If you own a small or medium business, your chance of being a victim of cybercrime in the next year is one in seven. City of Surrey cyber security manager David Izzard sheds light on some eyebrow-raising statistics and offers some practical advice on protecting yourself.
If you’re not creeped out by cyber-villains, you’d better get with the times. Especially if you own a business.
David Izzard, cyber security manager for the City of Surrey, knows the score.
“Sixty per cent of all small and medium businesses that experience a breach fail, and the vast majority are out of business in six months,” he warns. “You’ve gotta take cyber security seriously as a small or medium business.”
Last year, Izzard and his five-member team stopped 94,000 malicious web attacks on city hall in six months and well over 100,000 malware attempts in that same period.
“We also have some systems that you guys won’t have,” he told business owners at a recent community safety breakfast, sponsored by the Downtown Surrey Business Improvement Association.
“We call them advanced threat detection systems so this actually detects malware that hasn’t been seen anywhere in the world and it’s unique, targeting just the city. In the three months that we installed that system we were able to stop 113, I believe is the number.”
By October, city hall hopes to launch a website where residents and business owners can learn how to be more cyber secure, in keeping with October being Cyber Security Awareness Month.
“Hopefully it’s up and live by then,” Izzard says.
While his job is to protect city hall from online crooks, it’s also his mission to convert small and medium-sized business owners to the conviction that failing to be cyber secure is a sure way to court financial peril, and the volume of research he’s amassed bears that out.
According to the Canadian Chamber of Commerce, nearly half of all small businesses have fallen victim to cybercrime and a Symantec internet security threat report issued this year indicates that small and medium-sized businesses were the targets in roughly 65 per cent of all attacks in 2015.
“They are a favourite target,” Izzard warns. “They have less security. Your chance, as a small or medium business, of being attacked in the next year is one in seven. One in seven.”
According to a study on data breach preparedness by the Ponemon Institute, 45 per cent of senior executives surveyed say their business experiences cyber attacks hourly or daily. Forty-three per cent of U.S. companies in 2014 experienced a data breach, and in 89 per cent of those, greed was the motive.
The statistics for 2015, Izzard says, are expected to come in at “well over 50 per cent.”
“Our world has fundamentally changed in the last five to 10 years. Cybercrime is on the rise and it’s growing at an astonishing rate. The vast majority of these breaches now have a financial motive, so it’s no longer state-sponsored, terrorist attacks or espionage.
“It’s really fundamentally about making money,” he explains. “In fact, it is so profitable, you can now make more money in cybercrime than you can in the drug trade.”
Ponemon’s research reveals that global IT security spending has increased by 11 per cent over the past decade and, according to a SecurityLabs report, new malware is created every 3.5 seconds.
A Sophos security threat report indicates 30,000 websites are hacked every day and McAfee Labs’ threat report for 2015 reveals that ransom-based computer attacks have increased by 127 per cent. That’s when cyber criminals seize a company’s data and hold it hostage, or shut down services until the company they’ve targeted pays a ransom to have the lock released.
“Cyber criminals are now offering cybercrime services, digital services, to other would-be attackers,” Izzard notes.
“What makes this so scary, at least from our perspective, is you no longer need a lot of technical knowledge – you don’t need to be a computer geek to launch a cyber attack. All you need is motivation and a little bit of money…you can buy some custom malware and you can launch an attack. That’s actually what we’re seeing more and more. In fact, the number one attacker is actually organized crime.”
Izzard notes that cyber criminals basically want to accomplish one of three things, if not all of them.
First, they want to steal data – customer information, employee data, financial information and intellectual property.
This, he says, is “very valuable on the black market.”
They also might want to use a company to attack others, be it the company’s customers, staff members or business partners. And third, they want to extort money from companies by taking their data hostage for a ransom.
Security breaches can be vault-busting expensive. The average cost of a breach in Canada is $7.8 million, factoring in attacks against large companies.
Izzard presents a catalogue of profound corporate victimhood, with multi-million-dollar damage having been done to Home Depot ($56 million), Sony Pictures Entertainment ($100 million), Anthem ($100 million), Heartland Pay Systems ($140 million), TJ Maxx ($162 million), Sony PlayStation ($171 million), Target ($191 million), Hannaford Bros ($256 million), Ashley Madison (potentially $587 million) and so on.
