Posts

Small Business Cybersecurity: 5 Steps to Stop Cybercrime 

Cyber Security Tips to protect your business - John Sileo

Small Business Cybersecurity Gone Terribly Wrong 

On August 12, 2003, as I was just sitting down to a tea party with my daughters and their stuffed animals, the doorbell rang. Standing there when I opened the door was a special agent from the economic crimes unit at the district attorney’s office—ready to charge me for electronically embezzling (hacking) $298,000 from my small business customers. The DA’s office had enough digital DNA to put me in jail for a decade. 

I was the victim of cybercrime, and I should have known better. You see, earlier that year my personal identity was stolen by cybercriminals out of my trash and sold to a woman in Florida. This woman purchased a home, committed a number of crimes, drained my bank accounts and filed for bankruptcy—all in my name. I learned all of this one day at the bank, right before I was escorted out by security guards.

The experience of losing my money, time and dignity motivated me to protect my personal information assets with a vengeance. Unfortunately, I didn’t apply my newfound cyber vigilance to my small business, which is how I ended up losing it. 

Like a lot of small business owners, it never occurred to me that my $2 million company would be targeted by cyber criminals. I figured we weren’t worth the effort, especially compared to large multinational companies like Target, Marriott, Google and Facebook. My naivete cost me my family’s business and two years fighting to stay out of jail. 

The fact is, cyber criminals are increasingly going after small and midsize businesses (SMBs) precisely because they are easier targets than larger organizations. According to the Ponemon Institute’s most recent Global State of Cybersecurity in Small and Medium-Sized Businesses report, 76 percent of  small and midsize businesses experienced a cyber attack in the past 12 months. The same report found that only 28 percent of companies characterize their ability to mitigate threats, vulnerabilities and attacks as “highly effective.” 

Not all hacking results in criminal charges being filed against the victim, as in my case, but that doesn’t mean there aren’t significant costs involved. According to last year’s Ponemon Institute study, companies spent an average of $1.43 million due to damage or theft of IT assets. On top of that, the disruption to their normal operations cost companies $1.56 million on average. 

In other words, your organization’s chances are greater than 50/50 that it will suffer a serious cyber attack in the next year or so and that the attack will have a significant negative impact on profitability. The good news is that you can eliminate much of the risk with a reasonable budget and some good leadership.

5 Small Business Cybersecurity Strategies

In my experience, good entrepreneurs begin with the following steps:

Identify All data is not created equal. Bring together the key players in your business and identify the specific pieces of data, if lost or stolen, that would make a significant impact on your operation, reputation and profitability. This could be everything from customer credit card, bank account or Social Security numbers to valuable intellectual property.

Evaluate Understand your business’ current cyber security readiness. During this step, I recommend bringing in an external security firm to conduct a systems penetration test. A good Pen Test will give you a heatmap of your greatest weaknesses as well as a prioritized attack plan. Have a separate IT provider implement the remediation plan, if possible, to provide an objective check on the security firm’s work. 

Assign Engage stakeholders from across your organization, not just those within IT. Assign a detail-oriented, tech-savvy leader other than yourself (if feasible) to oversee the analysis and implementation of your cyber strategy. Other players essential to this conversation are your lawyer and your accountant/auditor, who can help you build a breach response plan for when data is compromised. In today’s digital economy, theft and loss are part of business as usual and they should be planned for—like any other risk to your organization.

Measure Just as with any other business function, cyber security needs to be measured. Your security or IT provider should be able to suggest simple metrics—number of blocked hacking attempts (in your firewall), failed phishing attacks, days without a breach, etcetera—with which to keep a pulse on your data defense. 

Repeat Each one of these steps should be re-evaluated and updated on a regular basis. I recommend taking a look at your security during your slowest season annually. Strong cyber security thrives in the details, and the details in this realm change every year. 

