My name is Jon Jaroska, and I would like to give you an update on one of the top threats to ongoing viability of your business.
If you ask most small business owners what keeps them up at night, it’s often going to be risks that threaten to interrupt their business operations. Things like losing a good employee, an unexpected financial burden, or maybe a lawsuit. But an increasing number of small and medium businesses are learning that a successful attack on their computers, software, and/or data can be devastating. So we’ll look at what’s happening that makes security so critical for companies like yours. So let’s get started.
So today we’re seeing disturbing trends that are driving the risk of a successful attack higher than it’s ever been before for businesses like yours. Online criminals have been learning how to circumvent basic security measures. And it’s pretty scary. In a nutshell, they’ve rapidly become a lot more sophisticated. Plus, there are increasing numbers of cyber criminals these days. And now they’ve started targeting businesses like your small ones. Why? Because they know that big companies have invested millions in security measures, and chances are pretty good that the smaller businesses are not going to be nearly as well-protected. That makes a small business a much easier target. And believe it or not, your business’s data is just as valuable to those criminals. At the same time, security is growing increasingly complex, with layers of protection required to withstand rapidly evolving types of attacks. There’s far more to protect than in the past. There’s more data, more apps in the cloud using your phone, more mobile apps, and they all need protection because the threats change so quickly.
So here are just a few recent examples of some smaller businesses hit by attacks. So information from about 7,000 patients was exposed when an unauthorized person gained access to this Colorado Healthcare. Several days after computer systems were paralyzed by a ransomware attack, a small Florida company worked with the FBI and an outside consultant to restore phone lines, email, and online utility payments. But in the end, the city leaders called an emergency meeting, and they approved paying the hackers almost half a million bucks. The cyber thieves on this one ran a hundred thousand stolen card numbers through the payment system of Innovative Higher Ed Consulting. It was a two-person startup in New York. The startup’s payment processor, Bank of America, sent a $27,000 bill to them for reversing all of the credit card charges, and they had nothing to do with it. They closed five months later.
So we mentioned security already, but let me take time to make sure we’re all on the same page. So cybersecurity is the combination of technology, people, and processes, three-pronged, to protect your digital assets such as credentials to your bank accounts or your computer. So it’s vastly different from the basic IT security services of the past, like antivirus and email encryption. And that’s because the cyber threat landscape today demands a whole new level of security, controls, and capabilities. So while managed IT services can include security such as antivirus and firewall and email, that’s only a fraction of what you need to put in place.
So what bad actors want your data? So you may be thinking, “Well, what use would they have for my data?” Well, okay. So the ability to pay your employees. Access your bank accounts and drain them. You could be… The financial institutions and banking, credentials, transfers, and withdrawals from your account. You could… Maybe the physical equipment. Someone could walk in the front door and steal a printer, a laptop, very expensive computer equipment, or your payment and POS systems. They could steal your credit card data and sell that on the dark web. And then, of course, you get your project and customer data that they can sell.
So unlike a decade ago, when a software virus meant that one employee was impacted and potentially unable to use their computer for a while, today’s attacks are far more insidious. They’re long-lasting and they’re very destructive. They come with financial, operational, and reputational repercussions, not to mention the potential for non-compliance penalties for companies in regulated industries like healthcare or financial services. The result is that nearly a third of small to medium-sized businesses believe that a successful attack could lead to business losses, with almost half of those businesses believing that they would potentially close their doors permanently in the event of an attack.
And while the cost of recovery, lost customer trust and business, work stoppage and more vary from client to client, the average amount of damages continues to escalate dramatically each year. So I’m just going to roll through these here. Almost one and a half million in damages in 2017. Right?
So we need to redefine our approach to security. It isn’t a problem to solve. It’s a risk to be managed, and it’s ongoing. It’s not a one-time deal. Just like you’d manage other risks in your business, like losing your employees and financial struggles, and maybe even a flood, lightning, or a fire. Security is a risk that needs to be part of your ongoing business strategy. And it’s my job to support you in understanding where your risks are and how to manage them.
Okay. So there are three ways to treat it. You can just accept it and take no action and roll the dice. And you might do this if the risk is deemed very low, or it’s not likely to cause serious damage to your business. You can transfer it to another entity. There are plenty of companies out there that take on that risk for you. Or you can remediate it by putting measures into place to reduce or eliminate it. And this is where I come in. This is appropriate when the risks cannot be accepted, avoided, or transferred.
So as a small business, how can you start protecting your assets? First, you need to understand which risks your business faces, which assets you need to protect most in your business, and what your risk exposure is. We can help you identify the greatest areas of risk for a security data breach. Keep in mind that the most critical risks are not only within your IT organization, but in your processes, policies, and procedures that can leave you open to phishing and social engineering attacks. Just the other day, someone I know personally, close to the family, had their Facebook hacked. Here you have it. Sent out millions of friend requests. My dad sent something the other day in the email, too. Right?
So how do we do this? There’s a proven approach to protecting your business: the NIST cybersecurity framework. It’s a US government agency whose metrics and framework support the smallest of technologies to the very largest and most complex. It’s very robust and it has a specific set of controls designed to help small businesses assess their strengths and vulnerabilities, and improve their security posture. It also helps ensure consistency by giving everyone a common language and measurement. Right?
So we follow a five-step framework. We identify your company assets. We protect those assets. We detect anomalies and events. We respond with a plan to mitigate the damage. And we recover your systems and data and make improvements. You can read through this. These are kind of some stats. The problem is that many small businesses haven’t been able to follow this framework, or they haven’t allocated the resources or made it a business priority to address security. This is the problem. These stats show that many small businesses are behind the curve when it comes to being prepared.
So we can’t afford to find out after a breach where you’re vulnerable. That’s why we recommend performing a cybersecurity risk assessment of your business. It measures your operations against the NIST cybersecurity framework and tells you how well prepared you are for a cyber attack. Here’s how it works. We interview you with questions across all of your policies, procedures, and infrastructure based on the framework. We aggregate the findings into an easy-to-understand report to show the top risks and impacts. We discuss the top risks and which ones are most important to your business, and then we develop a plan of action that fits your timeline and budget. The entire process only takes about an hour to complete, and it’s very affordable.
Because security risk management is an ongoing process, we reassess your risk in six months to see the impact of the work that we’ve done and what new risks may have arisen. From this assessment, you’ll get an action plan for protecting your business. The plan helps you understand the problem or risk, the severity of the risk, the solution, and there’s always a cost to take action. We have the right expertise, experience, industry knowledge, technology and services to help you get from where you are now, with potentially too much risk, to a place of stronger security with an acceptable level of risk.
Okay. So, next steps. We hope that this helps shed some light on the state of cyber threats for businesses like yours and what you can do to protect your business. From here, let’s discuss our next steps. You need to spread the word to everyone you know and schedule a call for yourself today. Here’s the link, and I hope you take action today. Thank you.
All right. Thanks Jon. Anybody have any questions for Jon? Kevin?
Jonathan, what is the… What’s the worst mistake a small business can make? Clearly we got to talk to you, but what’s one thing that you see a lot?
I would say the very first thing is to have an email… A Microsoft Office email license. Without Microsoft… So, you’ve got your Gmail, your Bing, your Yahoo, your… Whatever. You’re self-hosted. That’s probably the number one mistake. You go from a level of… On a scale of a hundred, not having one or hosting your own is 0.3 on the security scale. Going to a Microsoft email account with your basic Microsoft subscription, you go to like a 60 on the scale. So it’s 0.3 to 60. That’s the number one mistake, I think.