Between a CrowdStrike software glitch that recently brought many global industries to a temporary standstill and security breaches at major enterprises such as UnitedHealth and Ticketmaster, the digitized systems of our world and the mechanisms designed to protect them have been brought unavoidably to the fore.
But if you are a small business owner or an ordinary individual without a sophisticated IT background, the topic itself — cybersecurity — not only causes your eyes to glaze over, but it even incites a bit of an internal panic every time it comes up in conversation.
With these recent breaches affecting companies and industries that we use every day, those of us who are cybersecurity-hesitant can no longer simply ignore it or hope that others will handle the problem for us.
For this reason, Blaze News spoke with two experts who have both spent decades in the cybersecurity field and who have dedicated their lives to making cybersecurity as easy as possible for laypeople.
The first, Rob Coté, owns a small cybersecurity company in southeastern Michigan called Security Vitals. The second, Mike Lipinski, is in charge of cybersecurity at the major accounting firm Plante Moran. In the past, he has also worked as a vendor and in consulting for IT- and cybersecurity-related companies.
What IS cybersecurity?
Since the 1990s, Hollywood has done a masterful job making cybercriminal behavior such as hacking seem mysterious and esoteric while making efforts to outdo and outsmart cybercriminals look heroic and sexy. Blockbuster hits such as “The Net” and “Hackers,” both released in 1995, wove together a narrative filled with romance and digital arcana, making cybersecurity seem accessible even as the cyberworld in the movies still feels hopelessly foreign.
The reality is much more mundane, and also more serious, particularly for small business owners.
43% of all cybersecurity attacks happen to businesses with 500 or fewer employees. Of those affected businesses, fully 60% will go belly-up within six months of the attack.
And while incidents involving big-name companies like Ticketmaster and UnitedHealth remind us of the importance of cybersecurity, they can also sometimes deceive us into thinking that cybersecurity is a problem only for industry giants and not for the little guy.
Both Coté and Lipinski vehemently pushed back against that assumption.
“Size doesn’t necessarily dictate sophistication and security,” Lipinski added.
Small businesses as ‘easy opportunities’
One of the most common responses Coté says he receives when pitching cybersecurity services to owners of small and medium-sized businesses is that their businesses have too little information and too small a digital footprint to be attractive to cybercriminals. “Nobody cares about our data,” they say, according to Coté.
Unfortunately, such modesty can lead to all kinds of trouble. Coté told Blaze News that bad actors are looking for “easy opportunities” and “the path of least resistance.” Since large enterprises already have heavily fortified cyber environments, many cybercriminals don’t even bother with them.
Instead, cybercriminals will often target vulnerable environments that are easy to infiltrate, and they do so for two main reasons.
First: Almost every business, regardless of size, harbors sensitive data. Everything from credit card transactions to digitized personnel files carries critical information, all of which must be stored somewhere, often in the nebulous cyber zone known as “the cloud.”
Such stored data makes small companies especially vulnerable to ransomware, which Coté defined as “a technology that will lock up your data, and without the key, you can’t access it.”
Once ransomware villains get hold of a company’s data, they then demand money, often via cryptocurrency, before they will return it. However, paying the ransom does not ensure that the data will be restored. After all, “you’re dealing with criminals here,” Coté noted.
And with new privacy laws, businesses render themselves vulnerable to lawsuits for failing to protect this data against ransomware and other cyberattacks. “There’s a lot of things now that are being expected of all of us to protect the information that I may have on you or you may have on me,” Lipinski explained.
The other key reason that cybercriminals pester seemingly small businesses is because of their associations with larger companies. Coté cited Ford Motor Company and Target as two recognizable names that contract with much smaller firms to outsource some of their business practices.
“You may be humming along thinking, ‘We’re fine. We’re just a small business,’” Coté said. “The reality is this … they have direct connections with the larger company.”
OK, so what can be done?
While Ford and Target have plenty of revenue with which to invest in cybersecurity, most small businesses do not.
But according to Coté and Lipinski, that should not mean small businesses do nothing. Both said there are plenty of affordable options that can help owners protect themselves.
Such options include network scanning and monitoring, both of which are services that cybersecurity firms provide to their clients. In other words, businesses do not necessarily have to spend sometimes hundreds of thousands of dollars onboarding cybersecurity staff. They can outsource these responsibilities to experts at much lower cost.
Coté told Blaze News that some cybersecurity platforms covering 10 total devices can cost as little as a few hundred dollars a month.
Lipinski hesitated to estimate what cybersecurity might cost since different companies have so many different needs. “I’ve got small businesses that spend well over six figures a year just on cybersecurity protection,” he told Blaze News, “and I’ve got other very large businesses that have thousands of employees that may spend less than that.”
But regardless of how much one spends, the real cost of cybersecurity, to borrow an apt phrase from Hamlet, lies “in the breach rather than the observance,” both Coté and Lipinski indicated. While business owners must balance security with functionality, a breach in security brings almost all business operations to a grinding halt — and forces owners to give a public account for the error.
“How do you quantify the value of reputational damage?” Coté asked rhetorically. “You just can’t.”
Lipinski agreed, advising owners to conduct a “business impact analysis” when assessing their companies’ risk. Those who can’t afford to have operations suspended for two or three weeks should strongly consider more involved cyberattack prevention, he said.
Secondary consequences to breaches
Business owners quickly understand the hit that their bottom line and their professional reputation can take with just one security breach. What they may not consider are some of the indirect consequences that are likely to occur as well.
Lipinski noted two such indirect consequences. One is that other financial institutions may impose safeguards on business clients in order to protect themselves.
“If you have a breach, and those credit cards are stolen, your payment processor, your bank, is probably not going to allow you to take credit cards any more,” Lipinski said.
Another potential consequence he gave relates not to the business itself but to one of its contractors. Using payroll as an example, Lipinski claimed that businesses must have protections in place to guard against breaches at one of their service providers.
“It’s not unforeseen that they go down and have an outage for two or three weeks. So what does that do to your business?” he asked.
“Do you have a backup solution in place? Do you have funding in your bank? Can you cut manual checks? Do you know what people should get paid?” are all questions managers and bosses must consider when outsourcing vital company operations, Lipinski said.
‘Probably one of the weakest vectors’: The value of employee training
Another vital aspect of cybersecurity is staff training. “People are probably one of the weakest vectors,” Coté said without judgment.
In an ideal world, all employees would immediately recognize when they’ve been approached by bad actors. Such criminals often attempt to convince employees to reveal critical information, a scam referred to as phishing, or to respond to fake emails, known as spoofing.
However, cybercriminals have come a long way from posing as Nigerian princes who just need a small up-front payment in exchange for a much larger reward down the road. Now, they often employ sophisticated disguises to conceal their antics.
For instance, criminals will sometimes send along an email using the name of a company boss and changing just one character of his or her email address to avoid detection. Coté gave the hypothetical email address robcote@companyabc.com as an example.
“Let’s say I change the O in company to a zero,” he said, turning that email address to robcote@c0mpanyabc.com.
“You may not even notice that when the email comes in.”
Even the savviest employees can fall victim to such schemes.
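To show how a mail filter can catch the one-character substitution Coté describes, here is an added example that is not from the article or from either firm: it normalizes a sender's domain by mapping look-alike characters such as 0 to o, then reports whether the sender is a trusted domain, a near-lookalike, or simply external. The confusable table and the sample addresses are assumptions.

```python
from email.utils import parseaddr
import unicodedata

# Assumption: a small table of characters attackers swap in for look-alike letters;
# production filters use far larger lists such as Unicode's confusables.txt.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
# Multi-character look-alikes that a single-character translate table cannot express.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain: str) -> str:
    """Collapse visually similar spellings of a domain into one canonical form."""
    # Fold accented or full-width Unicode letters to their ASCII base (e.g. 'ö' -> 'o').
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    d = d.translate(CONFUSABLE_CHARS)
    for src, dst in CONFUSABLE_PAIRS:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str, trusted_domains: list) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    _, addr = parseaddr(header_from)
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "external"  # no parsable address: treat as untrusted
    if domain in trusted_domains:
        return "trusted"
    sk = skeleton(domain)
    for trusted in trusted_domains:
        tsk = skeleton(trusted)
        # Same skeleton (c0mpanyabc -> companyabc) or one edit away: flag for review.
        if sk == tsk or edit_distance(sk, tsk) <= 1:
            return "lookalike"
    return "external"
```

A message classed as "lookalike" is the one to hold or banner for the recipient, since it is the case where the human eye is least likely to notice the swap.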
Though hardly savvy, I — a former contract employee of a cybersecurity firm who has a strong connection to a cybersecurity professional — fell for a phishing scheme several months ago when a cyberattacker sent an alert to my phone, posing as Amazon, just as I was expecting an Amazon package with expedited shipping. Thankfully, I realized my error before I divulged sensitive information.
Coté said he has heard similar stories. He referenced a case in which an intelligent, hardworking employee who was used to making company purchases on behalf of her higher-ups bought several gift cards after receiving a spoofed email from a person pretending to be her boss.
Gift cards are a particularly clever idea for cybercriminals, Coté said. Once the information under the card’s protective seal has been shared, the buyer has “no recourse.”
Another burgeoning threat related to such scams is AI voice-modeling. Such AI models have advanced so much that they have now practically become “voice verification,” Lipinski claimed.
And capturing enough of someone’s pitch and cadence to generate a model is easy, Coté said. All it takes is a quick phone call for a criminal to establish a voice profile that can then be used to fool employees into sharing data or unwittingly handing over money or other valuables.
Other staff-related vulnerabilities
In addition to employees falling prey to bad actors, employees can also occasionally be bad actors themselves. Those who have been disciplined or who have received a lucrative job offer from a rival company may have a motive for sabotaging business operations at their current company.
One way to track potentially malicious behavior is to scan for unusual logins, Coté said.
“If [so-and-so] is always online between 8 a.m. and 9 p.m., and suddenly she logs in at 3 a.m. to your corporate environment and downloads two terabytes of data,” he said, she may be up to no good.
In some cases, unusual behaviors are not actually malicious, Coté noted. It’s easy to imagine benign circumstances under which an employee might conduct some business tasks at strange hours.
“It may have been that [so-and-so] was getting ready to leave town and needed two terabytes of data for a presentation for your company,” he suggested, “but you don’t know if you’re not looking.”
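The kind of check Coté describes, as an added example that is not from the article or from Security Vitals: it builds each user's usual working hours and largest previous download from earlier log lines, then flags a later login outside those hours or a download far above that baseline. The log format, the sample entries and the 10x volume threshold are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <user> login" or "<ISO timestamp> <user> download <bytes>".
LINE_RE = re.compile(r"^(\S+) (\S+) (login|download)(?: (\d+))?$")

# Constructed sample log: alice normally works daytime hours and moves a few hundred MB
# a day; on July 10 she logs in at 3 a.m. and pulls two terabytes.
SAMPLE_LOG = """\
2024-07-01T08:05:00 alice login
2024-07-01T10:30:00 alice download 150000000
2024-07-02T09:10:00 alice login
2024-07-02T20:45:00 alice download 300000000
2024-07-03T07:58:00 alice login
2024-07-03T13:00:00 alice download 90000000
2024-07-10T03:02:00 alice login
2024-07-10T03:15:00 alice download 2000000000000
"""


def parse(log: str):
    """Turn log text into (timestamp, user, kind, bytes) tuples, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, user, kind, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), user, kind, int(nbytes or 0)))
    return events


def build_baseline(events, before: datetime):
    """Per user: the hours of day seen active and the largest single download, before a cutoff."""
    base = defaultdict(lambda: {"hours": set(), "max_bytes": 0})
    for ts, user, kind, nbytes in events:
        if ts < before:
            base[user]["hours"].add(ts.hour)  # any activity counts toward normal hours
            if kind == "download":
                base[user]["max_bytes"] = max(base[user]["max_bytes"], nbytes)
    return base


def find_anomalies(events, baseline, since: datetime, volume_factor: int = 10):
    """Flag off-hours logins and downloads far above the user's previous maximum."""
    alerts = []
    for ts, user, kind, nbytes in events:
        if ts < since or user not in baseline:
            continue  # users with no history get no baseline here and are skipped
        b = baseline[user]
        if kind == "login" and not (min(b["hours"]) <= ts.hour <= max(b["hours"])):
            alerts.append((user, ts.isoformat(), "login outside usual hours"))
        elif kind == "download" and nbytes > volume_factor * b["max_bytes"]:
            alerts.append((user, ts.isoformat(), "download volume far above baseline"))
    return alerts


def review(log: str, since: str):
    """Baseline on everything before `since`, then review everything from `since` on."""
    events, cutoff = parse(log), datetime.fromisoformat(since)
    return find_anomalies(events, build_baseline(events, cutoff), cutoff)
```

An alert is a prompt to ask, not a verdict: as Coté notes, the same pattern can be an employee preparing for a trip, which is exactly why the check needs a person to close it out.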
As with anything, cybersecurity tools and services come with drawbacks, many of which are borne by employees. Lengthy passwords are difficult to remember, and multiple sign-in requirements become annoying.
Lipinski advised owners to balance security concerns with the weight of cumbersome protection measures. “As a security professional, what pains me to say is there is such a thing as too much security, because if you put too many things in place and I prevent you from doing your job, then it’s not effective at that point,” he explained.
“You’ve got to find that medium.”
IT vs. cybersecurity
Another point both Coté and Lipinski made was that IT and cybersecurity personnel perform two entirely separate functions, and small business owners would be wise not to entrust one person with handling both responsibilities.
“IT’s job is to make things work, give you the tools that you need to do your job, to keep the applications and the network and the internet up and running,” Lipinski argued, “where cybersecurity is an overlay above that that’s looking at how we’re doing certain things and trying to determine if there’s a better or more secure way to be able to protect those assets or that data or those people.”
“IT people don’t understand cybersecurity,” he continued. “They think differently. They act differently. Their roles are different in the organization.”
Coté compared the two divisions to two company financial officers who perform completely different tasks, even though they both work with money. “Why do you have a CPA and why do you have a CFO?” he asked.
“The CFO manages your financials internally. The CPA checks up on the CFO to make sure that he or she is doing it right and they’re not funneling money out.”
Silence does not mean security
Both Coté and Lipinski cautioned that just because a business has never suffered a major cybersecurity breach does not mean that it is secure. Coté went so far as to say that a breach is almost “inevitable.”
Perhaps even more worrisome is the fact that most cybersecurity attacks are not detected in real time. “A data breach, on average, takes nine months to discover,” Coté asserted. “So … you could have been breached six months ago. You just haven’t figured it out yet.”
Coté went on to liken preventive cybersecurity measures to insurance. “It is really a form of insurance because there’s no way to say if I invest $10 on cybersecurity, I’ll save $100,” he said.
“Until you get attacked, you don’t have a good baseline for knowing what it’s really going to cost you.”
Lipinski also reiterated something that all business owners, whether they understand cybersecurity or not, already know: The buck stops with them.
“I can’t give you all of my risks,” he said, speaking of business owners. “I have to understand what I still own and what I’m going to do about it.”
“I gave you a part of my problem. I still own the other part.”