Cyber Espionage Infiltrates American Small Business
The last thing an architect could imagine is that his company’s proposal for a new commercial building site along a stunning San Francisco Bay view would lose to a competitor with a similar design and infrastructure, a lower bid, and a leaner delivery schedule. It happened. And cyber-espionage was the culprit.
New technology spans the globe as small businesses find themselves victims to espionage as someone steals their sales pipelines, customer lists, corporate secrets, and corridors to their Fortune 1000 clients without their knowledge. It was Robert Mueller, former head of the FBI, who stated in 2012 that “there are only two types of companies: those that have been hacked and those that will be.” A well-known attorney updated that comment recently when he warned his colleagues that “You are a company that has been hacked or a company that doesn’t know you were hacked.” This is a reality check for all business owners.
Security is a challenge for small business
America abounds with small businesses; they make up 99.7 percent of all U.S. firms with paid employees and account for almost 48 percent of private sector employment, according to the 2016 data from the Small Business Administration. They’re truly the lifeblood of the nation. Small businesses can effect change more quickly, adapt to new technologies sooner, and often define the forefront of their fields. However, small business is still a constant struggle; like salmon swimming upstream to spawn, some won’t make it.
In addition to being the masters of their crafts, small businesses must persistently focus on the milestones of success: profitability, customer loyalty, scalability, finding and keeping a valuable team of employees, achieving authority and reputation in their industries and, of course, hitting sales goals. Excelling in these endeavors leaves little mindshare, energy, and budget for anything else, but in an age where all businesses must have a growing online identity and presence, the door is wide-open for new threats to success.
It’s a great challenge to keep company data safe while simultaneously making it accessible to the staff who need it, when they need it, where they need it. Indeed, once a business is using technology and choosing not to focus on security, it’s impossible meet these goals. Take Sony Pictures as an example. It geared its corporate network infrastructure toward making the lives of its armies of employees easy rather than keeping their corporate data safe. The result: The doors were invitingly open, and it rolled out a red carpet, welcoming the extensive cyber espionage perpetrated by the Guardians of Peace group in 2014[2a,2b].
Consider also the massive 2013 Target[3a] credit card data breach when hackers could penetrate Target by hacking a small business vendor[3b], stealing that company’s access to Target’s corporate network and using that to infiltrate Target’s systems.
Indeed, the 2016 data from the Ponemon Institute shows that of the small businesses surveyed, 55 percent experienced a cyber-attack in the past 12 months, and 50 percent suffered a data breach in that same period. It’s true that if someone hasn’t attacked you, then, either you just don’t know it or you’re in danger of becoming a target soon.
Half of small businesses surveyed suffered a data breach in 2016.
The rise of cyber-espionage
As business leaders realize the need for an active defense against potential cyber-crime, their attention seems to focus on preventing credit card fraud, protecting financial transactions, and securing patient health records. Unless they’re in information technology, they often overlook other vulnerabilities or give them much less attention. This is a perceptual issue stemming in part from the extensive media publicity around the large credit card and healthcare breaches of recent years. It also arises from legislation, such as the Health Information Portability and Accountability Act (HIPAA), and industry guidelines, such as the Payment Card Industry (PCI) standards that businesses must follow to accept credit card payments. Indeed, this attention isn’t unwarranted since 39 percent of all breaches reported in 2016 actually involved heathcare and financial organizations.
However, the media exposure and the 39 percent statistic do not tell the whole story. Most healthcare and financial breaches are from internal issues such as the misuse of access credentials, physical theft or loss, and human error. Rather than looking at breaches in general, it’s extremely useful to focus on the fact that 62 percent of all 2016 breaches involved hacking, and 75 percent involved people outside a company. 75 percent of breaches had financial motivations, and 21 percent involved cyber-espionage.
One in five breaches in 2016 was a direct result of cyber-espionage.
Cyber-espionage cuts across all industries with the highest incidents in manufacturing, the public sector, professional services, and education. External agents target an organization and go after valuable information and corporate secrets. Indeed, 88 percent of all cyber-espionage incidents reported in 2016 resulted in data breaches; cyber-espionage attackers are generally successful. While the number of cyber-attack incidents in 2016 was small compared to other security incidents (like denial of service attacks, privilege misuse events, etc.), cyber-espionage was still the second largest cause of data breaches. Only direct attacks on company web applications resulted in more breaches.
Cyber-espionage was the second largest cause of data breaches in 2016.