The bottom line is that SMBs can no longer ignore the very real threat of cyber crime, including crime perpetrated by an insider (in 2018, 34 percent of data breaches involved internal actors and 2 percent involved partners). I learned both of these lessons the hard way. It takes an average of 73 days for organizations to contain an insider-related incident; my case dragged on for two years, during which I spent every day fighting to keep myself out of jail. 

In the end, I found out the cyber criminal was my business partner. A man I loved and trusted like a brother stole and used my banking login credentials to embezzle from our clients; he used my identity to commit his cyber crimes. He exploited my trust and then he cut the rope and let me take the fall. 

And I should have known better. So if you think your company is too small to be targeted or you’re too smart to be victimized, think again. 


About Cyber security Keynote Speaker John Sileo

John Sileo is the founder and CEO of The Sileo Group, a cybersecurity think tank, in Lakewood, Colorado, and an award-winning author and Hall of Fame Speaker who specializes in providing security-awareness training to small businesses as well as large organizations. He has shared his experiences on “60 Minutes,” “Anderson Cooper” — and even while cooking meatballs with Rachael Ray. John earned a BS with honors in political science from Harvard University. 

 

Just Wait for the Cavity: Dental Cyber Security

Dental Cyber Security is kind of like, well, being a dentist. You’re in your patient’s mouth. The red flags are clear as day: calculus buildup going back to pre-fluoride Woodstock days. Severe dentin erosion, onset of gingivitis, gums retreating like Arctic glaciers. But there is no actual decay yet. No cavities to drill or crowns to fill, no stains to cap or roots to tap. Absolutely. Nothing. Profitable!

So what do you tell the patient? That’s easy…

“Looks good! Come see me when that molar finally cracks.”

Of course that’s not what you say, but that is roughly how it sounds to me when a practice director tells me that they invest minimally in ongoing preventative cyber security because nothing truly bad has happened yet with their practice data. In other words, Just Wait for the Cybercrime Cavity and spend ten times as much recovering.

But I would never advise you to wait for the cyber decay, and you would never advise your patients to hold off on brushing, flossing and regular dental checkups. Nor should you wait to implement regular dental cyber security. We are both in the prevention business and we are building long-term relationships that have a great LTV. There are enough patients to keep us both in business with bad hygiene, so we can focus on doing our job well and stopping the problem before it takes root. That preventative mindset will save you approximately $380 per patient record, which is the average cost of breach recovery in the health industry (excluding reputation damage and customer attrition).

Here are what I consider to be the 5 Most Pressing Cybersecurity Vulnerabilities in Dentistry:

  1. Outdated operating systems (Windows XP/2000) and unpatched operating systems, software and apps
  2. Weak spam filtration and barely-existent employee training that leads to email-based phishing attacks
  3. Poor data backup and recovery planning that allows ransomware to lock and destroy patient and financial data
  4. Lack of solid encryption on data at rest (on servers), in transit (to patients, vendors) and in the cloud (practiced management software) that allows easy access to hackers
  5. Credential hacking of cloud data due to lack of 2-factor authentication and password managers

When your practice begins to protect patient data in the same way that you ask patients to protect the health of their mouth, you have just discovered a critical competitive advantage for patient acquisition and retention. Your patients want to know that their data is safe in your hands. Here are some additional resources to help you take the next steps in protecting your practice data:

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings and in industry study clubs. He specializes in making security fun, so that it sticks. His clients include the Seattle Study Club, the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Security Awareness Programs Like Mushy Overnight Oats?

To diagnose your under-performing cyber security awareness programs, all you need to do is look at my breakfast today. My daughter introduced me to overnight oats. “It’s the perfect breakfast, Dad – full of energy, takes no time at all, packed with simple, healthy ingredients like oatmeal, almond milk and peanut butter”, she said. “That’s what I need!”, I said, “All of the power with none of the fuss”. So I took her recipe and promptly ignored it. I added cottage cheese, chia and some lemon – because if it was already good, I was going to  make it even better.

