The Daily Transcript recently conducted a cybersecurity roundtable discussion with particular focus on San Diego’s prime demographic, the “small business” — especially with regard to doing business with the government.
Upshot: the whole “weakest link of the chain” analogy applies. In other words, if you’re relatively unsophisticated cybersecurity-wise but you do business with much larger, more target-rich entities (e.g., government), then you are actually a prime target yourself.
Bad guys would rather enter via an unlocked back door than hassle with a triple-secured front door; it’s the path of least resistance and least detection.
The icing on the cake is that most small business owners (85%, per the survey cited below) think they are not at risk. This is not simply ignorance, this is actually denial.
Emphasis in red added by me.
Brian Wood, VP Marketing
Many small businesses do not understand the importance of cybersecurity, and as a result, they are putting larger companies and government agencies at risk.
A group of cybersecurity professionals with public and private sector clients recently met at a roundtable discussion at The Daily Transcript sponsored by Taranet Inc. and Foley & Lardner.
About 85 percent of small business owners believe a data breach is unlikely, and many are not implementing simple security measures to help protect their customer or employee data, according to a 2012 survey by The Hartford Financial Services Group Inc. (NYSE: HIG).
“It takes all of us, whether we are at home or work, to come together to make it a safe environment for everyone,” said Liz Fraumann, executive director at ESET Foundation.
The problem isn’t the technology itself, but rather an information imbalance.
“We are not getting attacked with sophisticated technology,” said Andrew Serwin, partner at Foley & Lardner, explaining the scenario small businesses face. “They are using the box cutters of technology to attack us. They are creating an asymmetric threat by taking our weaknesses and using them against us.”
Small businesses are getting attacked more often because they don’t have the governance to protect themselves.
“They don’t know what they need to do to stop the problem,” Serwin said.
Lon McPhail, president, chief technology officer and founder of Cerver Systems, said the cybersecurity sales pitch needs to change to get more businesses on board. Simply saying a $15,000 investment will prevent hackers doesn’t cut it.
“But if I am spending $15,000 to prevent someone from stealing my intellectual property, I will pay,” McPhail said.
It’s an easier sell to a CEO if they realize cybersecurity will improve their bottom line.
“It’s understanding how to run your business better, whether it’s protecting IP or preventing a cyberthreat,” said Serwin. “Using information in a superior way to make decisions.”
John White, cyber insurance broker at GS Levine, works with CEOs to find out what their cyber issues are and then crafts that into appropriate insurance policies for cyber coverage.
CEOs also need to make sure their employees are trained and educated to combat cyber threats.
“Small businesses are not taking time to educate staff on best practices, of ‘here are some things you should do,’” said Fraumann. “The first line of defense is the person behind the keyboard.”
If an apparent security issue arises, there should be a procedure and policy in place to take action.
“That’s where half of all data breaches come from. Internal employees,” said White.
Having a protected security environment is not just an internal issue, however.
“It’s external as well. When you implement good security practices, you build confidence in your customers with their private information and credit card information,” said Cass Kelly, CEO of Taranet.
For companies with government clients, having a secure network should be a no-brainer.
Defense Secretary Leon Panetta warned Oct. 11 that the United States was facing the possibility of a “cyber-Pearl Harbor.”
“You have to have approved accounting systems and have to be able to show you can protect the government’s information, which you will be custodian of at some point in the execution of the contract,” said Benito Hobson, director of business development at Integrits Corp.
David Dodd, president and founder of pbnetworks, was asked to build a security policy for a small company getting a government contract. He was surprised by what he found when he took a look at their network.
“It’s really eye opening when you find out they share the C drive on a computer that’s in a foreign country,” said Dodd. “They are like, ‘that’s how we transfer files.’ And you want to do business with the government?”
State-sponsored terrorist organizations target big defense contractors, he explained, but they reach them through the small companies that do business with them.
“If you said to a small business, ‘would you leave all available cash sitting in your conference or board room?’ they’d say no, yet they are willing to leave really sensitive information that’s the core of the business,” said Serwin.
Hobson has seen careless behavior in the private sector as well, citing a network assessment he did for a health care client.
“The receptionist was pleasant as punch and had her screen turned toward me. All I had to do is take a picture with my phone and I had someone’s medical records,” said Hobson.
Whether they know it or not, CEOs and chief information officers are taking on liability by skimping on cybersecurity.
“They are accepting risk on behalf of the organization, making decisions … based on current cybersecurity risk,” said Kelly.
The companies don’t just risk a breach by going light on security; they also risk damage to their brand.
“The business doesn’t always understand the full scope of risk they are dealing with,” said Serwin.
In October, Barnes & Noble (NYSE: BKS) said a data breach at 63 of its stores may have compromised the credit card information of its customers. In September, 37,000 accounts of Domino’s Pizza (NYSE: DPZ) customers, including their names, contacts, passwords and other information, were leaked online.
That loss of data can be a deciding point for customers to go elsewhere.
“Reputation has a huge dollar amount associated with it,” said Fraumann.
Even employees who go through training are bound to click on a malicious link or open an infected attachment that promises $500, for example.
“Once they do it, no one else in the company knows because nothing is popping up. In the meantime this malware is searching through their files,” said Marcia Charest, vice president at Torrey Pines Bank.
Dodd suggests showing employees a presentation of someone clicking on a link and demonstrating how easy getting hacked is.
“Get them interested in it and tell them this is what you don’t want to do unless you want to give away all your information,” said Dodd.
McPhail said the answer to getting employees to care is creating a habit.
“Habits are controlled by addictions to a reward,” he said.
The CEO could give employees bonuses for avoiding a breach for a certain period of time, for example, or create a competition with a neighboring company to beat its security record.
“Those kinds of things people care about and will fight to be the best and do the right thing,” said Kelly. “People are motivated by a variety of things, not just the immediate gratification of money.”
Cybersecurity even bleeds into the social media realm, especially among high-risk clients like banks. Torrey Pines Bank has a policy where employees have to let the company look at their Facebook pages.
“I am concerned about the fact that people are so willing to share personal information on there. At one of our sister banks, someone’s wife was almost taken hostage because she shared all this information,” said Charest, who handles fraud and robbery at the bank.
When an employee posts about disliking the CEO, or posts his or her home address or salary, that can compromise the security of a company.
“We’ve got to teach employees that you’ve got to think about what you put out there because people look for vulnerabilities,” said Charest.
Roundtable participants:
Marcia Charest, Vice President, Torrey Pines Bank
David Dodd, Founder and President, pbnetworks
Liz Fraumann, Executive Director, ESET Foundation
Benito Hobson, Director of Business Development, Integrits Corp.
Cass Kelly, CEO, Taranet Inc. (sponsor)
Dave Maquera, President, Edge Wave
Lon McPhail, President, Chief Technology Officer and Founder, Cerver Systems
Andrew Serwin, Partner, Foley & Lardner (sponsor)
John White, AVP of Commercial Lines, GS Levine