Cybersecurity for Small Businesses

July 3, 2024

If you are a business owner in Massachusetts and cybersecurity has not been front of mind, or you have not taken steps to protect your business, customer and employee data, this article is for you. Why? Because, since 2010, you have been REQUIRED by Massachusetts law to have measures in place to protect customer and employee data!

Do I have your attention now?

Cyberattacks are evolving, are you?

Let us step back for a moment and consider what a cyberattack looks like. Consider the following real-life scenarios:

Scenario 1:

You run an auto repair shop. Your customers will wait and pick up their cars for smaller routine jobs such as oil changes, tire rotations, state inspections, etc. As a customer perk, you offer free wi-fi so that your customers can catch up on work while they wait. If the free wi-fi you offer is not a separate guest network, any customer could potentially access your business devices that are on the same network. They could install malware or they could steal your customer and/or employee data and you may be none the wiser that the data was exfiltrated.

Scenario 2:

You run an accounting and tax prep company with about 10 employees. Your customers are individuals and small businesses that have done business with you for years. You know them by name, you know them by face. It is tax time. Late one afternoon, around 5:30pm when everyone is getting ready to head out, one of your longtime customers calls and tells you that they have changed banks and they need to give you the new bank details where tax refunds need to be deposited. It sounds like your customer, talks like your customer and you believe it is your customer on the phone, except it is not. It is a scammer using artificial intelligence (AI) tools to clone your customer’s voice.

Scenario 3:

You run an Etsy shop from your home. One morning, when you log in to your computer, you find a message telling you that your computer is locked and cannot be unlocked unless you pay a ransom in bitcoin to a specific bitcoin wallet. You are unable to process orders, unable to ship products, nothing – your business has come to a full standstill! You are left wondering what has happened and how it could have possibly happened, with no way of even investigating. You are a victim of ransomware!

Scenario 4:

You are a florist. It is end of month and about the time when you receive invoices from your vendors. You open your email and see an invoice from your vendor and you open the email. It looks like it came from your vendor. Same logo, same style, everything. Nothing looks suspicious. You click on the ‘Pay now’ link and are taken to a page which has your vendor logo. You enter your credit card number to pay and see a ‘thank you for your payment’ screen. You shut down your laptop. You are now blissfully unaware that you were a victim of a targeted phishing attack until you get the actual invoice from the real vendor!

It does not matter if you are a small business with 100 employees or just a one-person shop. Cybercriminals do not care. In this age of cheap computing resources and easily available data about each of us and our businesses, launching highly targeted, large-scale cyberattacks has become orders of magnitude easier and cheaper. The numbers speak for themselves:

  • Small businesses accounted for 58% of cyberattacks in 2020 and the number of breaches on small businesses grew by 150% between 2020 and 2022.
  • Small businesses spend between $853 and $653,587 on cybersecurity incidents (Source: Verizon 2021 SMB Data Breach Statistics)
  • In 2021, the average time to identify a data breach was 212 days (Source: IBM)
  • 60% of small businesses that were a victim of a cyberattack went out of business in less than a year.
  • 59% of small business owners believe they are too small to be targeted!
  • Nearly 74% of data breaches involve a human element.
  • 87% of small businesses collect or process customer or employee data
  • Only 21% of small businesses have security plans and 30% have no plans at all

In summary, from a criminal’s perspective, attacking a small business is lucrative, it is easy, there is less chance of discovery and it is low cost since most are undefended!

Developing a cyber defense mindset

Let us be clear about one thing right up front when we talk about cyber defense. There is no such thing as an ironclad defense. It is a risk reduction game. Anyone can drive a truck right through your front door, but you DO lock your doors religiously every day, don’t you? Pause for a moment to think why you do that – the answer is simple: to reduce the number and kinds of attacks that your home can be exposed to. The same applies to using various tools and methods of cyber defense in your company. Your primary objective is one thing and one thing only:

Increase the cost of attack and cost of data exfiltration for the criminals.

In other words, do not be the easiest target to attack and do everything possible to be the most expensive target to attack. Remember, it takes intent, tools, time and skills to launch a cyberattack. The more you can increase the time it takes to attack you and the sophistication of the tools and skills it takes to attack you, the better your cyber defense.

With that said, as a Massachusetts business owner, there are two things you need to consider in your cyber defense strategy:

  1. Comply with Massachusetts law (201 CMR 17)
  2. Make it harder for a criminal to attack your business

201 CMR 17 was passed in 2010 and applies to every business or individual that may have customer or employee data in either physical or digital form, i.e. the size of the business DOES NOT MATTER. The good news is that the government has not been very energetic about auditing businesses for compliance. The bad news is that if a business does have a breach and is found to be non-compliant, there could be heftier repercussions. As much as this sounds restrictive, this law is a good thing. The government realized that the requirements of this law may be beyond the technical and financial means of many businesses and put together an easy-to-understand compliance checklist. The key requirement is the protection of data, which involves ensuring physical protection measures (for data that is in physical form such as paper) or encryption for data that is in digital form. The law also requires companies to consider defensive methods to prevent access to the data in the first place.

When it comes to defending against cyberattacks, it takes three things: tools, people and process. But first, it is critical to gain a clear understanding of what your crown jewels are, the things that need to be defended. Some examples include:

  • Employee social security numbers, phone numbers, addresses, emails, etc
  • Customer details such as name, credit card numbers, bank account numbers, Venmo IDs, email addresses, health records, legal records, etc.
  • Any intellectual property that your company may possess that may or may not be yours

Once you have a good understanding of your crown jewels, you have three basic steps:

  1. Encrypt and store securely as much of that data as possible so that even if someone breaches your defenses and gets to the data, it is nothing more than gobbledygook
  2. Think about your office (or home office) network as your fortress and set up defenses such as firewalls but also provide access to relevant information only to those people in your company that need them. Also, get a clear understanding of your full computing infrastructure. Remember, that television in the doctor’s office waiting room is a computer too, so is the video conferencing system and so are the lightbulbs, smart speakers, etc in your home (if you are in a home office). And so are all the apps and websites you use on a daily basis or may be present on your devices (sometimes by default!). Here are some handy resources including a handy checklist:
    1. Cybersecurity tips for small businesses
    2. The GCA cybersecurity toolkit for small businesses
  3. Develop good cyber hygiene not just for yourself but for all of your employees. The best part about this step is that you can go a long way for free! In this day and age, there are tons of online resources and videos on sites such as YouTube on this topic. I talked about this very topic on a previous blog I wrote on MBN.

Conclusion

The number of free attack tools that are available to criminals from password crackers to network scanners to open source malware continues to grow. Adding to that is that computing power is now cheap due to cloud based services. And now, we have entered the age of Artificial Intelligence (AI) where even low skilled criminals can create high sophistication attack tools. A criminal may choose to attack your business in order to get to your customer. That customer could be a child, a member of our armed forces, a person with a debilitating health condition. Cybersecurity is not optional nor can it be an afterthought any more. Yes, there is some leg work involved and definitely some cost but the alternative could be losing your business in less than a blink of an eye.

This is a contributed piece published by Vikram Venkatasubramanian, founder and CEO of Nandi Security, Inc, the makers of Kavalan, an Intelligent Digital Safety product that protects homes and small businesses from cyber threats and privacy violations across unlimited devices. Vikram has over 25 years of experience in the technology industry including 15 years in the cybersecurity industry. Vikram has a Masters degree in Mathematics from IIT, Chennai, a Masters degree in Computer Science from the University of Missouri-Columbia and an MBA from Cornell University. When not busy defending homes and small businesses from cyberthreats, Vikram is an avid cricket and soccer fan.