What I got was curdled mush that crawled out of the bowl like John Cusack’s dinner in Better off Dead. The theory of overnight oats was brilliant. It was my execution that made me gag.

Many security awareness programs choke on their own ingredients because, like my overnight oats, they don’t follow a recipe when they plan the program. The have no overarching security “end” in mind at the beginning, to paraphrase Stephen Covey. Empowering the human element of cyber security is the cultural ingredient that many organizations overlook. Think about tweaking your recipe a bit to make it more than palatable.

A Recipe for Effective Security Awareness Programs

One byproduct of serving as the opening keynote speaker for hundreds of security awareness programs around the world (in addition to the bottomless pit of mileage points I’ve earned), is that I have dined amidst training programs, OVER and OVER again, that leave me hungering for more substance and lots more flavor. Here is my simple recipe for a filling, enjoyable and effective Security Awareness Program:

Ingredients (For a Culture of Security that Cooks):

  • (1-3) C-Level Executive(s) who “Believe” (Ownership)
  • (1) Cross-Functional Business Case w/ Compelling ROI (Strategy)
  • High-Engagement Content Rooted in Personal Security (Methodology)
  • (6-12) Regular, Engaging Follow-on “Snacks” (Sustenance)
  • (1) Feedback Dashboard to Measure “Diner” Response (Metrics)

Ownership. Failing to have a highly-communicative Chief Executive leading your initiative is like expecting a 3-Star Michelin rating from a fast-food cook. You must have high-level “buy-in” for your program to work. I’m not talking about the CISO, CRO, CIO or CTO here – that would just be preaching to the choir. The missing cook in awareness programs tends to be a security “believer” from the executive team. Successful security awareness programs are clearly led, repeatedly broadcast and constantly emphasized from the top of the organization, all with an attitude of authenticity and immediacy. Whether served up by your CEO at an annual gathering or by your Board of Directors to kick off National Cyber Security Awareness Month, your security champion must become an evangelist for defending your data.

Strategy. Don’t expect to randomly add security ingredients to the bowl and blindly hope they mix well together. You’ll just end up with curdled oatmeal. Approach your program strategically, and devise a recipe to protect your intellectual property, critical data and return on information assets. You are competing for resources, so build a compelling business case that demonstrates the organization’s ROI in business terms, not buried in techno-babble. What did it cost your competitor when ransomware froze their operation for a week? How much would the training have cost to avoid the CEO whaling scheme that lost a similar-sized company $47 million? What do the owners of  compliance, HR and I.T. have to add to the meal? The most successful security awareness programs have a budget, a staff (however small) and cross-departmental support. Involve the business team and other stakeholders up front to leverage their expertise before rollout.

Methodology. Here is a litmus test for the potential effectiveness of your security awareness program: Does it begin by focusing on the critical information assets and devices inside of your organization? If so, it’s probably doomed. Why? Because your employees are human beings and they want to know how this affects them personally before they willingly invest time to protect the corporate coffers. Excellent security awareness kicks off by making data protection personal – by building ownership before education. From there, the training must be engaging (dare I say fun!?) and interactive (live social-engineering) so that your audience members pay attention and apply what they learn. Death-By-PowerPoint slides will permanently put behavioral change to sleep. Highly-effective programs build a foundational security reflex (proactive skepticism), and are interesting enough to compete against cute puppy videos, smartphone farm games and our undying desire for a conference-room cat nap.

Sustenance. Best practice security awareness training, like a five-course meal, doesn’t end with the appetizer. Yes, kickoff is best achieved with a high-energy, personally relevant, in-person presentation that communicates the emotional and financial consequences of data loss. But that is only the beginning of the meal. From there, your team needs consistent, entertaining follow-up education to keep the fire alive. For example, we have found short, funny, casual video tips on the latest cyber threats to be highly effective. And lunch workshops on protecting personal devices. And incentive programs for safe behavior. And so on. Culture matures by feeding it consistently.

