Here are some questions for your business to consider as 2018 dawns:
- Do you have a database of healthcare information?
- Do you process credit card transactions?
- Are you in the payroll or money transfer business?
- Are you doing research that foreign governments would be interested in?
- Are you in a business that a “hacktivist” group or nation-state may find objectionable?
If you can answer yes to any of the above questions, congratulations, you are in the highest-risk group. The remaining companies fall into three large groups: those that have
- A significant regulatory environment to operate within (healthcare, banking, insurance, etc.)
- Data that others could monetize (trade secrets, credit card numbers, personally identifiable information (PII), data on publicly traded companies that has not yet been made public, etc.)
- Data that is important and necessary for the company to operate
How Ransomware Changed the Cybersecurity Game in 2017
Before the proliferation of ransomware, the third category (comprising all companies that do not fall into the first two categories) would not have been included. The problem is that 2017 proved that cybercriminals have figured out an important new angle for their business model: companies that don’t have information that is valuable on the black market still have information that’s valuable to the company itself.
The bad guys are finding a way into a company, encrypting as much data as possible, and then extorting money from you to get your own data back. On Dec. 18, the U.S. government publicly attributed last May’s massive WannaCry ransomware outbreak to the North Korean government, so the definition of “bad guys” using ransomware now includes nation-state level attackers. This is not good news for those of us in small and medium-sized businesses (SMBs).
Prepare Your Business for Cyberattacks in 2018
The cybersecurity needle will move toward the SMB sector in 2018 and toward those that do business in countries that other countries find undesirable. From hospitals that need their enterprise resource planning (ERP) system to treat patients, to accounting firms needing tax engine software to process their clients’ tax returns, every company wants to prevent business disruptions. Ransomware attacks are designed to disrupt your company’s ability to function until you pay up.
Furthermore, the Petya virus outbreak last June was launched through a hack of one of the major tax payment engines used by Ukraine. Simply put, another government (likely the Russians) wanted to make companies think twice before doing business with Ukraine, and they succeeded. Just ask DLA Piper, Merck and Maersk.
This raises the question, “How can I assess my cybersecurity risk?” The truth is that you can’t, at least not precisely. This is similar to assessing your risk of contracting a certain disease or of having a tornado damage your home. These events happen infrequently, so it’s impossible to say that a given company will experience a cybersecurity incident causing X dollars in total damage every Y years. A better way to prepare for a cyberattack is to take the following steps:
- Accept that your company is a target of cybercriminals who hope to profit from your success.
- Assess your relative risk. The areas to take into account include company size, your industry, the number of countries you do business in (especially those known to support government-sponsored hacking) and the strength of your cybersecurity defenses.
- Assess your own risk tolerance, the potential damage a hacker could inflict on your company, and the cybersecurity countermeasures you have already employed. If you employ strong countermeasures, your risk will be far lower than that of many of your competitors, even if putting an actual number on it is challenging.
One of the best ways to quantify your cybersecurity risk is to price out a cybersecurity insurance policy. For example, if your building’s fire insurance policy costs $10,000 per year for $1 million in coverage, the insurance company expects you to have a large claim on that policy less than once every 100 years; otherwise it would lose money selling you the policy. If the same coverage costs $250,000, your risk of having a fire is much higher than that.
The cost of a cybersecurity insurance policy will help you determine the relative risk of a cyber incident in comparison to another type of business incident, such as a building issue (fire/flood), an operational issue (the loss of a key executive in your company) or a liability issue of some sort.
The new year is likely to bring a wave of nation-state level attacks that will hit businesses that have ties to the country being targeted. It isn’t fair, it isn’t right, but it’s reality.
Businesses that aren’t keeping their systems patched with the latest security updates from their software and hardware vendors will also fall victim to these criminals. Cyberwarfare is becoming our war as businesspeople; it isn’t government against government anymore.
Thankfully, the vast majority of cybercriminals can be stopped. They are looking for easy targets. All companies are susceptible, but with the right cybersecurity defenses, such as multifactor authentication, a strong anti-virus package and a solid data backup routine, cybercriminals will deem your company too much effort to hack. This is your opportunity to make cybersecurity a competitive advantage for your company.