Cyber-security breaches are frequent, frustrating, and growing larger with each new headline. The worst data breach in healthcare history was the Anthem breach of February 2015. More than 78.8 million records were stolen by a foreign government that does not have strong diplomatic relations with the United States. Those records included the names, birth dates, Social Security numbers, and home addresses of all individuals who ever did business with Anthem — or even applied for a policy. The more recent Equifax breach has dwarfed that number, with 145.5 million people impacted.
Some companies know they are in the crosshairs of the best cyber criminals in the world.
• Do you have a database of HIPAA data that would be valuable on the black market?
• Do you process over 1 million credit card transactions per year?
• Are you in the payroll or money-transfer business?
• Are you developing a technology that foreign governments would be interested in?
• Are you in a business that a hacktivist group or nation-state may find ethically questionable?
It’s highly unlikely that a car-care business owner could answer yes to any of the above questions. If you can, however, congratulations, you are in the highest-risk group. Most companies are not in the highest-risk category. They fall into three large groups, including those that have:
• A significant regulatory environment to operate within (healthcare, banking, insurance, etc.)
• Data that others could monetize (trade secrets, credit card numbers, personally identifiable information (PII), data on publicly traded companies that have not yet been made public, etc.)
• Data that is important and necessary for the company to operate
Before the proliferation of ransomware, the third category would not have been included. Many in the cyber-security field used to lambast salespeople selling cyber-security tools who said, “Everyone is a target.” The problem is that cyber criminals have figured out an important new angle to their business model: companies that don’t have information that is valuable on the black market still have information that’s valuable to the company itself. The bad guys are finding a way into your company, encrypting as much data as possible, and then extorting money from you to get your own data back.
In today’s world, everyone is a target. From hospitals that need their enterprise resource planning (ERP) system to treat patients, to accounting firms needing tax engine software to process their clients’ tax returns, every company wants to prevent business disruptions. Ransomware attacks are designed to disrupt your company’s ability to do business until you pay up.
That raises a common question: “How can I assess my actual cyber-security risk?” The truth is that you can’t. This is similar to assessing your risk of contracting a certain disease or of having a tornado damage your home. These things happen infrequently, and, as such, it’s impossible to say that a given company will experience a cyber-security incident of X dollars in total damage every Y years. A better plan of attack is the following:
1) Accept that your company is a target of cyber criminals who hope to profit from your success, either by stealing your valuable information, or by encrypting your valuable information and ransoming it back to you.
2) Assess your relative risk. The areas to take into account include company size, your industry, and the strength of your cyber-security defenses.
3) Assess your own risk tolerance, assess the potential damage to your company that a hacker could inflict, and assess what cyber-security countermeasures you currently have employed. If you employ strong countermeasures, your risk will be far lower than that of many of your competitors, even if putting an actual number on it is challenging.
QUANTIFY YOUR RISK
One of the best ways to quantify your cyber-security risk is to get quotes for cyber-security insurance. For example, if your building’s fire insurance policy costs $10,000 per year for $1 million in coverage, then the insurance company thinks you will have a large claim on that policy less than once every 100 years. Otherwise they would lose money selling you the policy. In fact, they are probably guessing that you will have a large fire once every 500 years so that they make a good profit on the policy. If it costs $250,000 for the same coverage, your risk of having a fire is much higher than that. The cost of a cyber-security insurance policy will help you determine the relative risk of a cyber incident in comparison to another type of business incident, such as a building issue (fire/flood), an operational issue (the loss of a key executive in your company), or a liability issue of some sort.
It’s imperative to realize that regardless of size, reach, and financial level, your company is a target for cyber crime. All that really matters is whether a criminal feels there is a good return to be had on their investment of time and money. If your defenses are poor, then their effort level is low. If you have strong defenses, then the return must be high for the adversary to expend significant effort to breach your systems. Many attacks are non-specific: they scan for a particular vulnerability across many companies and report back any successes. If you are found to be vulnerable, you will probably be attacked. Criminals will try to monetize their efforts in many ways. Your data is valuable to you, and they can monetize that fact via ransomware.
Thankfully, ransomware and the cyber criminals who use it can be stopped. They are looking for easy targets. All companies are susceptible, but with the right cyber-security defenses, such as multi-factor authentication, a strong antivirus package, and a solid data backup routine, cyber criminals will deem your company too much of an effort to hack. This is your opportunity to make cyber security a competitive advantage for your company.
Bryce Austin is the CEO of TCE Strategy, an internationally recognized speaker on emerging technology and cyber-security issues, and author of Secure Enough? 20 Questions on Cybersecurity for Business Owners and Executives. With over 10 years of experience as a chief information officer and chief information security officer, he actively advises companies across a wide variety of industries on effective methods to mitigate cyber threats. For more information on Bryce Austin, please visit www.BryceAustin.com.