Measurement.If you don’t measure your progress (and actually demonstrate some), no one will fund next year’s dining budget. What are your Security Awareness Training KPIs, your key metrics? How did successful phishing attacks decline as a byproduct of your program? Has user awareness of threats, policy and solutions increased? How many employees showed up for the Cyber Security Awareness Month keynote and fair? How department-specific are your training modules – or does one size fit all? When you can show quantitative progress, you will have the backing to continue building your qualitative culture of security.

And now, back to the meal. In spite of the lemon juice that further curdled the cottage cheese and ruined my oats, I was still hungry, so I ended up choking them down, vowing to listen to my daughter next time. And I hope you will listen to me this time: Approach your security awareness program like you are planning a feast for guests who matter a great deal to you. Because your uneducated employees, unprotected customer data, and invaluable intellectual capital are exactly what cybercriminals are eating for breakfast.

What are the greatest gaps you see in Security Awareness Programs? Please share your brilliance below.


John Sileo loves his role as a keynote “energizer” for Cyber Security Awareness Programs. He specializes in making security fun, so that it sticks. His clients include the Pentagon, Schwab and some organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime.

Equifax Data Breach Protection Tips

How to Protect Yourself from the Equifax Data Breach

Equifax, one of the three major consumer credit reporting agencies disclosed that hackers compromised Social Security and driver’s license numbers as well as names, birthdates, addresses and some credit cards on more than 143 million Americans. If you have a credit profile, you were probably affected.

Credit reporting companies collect and sell vast troves of consumer data from your buying habits to your credit worthiness, making this quite possibly the most destructive data security breach in history. By hacking Equifax, the criminals were able to get all of your personally identifying information in a one-stop shop. This is the third major cybersecurity breach at Equifax since 2015, demonstrating that they continue to place profits over consumer protection. Ultimately, their negligence will erode their margins, their credibility and their position as one of the big three.

But that isn’t your concern – your concern is protecting yourself and your family from the abuse of that stolen information that will happen over the next 3 years.

Minimize Your Risk from the Equifax Data Breach

  1. Assume that your identity has been compromised. Don’t take a chance that you are one of the very few adult American’s that aren’t affected. It’s not time to panic, it’s time to act.
  2. If you want to see the spin that Equifax is putting on the story, visit their website. Here’s how the story usually develops: 1. They announce the breach and say that fraud hasn’t been detected 2. A few days later when you aren’t paying attention, they retract that statement because fraud is happening, 3. Sometime after that they admit that more people, more identity and more fraud took place than originally thought. They encourage you to sign up for their free monitoring (which you should do), but it does nothing to actually prevent identity theft, it just might help you catch it when it happens.
  3. I recommend placing a verbal password on all of your bank accounts and credit cards so that criminals can’t use the information they have from the breach to socially engineer their way into your accounts. Call your banks and credit card companies and request a “call-in” password be placed on your account.
  4. Begin monitoring your bank, credit card and credit accounts on a regular basis. Consider watching this video and then setting up account alerts to make this process easier.
  5. Visit AnnualCreditReport.com to get your credit report from the three credit reporting bureaus to see if there are any newly established, fraudulent accounts set up. DON’T JUST CHECK EQUIFAX, AS THE CRIMINALS HAVE ENOUGH OF YOUR DATA TO ABUSE YOUR CREDIT THROUGH ALL THREE BUREAUS.
  6. MOST IMPORTANTLY, FREEZE YOUR CREDIT. The video above walks you through why this is such an important step. Some websites and cybersecurity experts will tell you to simply place a fraud alert on your three credit profiles. I am telling you that this isn’t strong enough to protect your credit. Freezing your credit puts a password on your credit profile, so that criminals can’t apply for credit in your name (unless they steal your password too). Here are the credit freeze websites and phone numbers for each bureau. Equifax is being overwhelmed by requests, so be patient and keep trying. Even if it doesn’t happen today, you need to Freeze Your Credit!

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742

John Sileo is an an award-winning author and keynote speaker on cybersecurity. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.