Despite those heady figures, Izzard says breaches are generally more costly to small businesses – about three times as much – because of economies of scale.
So what can you do to protect yourself and your business?
Hiring an online security team, and making sure your service provider takes cyber security seriously, is a good start. Or at least have somebody on staff responsible for cyber security.
“If you do use a service provider, particularly an IT service provider, ensure that they have somebody responsible for cyber security on their staff. If they don’t, that should raise red flags – it’s time to change.”
Izzard said using a cloud “is really good for small and medium businesses – embrace the cloud.”
What’s a cloud? Not those fluffy things up in the sky. Cloud computing involves storing and processing data through a network of online servers as opposed to relying on your computer’s hard drive. It can be a good way to be secure, but don’t assume all clouds are created equal.
“You want to make sure you’re using trustworthy clouds,” Izzard says, adding that the Cloud Security Alliance has a “star registry” where you can see how yours rates.
“This is a registry where these cloud providers have been third-party independently tested and verified for cyber security. If they’re not on the star registry, you probably want to avoid them.”
If you’re using Wi-Fi, make sure it’s secure, enable auto-update for all your systems and applications, and encrypt your devices so your data is protected in transit.
Izzard recommends not opening email from people you don’t know, and that business owners instruct their staff to do the same. If you’re not expecting an email, he says, chances are it’s not legit.
Never click on links contained within an email, he adds, and don’t open attachments even from people you do know.
“You might be practising good cyber security hygiene, but it doesn’t mean the folks you do business with are. If it’s something you’re expecting, you’re probably safe.”
Izzard said the City of Surrey is seeing far more links than attachments now, “and that’s because people trust links more.”
It’s also important for businesses to protect their social media accounts, he advises.
“This is your online reputation, and if you don’t protect these accounts, the cyber criminals can hold your reputation hostage and the damage they can do, in social media, is frightening.”
Millennials rely on social media for information, he notes, “So if you’ve got a bad reputation online in the social media’s face, you’re pretty much out of business when it comes to them.”
Obviously, having strong passwords is important. They should include numbers, uppercase characters, and be at least 10 characters long. Izzard suggests you include in yours something you know, something you are and something you have. Use two-step verification on all your accounts. How does that work? Set your system up so that you have to provide a second piece of information, after entering your password, to access your accounts.
Izzard says making sure all your software and systems are up to date, automatically, and immediately, and using a two-step verification will reduce your chances of becoming a cybercrime victim by about 85 per cent.
And doing all the above will not only help business, it might even attract it.
“Interestingly enough, over 52 per cent of customers would actually pay more for goods or services from a company with a good reputation in cyber security. Customers are willing to pay more,” Izzard says. “So cyber security is no longer just a business expense, it is now a strategic competitive advantage that drives market share. Being secure gets you more customers. It’s a pretty bold statement, backed up by numbers.”
Izzard said a survey done by the New York Stock Exchange found that cyber security is now so important to businesses that in 80 per cent of the companies surveyed, cyber security topics were the number-one agenda item of boardroom discussions for every single meeting. “That’s the world we’re in today.”
According to the Deloitte Consumer Review, 73 per cent of consumers would reconsider using a company that had a data breach.
“Security also now drives customer decisions.”
Izzard notes that while the vast majority of threats are from the outside, and generally involve organized crime, “There are malicious employees out there. Especially if you’ve gotten rid of one but haven’t disabled their access to your systems.”
But ultimately, Izzard has found, “grey matter” is the best defence against cyber crime.
Sure, employees can be the weakest link as criminals might try to convince them to do something. This is easier than hacking a computer. But there’s also a flip side to that coin.
“Here’s the thing: You can turn that around,” Izzard says. “Your employees can actually be your best defence. There’s no replacement for grey matter. There’s no security system in the world as good as a human being that is aware at recognizing things that are not legitimate.”
He advises businesses to teach employees about cyber security, but not to make it about “the business.” For example, the City of Surrey launched a cyber-security awareness campaign for staff. It did not specifically focus on how to protect city hall, per se. Rather, it aimed to teach staff how to be cyber-secure in their daily lives.
“Good behaviours at home translate into good behaviours at work,” Izzard said. “Make it about the employee rather than about the company.”