Cybercrime and Your Small Business
April 2, 2018
Almost 90% of small business owners don’t believe they are at risk of a breach, according to a March 2017 poll by Manta[1]. That is a big problem, especially since 12% of the same respondents said their small business had already experienced a cyber attack. Small businesses are easy targets: cybercriminals know they have fewer resources to devote to security, are short on staff, and operate on small budgets. The effects of a data breach on a small business can be catastrophic.
“Experts say these kinds of attacks can be so damaging to revenue and customer expectations that small businesses are forced to close,” according to the New York Times[2]. Why aren’t more small business owners making breach prevention a priority? Partly because they can’t conceptualize or quantify the cost of a breach to the company’s bottom line or reputation[3]. Perhaps it helps to know that the average cost of a data breach in the U.S. today is $225 per compromised record[4].
If these statistics aren’t enough to convince you that threats to small business are real, consider this: the FBI, the Department of Homeland Security, and the Health and Human Services Office for Civil Rights (HHS OCR) have each put out statements or newsletters in 2018 warning of the repercussions of cyber threats. In this blog, we’ll look at what each of them has to say and then outline the steps you can start implementing to protect your business.
FBI warns small business of cyber threats
In January 2018, the FBI issued a statement entitled “Small Business Information Sharing: Combating Foreign Cyber Threats.” The FBI stated that the number and sophistication of cyber threats pose a huge risk to U.S. businesses, and that “the impact of a successful attack can be devastating to small businesses in particular.”[5] The FBI contends that all sectors are seeing an increase in malicious cyber activity.
Business Email Compromise
The statement warns small businesses of business email compromise (BEC), a scam targeting businesses that work with foreign suppliers or that regularly make wire transfer payments. In a BEC scam, a legitimate business email account is compromised and the cybercriminals use it to request or authorize unauthorized transfers of funds. BEC scams have been reported in all 50 states and have cost U.S. businesses and individuals hundreds of millions of dollars. The single most effective control is procedural: any request to send money or to change payment or banking details must be confirmed out of band, by calling a phone number you already have on file, never by replying to the email or using a number it contains.
Aside from BEC, the FBI warns small businesses about ransomware. Ransomware is malware that encrypts files and documents and blocks access to them until a ransom is paid. It’s a simple and proven model that continues to yield profits for cybercriminals. Ransomware is usually delivered after a user falls for a phishing email and clicks a malicious link; exposed Remote Desktop services are another common entry vector. Cyber thieves typically demand payment in virtual currency such as Bitcoin. They are increasingly using sophisticated tools that allow the malware to spread faster across a network, causing more damage. The FBI warns that hospitals, law firms, and other businesses that need immediate access to their data will remain prime targets. To guard against ransomware, the Bureau encourages regular data backups to drives housed on separate networks. In practice, that means the backup must not be reachable with the credentials of the machines it protects (offline, or on storage the workstations can write to but not overwrite), and you should periodically test that you can actually restore from it. A backup that ransomware can reach is just one more set of files for it to encrypt.
Internet of Things
The statement also covers Internet of Things (IoT) devices: the network of physical devices, vehicles, home appliances and other items embedded with electronics, software, sensors, actuators, and connectivity that lets them connect and exchange data. They provide low-cost, real-time monitoring and automation and are becoming widespread in business, government, and home networks. These devices are often compromised because of lax security standards (default credentials and firmware that is rarely, if ever, updated), and a compromised IoT device increases the impact of an attack on the personal or corporate network it sits on. A practical mitigation is to keep IoT devices on their own network segment, separated from workstations and servers. The FBI Cyber Division regularly coordinates engagement with private sector partners to prevent threats and close intelligence gaps; through public awareness campaigns, conferences, workshops, and briefings, it aims to provide strategic-level information to decision-makers.
Read the FBI’s entire statement here; it also includes links to additional information on cybercrime.
Department of Homeland Security responds to cybercrime threat
The Department of Homeland Security (DHS) issued its own statement on cybercrime. DHS states that it’s “a serious mistake for a small business to assume [cybercrime] only concerns their larger brethren. When small businesses fail to address adequately the risk of a cyber incident, they are at risk of suffering significant financial losses, even bankruptcy.”[6] Cybercriminals’ sophistication and adaptability are increasing; therefore, small businesses must make cybersecurity a top priority and grow their defenses along with the threat. DHS recommends incorporating cybersecurity into the broader corporate culture: invest in training and awareness programs that teach employees that they are a target, and a potential vulnerability, at work and at home.
DHS recommends these low-cost actions small businesses can take to make themselves a less attractive target for cybercriminals:
- Segregate internal and external networks with firewalls
- Remove sensitive information from public-facing portions of the network
- Maintain logs and monitor them regularly (send copies to a separate system, so an attacker who compromises a machine cannot simply delete its logs)
- Create system backups
- Disable unnecessary services
- Most importantly, regularly update and patch software and applications
For DHS’ full stance, read the statement in its entirety here.
HHS OCR offers advice on “Cyber Extortion”
HHS OCR’s January 2018 Newsletter, “Cyber Extortion,” homes in on cybercrime against organizations in the healthcare sector, which are frequent targets of cyber extortion attacks. OCR offers tips on ransomware and also addresses other forms of cyber extortion, including Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks. These attacks direct such a high volume of network traffic at the targeted computers that they cannot respond and appear down or otherwise inaccessible to legitimate users. OCR’s newsletter also covers a third type of cyber extortion: an attacker gains access to an organization’s computer systems, steals sensitive data, and then threatens to publish it. In healthcare that data often includes protected health information (PHI)[7].
OCR recommends the following list of activities that organizations should consider to reduce the chances of being a victim of cyber extortion:
- Implement a risk assessment and risk management program
- Implement a robust inventory and vulnerability identification process to ensure accuracy and thoroughness of the risk assessment
- Train employees to better identify suspicious emails
- Deploy proactive anti-malware solutions
- Patch systems to fix known vulnerabilities that could be exploited by attackers or malicious software
- Harden internal network defenses and limit internal network access
- Implement and test robust contingency and disaster recovery plans
- Encrypt and back up sensitive data
- Implement and review audit logs
- Remain vigilant for new and emerging cyber threats and vulnerabilities
HIPAA Compliance and Cybercrime
You need to act as though an attack on your organization is inevitable. Use the tips outlined in this blog to safeguard your company and strive for HIPAA compliance. How can HIPAA compliance help deter cybercriminals? HIPAA rules exist to protect sensitive patient and employee health information. For example, a risk assessment is one of the first steps an organization must take to become HIPAA compliant. Every aspect of the HIPAA Security Rule safeguards ePHI and, in turn, safeguards much of your other business data as well. HIPAA compliance does not take the place of cybersecurity safeguards, but it does strengthen them. Total HIPAA Compliance has published several blogs on cybersecurity and HIPAA best practices, most recently:
- The Importance of a Risk Assessment
- Protect Yourself from Phishing Scams
- Password Manager Reviews for HIPAA Users
- HIPAA Compliant Cloud Backup Services