Date: 2022-02-04
Businesses are more vulnerable than ever to cyber attacks, and even small businesses are more exposed than they may think.
That’s why it’s crucial to have a plan in place specifying what you’ll do in the event of a cyber breach, cybersecurity experts say.
“Ransomware is really prevalent and is happening all across the region,” said Rodney Gullatte Jr., certified ethical hacker and CEO of Firma IT Solutions and Services. “You don’t hear about it because it’s not Lowe’s or Home Depot or Forever 21 or Uber or Yahoo. I think since people don’t hear about it enough, they don’t think it’s going to happen to them.”
But hackers with malicious intent are more sophisticated and professional than ever — and have tools that can sweep up businesses like fish in the internet.
Small-business owners need to take the threat seriously, because many businesses fail after a cyber attack, Gullatte said.
Businesses can and should take steps to guard against cybersecurity breaches, and having offsite, cloud-based backups of your data is important. So is two-factor authentication for all your online accounts.
But if you’re on the internet, you’re at risk, said cyber-risk attorney and consultant Doug DePeppe, owner of EOS Edge and OnCall Cyber, a cyber crisis team subscription service.
“The bad guys are developing scanning capabilities,” he said. “They’re just looking for vulnerabilities across the internet. … There’s no prevention unless you unplug from the internet — and even then, there are attacks that have been successful for unplugged systems.”
Scanning botnets are sold as a service, and malware as a service is available on the darknet, he said.
“So [cybercriminals] can both scan for vulnerabilities and have the tool set to exploit them,” DePeppe said.
Planning for a cybersecurity breach begins with a thorough risk assessment, said Shawn P. Murray, president of Murray Security Services and cyber lead for the Pikes Peak Small Business Development Center.
“It starts with your most critical business processes,” Murray said.
Once you identify your critical business processes, you can align them to the assets that allow you to be productive, and formulate a backup plan for those assets, he said, “so if they went down, you’d be able to recover.”
A cybersecurity continuity plan isn’t a document that is written once and then sits on a shelf.
“Performing an assessment once a year is the industry best practice,” Murray said. “You don’t want to be figuring it out once you have a disruption.”
RISK ASSESSMENT IS KEY
In this digital age, 80 percent of most organizations’ business processes, across all industries, rely on technology that includes computers, mobile devices, servers, cloud services, email, printers and point-of-sale systems, Murray said.
Besides technological assets, a business also has information assets that can be classified and aligned to the devices that process, transmit and store them.
When assessing risk, you want to look for interdependencies. “You may have four critical processes that, if disrupted, could affect 1,000 employees,” Murray said.
Cybersecurity planning starts with an inventory of these critical assets, which builds into a business continuity plan and disaster recovery plan, including establishing recovery point objectives (RPO) and recovery time objectives (RTO) for each critical process. The RPO is the maximum downtime you can bear before you will go out of business. Completing a business impact analysis should happen before developing your business continuity or disaster recovery plan.
There are three ways to conduct a risk assessment, Murray said:
1. Interviews with employees and owners. Observe what’s going on; look for poor cyber hygiene, such as employees walking away from a computer and leaving it on, passwords taped to the side of a computer or server, and the like.
2. Review of documentation and of the requirements you must comply with under specific regulations, for example, the Payment Card Industry Data Security Standard, which is governed by the credit card industry; specific federal laws such as HIPAA; state privacy laws, including the Colorado Privacy Act; international privacy laws if you do business outside the United States; and the plans, policies, procedures and risk associated with the way you conduct processes.
3. Technical scans of your network to look for flaws, such as systems that haven’t been hardened or unnecessary open ports, and to make sure your systems are configured securely.
Once you’ve identified vulnerabilities, you can decide on your course of action. Murray said risk can be accepted or avoided by eliminating the issue.
“We have seen organizations transfer or share risk during the pandemic,” he said, for example, through cyber insurance policies that can help cover vulnerabilities the company can’t address itself. However, insurers have raised the due diligence standards, such as patch management, firewalls and training programs, that clients must meet before they’ll pay — and the price of policies has soared.
Other businesses choose to hire a managed security service provider, he said.
After identified risks are mitigated or modified, “some element of risk still resides,” Murray said. Businesses can track their progress on a risk register, and after taking care of the most critical issues, can continue to lower or mitigate risk as they are able to spend more time and money.
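A small worked model of the interdependency and RPO/RTO points above and of the risk register just described, as an added example that is not from the article or any of the firms quoted in it. The inventory is constructed, and it uses the usual definitions, RPO bounding tolerable data loss and RTO bounding tolerable downtime; a shared asset inherits the tightest RPO of every process that depends on it.

```python
from dataclasses import dataclass

@dataclass
class Process:
    name: str
    employees_affected: int   # how many people stop working if it is disrupted
    rto_hours: float          # max tolerable downtime
    rpo_hours: float          # max tolerable window of lost data
    assets: tuple             # names of the technology assets it depends on

@dataclass
class Asset:
    name: str
    backup_interval_hours: float   # how often it is backed up
    restore_time_hours: float      # measured time to rebuild it from backup

# Constructed sample inventory for a small business; not real data.
PROCESSES = [
    Process("point-of-sale", 40, rto_hours=2, rpo_hours=1, assets=("pos-server", "file-server")),
    Process("payroll", 120, rto_hours=24, rpo_hours=8, assets=("file-server", "quickbooks")),
    Process("email", 120, rto_hours=8, rpo_hours=24, assets=("cloud-mail",)),
]
ASSETS = {
    "pos-server": Asset("pos-server", backup_interval_hours=24, restore_time_hours=6),
    "file-server": Asset("file-server", backup_interval_hours=4, restore_time_hours=3),
    "quickbooks": Asset("quickbooks", backup_interval_hours=24, restore_time_hours=2),
    "cloud-mail": Asset("cloud-mail", backup_interval_hours=1, restore_time_hours=1),
}

def required_backup_interval(processes):
    """Interdependency check: each asset must be backed up at least as often
    as the tightest RPO among all processes that rely on it."""
    req = {}
    for p in processes:
        for a in p.assets:
            req[a] = min(req.get(a, float("inf")), p.rpo_hours)
    return req

def gaps(process, assets):
    """Asset-level shortfalls that would break this process's RPO or RTO."""
    found = []
    for name in process.assets:
        a = assets[name]
        if a.backup_interval_hours > process.rpo_hours:
            found.append(f"{name}: backup every {a.backup_interval_hours}h > RPO {process.rpo_hours}h")
        if a.restore_time_hours > process.rto_hours:
            found.append(f"{name}: restore takes {a.restore_time_hours}h > RTO {process.rto_hours}h")
    return found

def risk_register(processes, assets):
    """Register rows ordered by blast radius (employees affected), then by gap count."""
    rows = [{"process": p.name, "employees": p.employees_affected, "gaps": gaps(p, assets)}
            for p in processes]
    return sorted(rows, key=lambda r: (-r["employees"], -len(r["gaps"])))
```

In the sample, the file server serves both payroll and point-of-sale, so its backup cadence is driven by the one-hour point-of-sale RPO, not the eight-hour payroll RPO.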
Risk assessment and continuity planning can be complex and overwhelming, but “you don’t have to figure it out on your own,” Murray said. The Pikes Peak SBDC offers online resources for various industries as well as webinars and consulting for small businesses that want to assess their risk and develop a plan. To get started, visit pikespeaksbdc.org.
EMPLOYEE TRAINING
Employee education is paramount, Gullatte said, because mistakes by employees can open the door to attacks.
He related the story of a client who received a notification when she opened QuickBooks that the company’s file was corrupt. It was a legitimate message, and it referred her to a QuickBooks tool hub she could access to fix the file.
“Instead of clicking the link for that file inside QuickBooks, she went to Google and searched for QuickBooks tool hub,” Gullatte said. She clicked on a listing in the search results that said “QuickBooks tool hub” in big, bold letters.
“That was totally fake,” Gullatte said. “It brought up a very beautiful, convincing QuickBooks branded site that asked for her name, email or phone number. She put in the owner’s name, email and the phone number to the business.”
Someone purporting to be from QuickBooks then called the office and asked her to go to a website that would give them remote access to her computer.
“She did it,” Gullatte said. “These hackers sound real nice — no accent, they sound like me. They’re very articulate.”
They asked for more information, including usernames and passwords that would have given them access to the company’s QuickBooks data. Fortunately, the employee did not have that information, but eventually the hackers demanded $75,000 to restore the company’s files, and she realized something wasn’t right.
“It’s your employees that are the weak spot,” Gullatte said. “You have to constantly keep training them.”
Gullatte listed five steps companies should take immediately in case of a cyber attack:
1. Disconnect all machines.
2. Disconnect the main internet feed.
3. Turn off all computers.
4. Call a cyber attorney, your IT service provider and your insurance company.
5. Seek help from a cybersecurity expert.
After the breach, you will have to notify clients about it by mail and provide them with at least a year’s worth of identity theft protection. Another requirement is to call the Colorado attorney general’s office within 30 days of the breach, Gullatte said.
“I know of companies that don’t do that,” he said. “If people got hurt by your breach, they’re going to come get you.”
Notifying the FBI cyberwatch hotline, 855-292-3937, also should be part of your plan.
“They try to find trends in cyber attacks nationwide,” he said, noting that in connection with the above case, the FBI said QuickBooks attacks were occurring all over the world.
Consulting a cyber law attorney for breach coaching has emerged as an insurance industry best practice, DePeppe said. “Activities performed by cyber law counsel are protected under privilege,” he said. “Otherwise, the investigation that’s conducted … reveals errors and omissions, and if there’s harm and there’s a lawsuit, all that detail is discovered by the plaintiff.”
Through OnCall Cyber, DePeppe recently launched an incident response team — like AAA for the internet — that helps restore the integrity of the breached environment and data and get the system back up. The team is trained in what DePeppe calls the InfoSec triad — confidentiality, integrity and availability.
“The breach coach orchestrates the incident response and works hand in glove with the incident response team,” he said.
“Having both of these components in advance is critical,” he said. “You don’t want to be going through the Yellow Pages when your networks are locked down.”
Attackers move quickly, and you may have as little as 20 minutes to act, he said, “so knowing what to do and having a plan in place is critical.”
Moreover, “a written incident response plan is becoming mandatory under various governance regimes,” DePeppe said. The Federal Trade Commission’s Safeguards Rule, for instance, recently was expanded to include not just financial services firms, but their service providers as well.
Several organizations provide frameworks for incident response plans — for example, the National Institute of Standards and Technology Cybersecurity Framework and the SysAdmin, Audit, Network and Security (SANS) framework.
Both cover basic preparation, including inventory of assets and execution strategies depending on the severity of the breach.
“You want to be able to rehearse it … and update it, and continue to engage in process improvement,” DePeppe said.
It’s an ongoing process because software vendors like Microsoft are constantly coming up with new patches, and attackers are constantly finding new ways to penetrate computer systems.
“There will be small businesses out there that just don’t have the appetite or the budget, but they want to do something,” he said. While there will be some cost, it is possible to reach a reasonable security standard.
“You just don’t want to be the low-hanging fruit,” he said. “If you have multifactor authentication, a firewall, you’re patching, you have a reputable cloud provider, and you watch your practices, and you train your staff, you have raised your cyber hygiene.”
