So, for those of you who have been following me on this creative journey I want to say thank you! However, this piece is going to be a little different style of writing for me. “Nick, please tell me this is not another baseball story”…… Well, today is your lucky day! I want this piece to be less about me, and more about you. The whole point of this is about you and your knowledge. I want this to be informative and as much as I would love to inform you more about my baseball career😉, I’m going to do my best to refrain from that and stick to informing you on the repercussions that you will face if you are putting your business, employees and customers at risk.
I would like to start this off by stating, I think that it comes as no surprise to anyone when I say Cyber Crime is at an all-time high around the world. “Nick, we obviously watch the news and we have been seeing all the articles on the web…… what’s the point?” The point is, I’m not here to tell you about the influx of attacks and the precautions that need to be taken. (Refer to my other stories “Firing on all Cylinders” / “At your own Risk” if you want that information). The news, the articles, all the stories, they only tell you which companies have been hacked. I am here to paint a picture for you of what happens AFTER your company is hacked.
Anecdotal Story worth Telling
I recently heard from a prospect of mine (let’s call her Robin), and she owns a successful business. Although I won’t be naming her company or even the industry she is in, I believe this story can explain the risks that are out there today. Robin reached out to inform me that her company had been hacked. The hackers had encrypted her company data and they were holding it for ransom! My first thought was to ask about their current IT situation and how they had been handling that side of the business before the attack. Robin told me that they did have an IT employee, but after talking with her I realized that this was just the typical “Break / Fix” style of managing technology. “Break / Fix” IT employees are usually there to do their best to keep the office up and running and respond to user or equipment problems. I explained to her that although these functions are important, this is a reactive approach to technology management. This type of break / fix approach usually never involves regular maintenance or proactive, defensive changes to the network to maintain the safety of data. When I began to ask more questions, Robin came to the realization that their current IT employee did not have the expertise that our consulting department has in the area of IT Management as well as Cyber Security Posturing. (I would like to reiterate that I’m not being critical about this particular IT employee. Managing an entire network and all of the devices in a company is not a task that can be delegated to one or even two IT employees. That is why at General Informatics we have a company full of Cyber Engineers who all work together to ensure we are proactively managing the entire technology environment for our clients.) Robin also said “They (the hackers) want to be paid in Bitcoin! How am I supposed to get Bitcoin?” While it has gotten easier to deal in cryptocurrency, it is not as easy as writing a check.
The next question was “How do I know that once I pay them, that they will give me my data?” The answer is YOU DON’T! The hardest part of the story was telling the prospect that we would have prevented this from happening or at a minimum had their data backed up. We could have rolled back to the day before the hack and then mitigated any remnants of ransomware that might have been on the machine. We would do an airlock – mitigation clean and then we would have been able to get them back up and running.
Now this particular solution would solve the dilemma of getting your information back and not having to pay the ransom, however, this is only the BEGINNING of your problems and expenses. Now let’s get into the real stuff………..
Reality
There is a funny saying in the Information Technology Industry that I will share with you all. “You always feel that you are secure enough…. until…. you aren’t.” A recent study interviewed business owners whose companies have been hacked and they were all asked the same question. “Looking back, how much would you have spent on Information Technology to avoid what has happened?” Across the board all the answers were the same: “ANYTHING.” You see, it is way more than just “Can’t we just pay to get our information back? Is it just a fine we pay?” Questions like these are the point of this article. The reality is, until you understand the repercussions of your business being hacked, you can never truly understand the importance of your security measures.
Lawsuits
This is obviously the first thing that comes to people’s minds when a company is hacked. Let me stop you right here if you are thinking “I don’t really deal with confidential client information.” Although that may be true, what about the employees that work for you now? You have all their personal information somewhere inside your system (Bank accounts, credit cards, social security numbers, etc.). Every company has either internal or external confidential information inside of their business and this information needs to be protected from getting into the wrong hands. When things like that do get into the wrong hands…. I can tell you that there is almost ALWAYS legal action from the party involved. During the lawsuit there will be an extensive amount of investigation into your company’s policies and procedures that deal with technology and security for your business. This is where I CANNOT STRESS ENOUGH that your company needs to be on the right side of this investigation. If the investigation finds that you have been negligent in creating an environment of safety through proper, documented policies & procedures of how data is stored and processed, then it is safe to say that the law and any judgements will likely not be on your side.
Not So Fast
Let us not have this entire article only focus on the negatives! What do you say about a little good news? For instance, if credit card information was stolen and used fraudulently after an attack, your company does not have to reimburse the card owner for the amount charged!! As a matter of fact, the bank is responsible for that and will pay the credit card holder back for you. I know right? How awesome is that? NOT SO FAST! The bank may be reimbursing the cardholder, but if your company was hacked and that credit card information was in your system at the time of the attack, the bank will be seeking reimbursement from your company.
There is more?
Lawsuits? Bank Fines? This is only the beginning. Not all information taken from a cyber-attack is used immediately. There is a strong possibility that your company will have to cover everyone whose data resides in your system and is potentially compromised. I am talking about Social Security Insurance and Credit Monitoring for 2 years that covers every person whose information was put in jeopardy during the attack (employees and customers)! As you can see, the next few years for a company after a cyber attack are going to be very expensive.
The Toughest Test
On top of all the legal fees, fines, and expenses after a cyber-attack, the toughest thing for a business to overcome is the damage to its reputation… it’s hard to return to how things were before the attack. Once your company is attacked, the reality is that the news trucks will be in your parking lot! People from all around the area will be seeing your company in a very negative way. The media will be buzzing about the latest cyber criminal attack and your company’s name will be front and center for everyone to see. Here is the problem with that. How do you go about doing business after that? Reputation becomes everything and whether you are a Business to Business or a Business to Consumer type company, everyone will be extremely hesitant when it comes to doing business with you. Odds are, they will be looking for other companies to do business with as all they can think about is their information possibly being stolen from you again. As a business owner you know how hard it is to gain your customer’s trust the first time…… Imagine having to try and win it back after losing it? This reputational risk is one of the main reasons companies cannot recover from Cyber Attacks. Large businesses around the world spend millions of dollars on public relations and marketing efforts to try and restore their reputation and win their clients back. After all the other costs associated with a cyber-attack that we have already discussed, how much more do you have to dump into reputation management?
Take Away
I know what you are thinking……. and yes! This is a completely different style of writing for me, but I am very passionate about this topic. Being in the Technology industry and working for a Managed Services Company, one of the things we manage for companies is their Cyber Security! I cannot stress to you how important it is to make sure you have trained professionals monitoring your network and your environment at all times. YES, ALL OF THESE THINGS CAN HAPPEN TO YOU! Yes, you will still be targeted even if you are a small or medium sized company. There is a reason why 60% of small businesses were attacked in 2020. Whether you are a small, medium, or large corporation, you need to invest in your Cyber Security. The risk is simply too great to ignore. As a country we need to change the mindset of “It’s not going to happen to us” to “We will be ready for when they come for us!”
If you have read all of this and want to know more about how your company would hold up right now against a potential attack….. Please reach out to me! nmorgan@geninf.com
At General Informatics we offer a wide range of Network, Security, and Vulnerability Risk Assessments to allow you to put your current Cyber Defense measures to the test.
Don
Posted on May 18, 2021 at 1:27 am
Always a good read Nick