In today’s climate, it’s necessary for both small businesses and large global enterprises to have comprehensive cybersecurity plans. In this blog, I’d like to discuss how vulnerable small businesses can be to modern cyber threats, and share how global enterprises are largely unprepared for the EU General Data Protection Regulation (only 14 months away).
A 2017 small-business cybersecurity story
I was sure that it was a “bum dial” when the name “Simon R” appeared on my phone close to midnight last Monday. Simon’s son plays football on the same team as my son but, although we share a Whatsapp group, he’d never actually called me before so I was sure it was a mistake. Unfortunately, it wasn’t!
“Hi, sorry it’s so late. I’m just not sure whether you can help me, but I didn’t know who else to call and I’m not sure what to do. My company has been hacked!”
Before this call, we had previously chatted at football matches a few times, and we had been to some of the same parties, but almost all of our shallow knowledge of each other came virtually, through social media. So with that limited information (and a fair amount of misunderstanding), Simon identified me as an appropriate person to contact for advice on his cyber breach.
When a small company gets hit with an encrypting ransomware attack
It wasn’t good news. His company was the victim of an encrypting ransomware attack. The three machines in his office had had all their files encrypted, and on initial investigation, all that could be found was a small text file indicating that the attackers would like to be paid in the Bitcoin digital currency. Simon was a designer, not a computer expert, and unfortunately, he had completely underestimated how reliant his business was on the computers in his office. He had not considered a cyberattack as a significant risk at all. After all, he just used the computer for e-mails and research … right?
Unfortunately not. All his business accounts were on those computers: all his employees’ human resources information and salary detail, and all e-mails from clients (many of whom had sent ideas and designs with confidential information that he needed to work on). Gradually, he started to realize the enormity of his situation.
The value—and difficulties—of backups
I explained that under no circumstances should he pay any ransom and that I would find a “real” cybersecurity expert to speak to him about the possibilities of decryption. However, I warned that decryption may not be possible, and he may need to just accept the situation and restore everything from backups. The silence at the other end of the line spoke volumes.
Computer backups had not been seen as a major priority for his company. When his backup tapes were full, someone was required to walk all the way across the office to agree to the “overwrite” prompt on the screen. Nobody had ever really been given responsibility for this task, and soon it simply stopped being done. The most recently available backup was 11 months old!
A week later, the situation is still not resolved, but is being managed. He has now engaged a computer management firm that will, in future, provide all network and application support, manage security and backups, and provide training to his team on an ongoing basis. He has had to accept the loss of tens of thousands of pounds and, more importantly, suffered significant reputational damage. For a small company fighting for a larger share in a busy market, Simon and his team were completely blindsided by this.
“I just don’t understand why someone would target me,” Simon said. “Surely there are more lucrative targets.”
The risks for small businesses
That, I think, is the biggest misunderstanding amongst many small business owners. The idea that someone would target them seems so unlikely that cybersecurity is a minor concern. The fact is that his company was not targeted, but simply received a mass spam phishing e-mail that someone in his office opened. That was the door opener. So he was not the victim of a targeted attack, but had simply not prepared to defend against random, hopeful, low-complexity, high-volume attacks.
According to Symantec, cyberattacks against small businesses increased from 18% in 2011 to 43% in 2015. Attackers are realizing that there is money to be made from smaller companies whose executives put little thought into their own protection. The most important things are usually the simple things—a cybersecurity policy, education of employees, and, of course, strong passwords.
The truth about passwords
Using the very limited information I thought I knew about Simon, I asked if I could try to guess his password. As a Facebook friend, I knew that he had just turned 52, had a wife called Sara, three young boys, and a dog called Sonic. I knew that he went on a skiing holiday once a year, had parents who lived in Spain, and that he voted differently from me in the last election. He was a fan of U.S. basketball, Spanish football, and cricket, and had a frustrating tendency to misspell the words “their” and “there.” He often played something called “Boom Beach” on his iPhone and repeatedly shared “People are Awesome” YouTube clips. As a LinkedIn contact, I knew that he grew up in Cardiff and went to University in Leeds, started his career in recruitment consulting, and for the last 12 years ran a small, 8-person design company in north London.
Within two minutes of my guessing, he admitted that I had mentioned an approximation of his, his wife’s, and his corporate domain passwords. Honestly, he’s not alone—for 20 years, security consultants have continued to highlight the importance of complex passwords, yet it still seems that this message is not getting through.
Common passwords and public information—two password don’ts
You can easily download a list of the 10,000 most common passwords from this site to try a “brute-force” attack, but you probably wouldn’t need that many. The figures are shocking:
- 1.6% of users have a password from the top 10 passwords
- 10% of users have a password from the top 100
- 30% of users have a password from the top 10,000
Using personal but relatively public information is also risky, because so much of it is on social media. Almost everyone today has a Facebook page, a Twitter account, and various other forms of social media. People post their birthdays and their kids’ birthdays online. They give anyone who cares to look a glimpse at the most common dates and people in their lives – not a terrible thing, but it should make you wary of using that same information to safeguard vital systems and data.
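As an added illustration of the two password don’ts above (not code from the original post), here is a defender-side screen that rejects a candidate password if it matches the common-password list or contains the kind of detail a social-media contact could read off a profile. The common-password set and the profile are constructed stand-ins; in practice the set would be loaded from the downloaded list and the profile tokens from the account holder’s own details.

```python
import re

# Constructed stand-in for the downloadable "most common passwords" list;
# in practice load the real file, e.g. set(open("common.txt").read().split()).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "football", "iloveyou"}

# Constructed profile of the kind a Facebook/LinkedIn friend could assemble
# (family and pet names, home towns, an ISO birth date). Not real data.
PROFILE = {
    "names": ["Simon", "Sara", "Sonic", "Cardiff", "Leeds"],
    "dates": ["1965-03-14"],
}
MIN_LENGTH = 12

def _deleet(s: str) -> str:
    """Undo the usual digit/symbol-for-letter swaps so p@ssw0rd compares as password."""
    return s.translate(str.maketrans("@0143$5!7", "aolaessit"))

def _forms(candidate: str) -> set:
    """Lower-cased variants of the candidate: as typed, de-leeted, and with
    trailing digits/symbols stripped (so Password1! still matches 'password')."""
    low = candidate.lower()
    stem = re.sub(r"[^a-z]+$", "", low)
    return {low, _deleet(low), stem, _deleet(stem)}

def personal_tokens(profile: dict) -> set:
    """Fragments of public personal detail (4+ chars) that must not appear."""
    tokens = {n.lower() for n in profile.get("names", [])}
    for date in profile.get("dates", []):          # "YYYY-MM-DD"
        y, m, d = date.split("-")
        tokens.update({y, d + m, m + d, d + m + y[2:], d + m + y})
    return {t for t in tokens if len(t) >= 4}

def check_password(candidate: str, profile: dict, common=COMMON_PASSWORDS) -> list:
    """Return the reasons to reject the candidate; an empty list means it passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    forms = _forms(candidate)
    if forms & common:
        reasons.append("on the common-password list (even with digits or symbols appended)")
    for tok in sorted(personal_tokens(profile)):
        if any(tok in f for f in forms):
            reasons.append(f"contains personal detail {tok!r}")
    return reasons

if __name__ == "__main__":
    for pw in ("Sonic1965!", "P@ssw0rd123", "Rain-On-Tuesday-Bagel-42"):
        print(pw, "->", check_password(pw, PROFILE) or "OK")
```

The same check belongs at password-change time on the domain controller or identity provider, not only in a one-off audit.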
This experience was a painful learning experience for Simon—the realization that even the smallest companies must consider cybersecurity as a major business risk. How could he have missed something so big?
“I’m so embarrassed,” he said. “I’m sure that if I ran a much bigger company, this would have been a much higher priority for me.”
I didn’t say anything because unfortunately, I think that he’s completely wrong. Even large companies don’t prioritize cybersecurity correctly. Right now, we have the perfect example of how cybersecurity continues to be underappreciated by the majority of global companies.
The underprepared global company and the EU General Data Protection Regulation
A small number of companies are rushing to prepare for the biggest overhaul of data protection regulations ever: the EU General Data Protection Regulation (GDPR). It is only 14 months away, with massive fines promised and huge hurdles to overcome. Yet although a few companies are desperately seeking answers, figures suggest that the majority of companies are still totally unaware of what it entails or its myriad implications.
Perhaps some companies still persist with the myth that this is an IT issue and not a C-suite problem. A recent global survey by Dell makes worrying reading and to conclude, I’d just like to point out some of the findings.
- More than 60% of respondents say they are aware something is going on with GDPR, but they know little or nothing about it.
- Only 4% of respondents outside of Europe said they are very knowledgeable about the details of GDPR, while just 6% of those in Europe said they are very familiar with the requirements.
- Fewer than 1 in 3 companies feel they are prepared for GDPR today.
- Nearly 70% of respondents say their organization is definitely not prepared for GDPR today, or don’t know whether it is, and only 3% of these have a plan for readiness.
- Less than half of respondents say they feel confident they’ll be ready when GDPR kicks off in 2018, while only 9% expect to be fully prepared in time.
This article, GRC Tuesdays: Cybersecurity In 2017—Don’t Be Afraid, Be Aware!, originally appeared on the SAP BusinessObjects Analytics blog and has been republished with permission.