SMB Security Simplified
- If attackers use you to attack others, there may be repercussions to your business brand, reputation and partner trust relationships.
- Many SMBs are not prepared for legal repercussions if a partner or customers are harmed.
- SMBs are not prepared for breach response in general.
- Cyber insurance is a financial risk transference, but not a substitute investment in real cyber security protection.
SMBs following this series should now be aware that there is a pretty good chance they could be a victim of a cyber crime. The numbers clearly back this statement, despite the problems with detection and under-reporting touched on previously. Last post in this series also noted that sometimes a breach is obvious, in which you and your business may be in trouble, or not-so-obvious, in which someone else may be in trouble. That is, attackers may be going through you to reach others. They can do so by recruiting your systems for bot-nets, using your credentials for third parties, and injecting your Web site with malware to infect visitors. Thus, we will all have a responsibility to protect more than just within the boundaries of our own networks. This an issues filed under transitive trust, which I discussed here.
Harm to Business Trust and Relationships
SMBs should become aware that the fallout of incidents could have ramifications for their business survival. The article, “Why Hackers Love To Hit Small Businesses — And How To Stop Them” explains how there can be a number of consequences from a single attack. Sean Miller says in it,
“When a small company’s lax security hurts a partner, the consequences can be catastrophic.”
“You’re talking about relationships and trust. If partners believe their data is insecure, it’s going to impact their willingness to do business with you.”
They say in business that it can take years to build a reputation to build up, and it can disappear quickly. Another article, “Phishing Scams Erode Trust and Compromise Brand” illustrates this point well with the case of Bill Ho, a CEO of a security company who was phished by an email from a business associate. He explains,
“That made me think about the relationship with that company,” Ho said.
“Unfortunately, Ho said, “When I think about them or talk to them, there is this thought in the back of my mind about if I work with them, how careful are they going to be with my data?”
“”First they need to realize they may never regain that trust; however, like any crisis situation, communication is important,” Ho said.
“Phishing,” said Ho, “affects more than just your hardware. It can erode trust in clients, vendors, coworkers, partners, and more. Which means a loss in clients, a loss in revenue, and a loss of confidence in said employee from an internal perspective.”
Hi-jacking Your Business or Personal Reputation
What if somebody poses as you and hi-jacks your identity and good reputation to attack associates? The post “How a Small Law Firm was Used for an Extensive Cyberattack” by a lawyer who cautions legal firms to be more diligent about cyber security risk, writes about an account that,
“… describes exactly how attackers compromised the law firm email system of rural Texas solo practitioner James Shelton and used its email system to carry out an international phishing campaign.”
This can be especially damaging to a professional shop, where brand and reputation go hand-in-hand. Shawn Tuma says in his post, that although he warns legal firms about the risk of hackers accessing their business email, he didn’t envision social engineering such as this hi-jacking someone’s professional reputation and identity to attack others. We know Shelton is a victim, but for how long will people see a question mark in their minds when they see an email from him?
The first article at the top also tells us,
“Hacks could also result in costly litigation. Although companies can buy cyber security insurance, many small businesses don’t carry it. For those that do, the policy might not cover the business partner, said Tony Fenton, associate vice president of commercial lines, middle market and field underwriting at Nationwide Insurance.”
“If a claim was submitted citing damages to a partner or customer, forensic IT professionals would first need to find out exactly what happened. Then the insurance company would determine how much of the incident it was required to cover, Fenton said.”
“A small business could be overwhelmed by the legal and financial responsibilities of a hack, Burg said, a risk that increases substantially in the event of a second breach. The train wreck that is the company’s reputation only makes matters worse.”
“Long-term consequences could be diminished value and cash flow,” he said.
Inadequate Breach Response in General
There are legal requirements for the way an organization handles a breach. The article, “Most breaches at surveyed U.S. organizations small and undetected: report” concurs that detection is a problem and points out that an Advisen Ltd. report notes many organizations are improving at taking key steps to prevent and detect data breaches, but,
“… many are not prepared for or lack the resources to manage data breach response, including the legal and regulatory requirements,”
Even when breaches are detected, “most organizations lack the internal resources to handle breach response, putting them at greater risk for costly fines and lawsuits, reputation harm and customer identity theft”
Still a Whole lot of Denial Goin’ on!
The article “SMEs need to up their security game or risk becoming a target” informs that despite some growing awareness,
“The crux here, however, is that although SMEs are mature enough to recognise these security challenges, they may not be ready yet to invest in addressing them…”
The problem of cyber security compounds with every new platform, but SMBs may be overwhelmed and under-resourced with just the basics, as first discussed here.
In his post “But, We Only Sell ______ : Understanding Security Risk via Red Teaming“, Ean Meyer says,
“This is a very common problem. Organizational leaders find themselves strategizing major movements and opportunities to grow their business, while hypothetical “what-if” doomsday scenarios are looked at as edge cases.“
Doing just the minimum set out by compliance is probably now insufficient and the problem with “good enough” security is that what was good enough a year ago, may no longer be good enough today, let alone tomorrow. Attackers have upped the ante; attacks are getting more malicious than ever. Ransomware is an obvious example. The game has changed and realistic and honest assessment of risk is required. If you are like me and weigh the potential consequences of the worst possible scenarios by asking “What ifs?”, then also take into consideration how cyber risks have tended to be underestimated. This is a problem facing everyone, not just resource strapped SMBs, and a mindshift is necessary. Why not before an incident takes place?
Can cyber insurance help?
It may help buffer a company for financial risk and help overall ability to survive, but maybe only for the most damaging cases. From the Advisen report again,
“While cyber liability insurance has proven effective in covering many cyber-related losses, the majority of small breaches often fall below cyber insurance policy deductibles that trigger coverage, leaving organizations to manage and pay for all breach response”
The cyber insurance industry is itself an extremely immature industry, currently struggling to determine cyber risks and accordingly, premiums and deductibles. It’s critical to remember that cyber insurance itself is a financial risk transference only, and not a substitute for actual cyber defences. In other words, it may help ease the pain the first time, but for repeat incidents, you might expect increased premiums and deductables, or find your self deemed a higher risk client. Thankfully, cyber insurers are requiring clients to improve cyber defences in order to be approved for coverage.
Short-term AND long-term pain
As this post illustrates, the pain resulting from a cyber attack can have lasting repercussions to your business reputation, trust relationships and overall success, should you survive the acute term hit. The best way to avoid all the hassle is to invest in cyber security protective measures as soon as possible. If you haven’t checked out the bundled protections against all major cyber security threats delivered by TUX AI yet, designed to help SMBs, you can take the quick tour from our start page, here.
< ——– Cyber security isn’t just about your data
SMBs, you do have data assets to protect! ——– >