company! And as a hacker, I now have 80 user names and passwords. And I have complete control of 65 different systems. I have my choice of how I’m going to take you apart.
Can you then come in through the back door to their computer?
I don’t need to come in through the back door. I own that computer!
How many people’s computers are owned in this way, and they don’t even know it?
It’s hard to tell. Information sites these days are distributing malware. Botnets [networks of private computers that are infected with malware and controlled as a group] are used to launch other attacks around the world. When he was with the FBI cybercrime unit, a friend of mine brought down the largest bot network in the world—15,000 computers! But that’s just a drop in the bucket.
It’s very sobering to talk to you, Mike.
I don’t mean for it to be! But business owners must understand: This isn’t a game! The threat is only getting larger.
Last year, there was a hospital in Athens, Georgia, that was breached. And they had 200,000 identities exposed. There is a notification requirement, by law, and a credit monitoring requirement. So, the hospital figured out how much it was going to cost to provide that monitoring—about 48 million dollars. And there isn’t any cyber insurance on the planet that’s going to cover that amount of money.
So, the CEO sent out a letter to all affected parties asking them to buy their own credit monitoring because if the hospital did it they would have to close their doors.
It goes back to the question that CEOs ask me: What do I have that anybody would want? They want your resources, they want your intellectual property, they want credit card numbers, databases, etc.
We’re talking about extinction level events for small- and mid-sized businesses. Business owners work too damn hard, put way too many things at risk to lose it all over something they can prevent.
The Good: Security Solutions
What are some simple steps I can take to begin to secure my business from hacking?
Annie, I know you want to simplify it, but it’s a complex issue. Cybersecurity is people, process, and technology. Too many companies are focused just on the technology part, and the reality is there is no technological silver bullet that is going to save you.
First, you have to realize that there is a constant threat and it’s never going away. Your data is going to be important to somebody somewhere. You must realize that the threat is real and you must do something about it. I come from a time in Texas when people didn’t lock their doors and windows. But that’s not the real world that we live in anymore. The hackers today are not kids having fun. Hackers today are state-sponsored actors, state-sponsored terrorists, organized crime—bad people.
As a small business owner, I have NO defense against a state-sponsored hacker or bad guy—do I?
Well, you can do some basic things.
- Train and educate your people as much as possible. They’re your first line of defense. You have to train all your employees about the threats—phishing, malware, etc. I’m doing a podcast today on corporate culture. Again, the greatest vulnerability within companies is people. People love to be helpful, and if you ask them to do something for you, they will likely do it. The only way around that is to train your people to be a little bit more suspicious, to validate.
- Establish an ISSC, that is an Information Security Steering Committee. The reason companies are successful with information security is that they incorporate it into their DNA, their corporate culture, to protect customer data and employee data. I recommend folks establish an ISSC consisting of someone from the executive team, IT, HR, and legal. That group decides what your corporate culture around cyber security is going to be.
- Have a set of policies and procedures that determine your corporate culture around cybersecurity. What’s your appetite for security risk? People have policies and procedures and an employee handbook for holidays, vacation time, and so on. You must have a set of policies and procedures when it comes to information security.
- Do your updates as soon as they become available. Update your operating systems and software. It’s amazing to me how many companies are not doing the basic blocking and tackling, so to speak, from a patch management standpoint.
- Understand that compliance is not security. Smaller businesses must have a cybersecurity program to do business with larger companies now. If you don’t, you won’t get the contract. The federal government, the DOD, they have compliance requirements for all contractors—whether you’re a prime- or sub-contractor. But those companies that focus just on meeting some compliance check box, fifteen years of experience tells me that they will be hit at some time.
- Do an annual security assessment every year—it’s like going to the doctor for a check-up.
I’ll use another healthcare analogy. Information security is not an IT issue. It is people, process, and technology. IT personnel are like general practitioners; they take care of colds, flus—viruses—breaks, fixes. Security, on the other hand, is the cancer oncology. We both go to med school, but you shouldn’t call an IT professional for a security issue because security is an entirely different skill set. We look at the world differently.
So, it sounds like it’s got to be second nature?
It’s got to be the air that you breathe. Security isn’t one thing. It’s a business process or program that has definable, repeatable goals. Typically developing a security program may take 2 to 3 years. It’s a never-ending journey because you have to adapt to the new threats. But you must first have a program in place that makes it easy to adapt. We write new content every week. If you go to my Twitter, there are 8-10 stories a day that we find interesting and think businesses need to know about.
So, someone starting a business should just make cyber security one of the processes that they figure out if they want to grow at all. They should plan for it from the beginning.
Yes, I started doing cybersecurity for Fortune 500 companies, and it was bad. They were so vulnerable, and I thought: If it’s this bad for big companies, how bad must it be for small- and mid-size companies—because they don’t have unlimited budgets! That’s what led me to take a chance, crawl out on a branch, and start NCX to provide world-class services to small- and mid-size companies.
Our clientele is an interesting mix—primarily healthcare, banking, finance, critical infrastructure. But we also have retail clients, real estate clients and clients in all industries. We have one client with only fifteen employees, but they are publicly traded on the New York Stock Exchange. And then we have clients who are Fortune 50 companies—global leaders in everything from logistics to metals and steel. So, it’s a diverse universe!
It sounds like you enjoy your work.
Can you leave me with a closing thought for small business owners?
If you realize that it’s critical to your longevity, you’re going to be successful with security. It goes back to one thing my dad would tell me all the time: “Either have a plan or plan to fail.”
For more on cybersecurity, follow Mike on Twitter @ncxceo
For more on NCX Group, follow them on Twitter and Facebook @ncxgroup
For more guidance on the small business startup process, follow ChooseWhat on Twitter @ChooseWhat and on Facebook @HelpingSmallBusinessesMakeBigChoices
For more on politics, cybersecurity, and lady’s arm wrestling, follow Annie on Twitter @anniehnet