Nobody wants our data - it is of no importance to anyone else, right?
A company called us and was interested in us taking over their computer support and security. Their email had been compromised, and the bad guys had gone in and were watching the interaction between the owner and the bookkeeper. After a few months, they told the bookkeeper to wire a $40,000 payment to their vendor to pay a particular bill that was in their system. In the email were the wiring instructions from the owner, but it was not the owner who sent the email. They lost the $40,000 and could not recover it.
We’ve got cyber insurance! We are safe?
Let’s say that you get hit with ransomware and you have cyber insurance in place. The ransom is $300,000 and they claim to have all your clients’ information. For instance, you are a CPA firm and have Social Security numbers and all that stuff. Provided you have met all the requirements the cyber insurance imposes, such as 2FA, documented employee education, password security, and all that, are they going to cover the reputation loss with your customers? What about any customers you lose because of the attack? What about your reputation in the community, or the potential business you could have gotten but lost because of the bad press in the news? Your goal is to not have to use the cyber insurance.
It is like having health insurance. You have it, but it is better to not have to use it. So you take better care of yourself and stay healthy; that way you do not need to use the insurance.
Isn't computer security expensive?
Computer security doesn't have to be expensive but you get what you pay for. How sensitive is the data you have? How much money do you have in the bank? How important is your reputation with your customers and in the community? How big of a hit could your company afford to take and survive? How much is expensive?
These and more questions contribute to the answer to the original question. Obviously a bank would need more security than a heating and air company, but the financial strength of the company will determine its ability to survive an attack. The bad guys will target high-value businesses, but they also look for any business or computer they can access and exploit any situation available.
If we get hit and have to pay a ransom, we will just pay it. Don't most companies?
You could and a lot do, depending on many factors:
- Do you trust the hackers? Only 80% get their data back. You are taking their word that they will return the data and not sell it on the dark web.
- Can you afford the ransom? It could be a few hundred dollars or millions depending on your business.
- How strong are you financially? Will it put you out of business?
- How confident are you that they will not come back to you for more money after you pay them?
Paying the ransom just encourages more of the same. Avoid the situation altogether.
We haven't been hacked yet so we must be OK?
You believe what you are doing is working because you have not been hacked. We have a customer that felt that way. A few years ago this law firm did not believe they needed to be concerned about security. All they wanted us to do was to back up the server. They did not have any of the security protocols in place, like a firewall, antivirus protection, 2FA on their email, monitoring updates, or server security standards. They even had Windows 7 computers for 3 out of the 5 users (3 years after end of life for Windows 7).
They got hacked: an employee opened an email attachment, and the bad guys took all their data and encrypted all their data. After paying lawyers, an advanced security company, and us for replacing all the computers and adding all the security processes and equipment, it cost them over $30,000, not counting the ransom that they paid. The ransom demand was $300,000, but they paid only $25,000 with a promise that the bad guys would not sell the information on the dark web.
We have a backup so we are OK?
NO. That was true five years ago but not today. When you click on a link or open an attachment, something may happen instantly, or it may be days or months before anything happens. In the meantime they can be copying data, monitoring your systems, gathering passwords, any number of things. Then, when the time is right, they hit. You can restore your backup, if they have not infected it, but they may have all your information, and the real threat is selling it on the dark web or exposing it in public, or worse.
They can't get us, all our data is in the cloud so we are safe, right?
How did your information get into the cloud? You entered it from your computer or moved it from your computer. Having your data in the cloud does not mean it is safe; it just means that it is not local. Here are some examples of how data in the cloud is not safe:
- If they get your password to your cloud environment using a keylogger on your computer or some other way, they have full access.
- You are assuming that your cloud provider cares as much as you do about your data. They may, or may not.
- How financially sound is your cloud provider? Even big companies go out of business, and you could lose your data that way.
- What if someone uploads an infected file to a shared folder and it infects your data in your cloud environment?
There are many more possibilities to consider. The cloud is not as safe as you think.
We are too small, why would anyone care about us?
Size does not matter; opportunity matters to the bad guys. Sure, they go after the big companies, but the bigger the company, the longer it takes to target the attack. They may take years to gather all the information to create the perfect situation where they can score $100,000,000. BUT in the meantime they need small, easy targets to "put food on the table," so to speak. That is where the small, easy targets come into play.
Besides, what is small? Do you have one computer in your home office? Is that small? Do you have $100,000 in the bank? Is that small?
We had an individual call us and tell us that he got a message on his screen that told him he needed to call this number, that "Microsoft" needed to help him clean up his computer. He called them. With his wife telling him constantly to hang up, he continued to talk to the bad guys and gave them access to his computer. (This is a true story.) They then proceeded to tell him that it appeared the infection could have impacted his bank account, and asked whether he could log into the account. HE DID. They stole $100,000 out of his account.
Was this a "too small" situation?