Cyber-espionage is also the fastest growing form of data breach. Everyone knows hackers are out there; the data tells you they’re active and attacking increasingly more companies, going after sensitive corporate data. A strong, well-prepared defense is the only way to mitigate the extent of the damage that an eventual attack may cause on your organization.
Why the HIPAA law continues to leave healthcare vulnerable
Unlike most industries, healthcare is blessed and cursed with laws designed to help organizations protect sensitive data and patient healthcare details. HIPAA became law in 1996 and was subsequently revised by the HITECH (2009) and Omnibus acts (2013). With HIPAA in place for so long, why are we constantly hearing about healthcare breaches? Breach reports keep rolling in to the Department of U.S. Health and Human Services (HHS). For July 2017 alone, there were 29 separate reported HIPAA breaches (there were probably 10 times as many unreported or unknown ones) affecting hundreds of thousands of medical records.
It’s been 21 years: What’s the problem with the healthcare industry?
The authors wrote the HIPAA law to be extremely flexible. It allows individual organizations to choose for themselves the best way to meet the security and privacy requirements and recommendations (such as encryption, access control, auditing, training, etc.). HIPAA, however, provides little guidance about what, specifically, an organization must do. The HIPAA privacy rule doesn’t even require the organization to eliminate every risk to patient data; it instead offers a balanced approach so organizations can, in many cases, consider the risk level versus the cost or impact of mitigating that risk in determining what they’ll address. As a result, the HIPAA law has vast gray areas in terms of is or isn’t acceptable based on the situation at hand, the cost of risk mitigation, and the level of risk itself.
If this ambiguity wasn’t enough to cause problems (and it’s more than enough!), it was only in the past two years that HHS has actively investigated breach reports and imposed fines on organizations. Prior to the HITECH act of 2013, there was no legal penalty for non-compliance. Before 2015, the penalties were not being imposed.[6,7] A general apathy toward following the types of security procedures that would protect organizations, especially smaller ones, from breaches resulted from the legal ambiguity and the lack of oversight. Companies would rather spend their time and money in other ways. That apathy has also resulted in healthcare being unique among industries as having the highest percentage of breaches resulting from internal issues—misuse of technology, lost hardware, and human error.
Only now that the HHS is ramping up its auditing program are organizations of all sizes really starting to examine their risks and taking steps to become more secure. This is happening from the top down. Larger organizations with established IT departments and budgets are moving faster toward true compliance, while many small businesses still have no idea what they need to do or even what their risks are. Even with this positive trend toward compliance and higher security standards, most healthcare organizations are still making a myriad of mistakes and compromises that leave them very vulnerable to attack and data breaches. The largest organizations are often even more vulnerable than smaller ones that exert more actual control over their personnel and technology.
“All your communications [are] belong to us”
Data flow and data storage are the lifeblood of modern organizations. They are also the arteries from which attackers suck the oxygen from our companies. Every communications channel introduces its own security risks and exposes data in different ways and through different systems.
Even brick-and-mortar, mom-and-pop businesses are dependent on digital services, with the tendrils of company data and exposure reaching out through more channels than you may think: email, text/SMS messaging, chat, VOIP, video conferencing, online file storage and sharing, credit card processing, corporate websites and databases. Don’t forget venders or an online company that may handle customer data stored in customer relationship management (CRM) systems and email marketing platforms, company financial documents, bookkeeping and payroll. Finally, social media and social apps extend a company’s reach to their clients’ mobile phones: Facebook, Twitter, Pinterest, YouTube, Yelp, TripAdvisor, etc. All these avenues have been, can be, and probably will be attacked and compromised—repeatedly. We hear about it all the time. Even the smallest businesses aren’t immune; often they’re the most vulnerable due to their general lack of security consciousness.
Every vendor and social media account is a source of risk and a potential avenue of attack.
Unlike an actual brick-and-mortar business, which is easily protected with locks, alarms, cameras, guard dogs, doors, and the like—and where criminals must be physically proximate to the business to have an impact—an organization that places those tendrils on the internet are all individually vulnerable 24/7 to attackers from around the world and similarly vulnerable to corporate espionage.
It really is a slippery slope. As companies struggle for market share and sales, they clamor to take advantage of every technology that can affordably assist them to these goals. Each one of these steps can and does increase the company’s risk profile. It’s a troublesome tradeoff that thoughtful best practices must accompany to minimize the potential threats each new vendor and each new venture poses.
A proportional response
The first step that any expert will recommend to a small business owner concerned about security and cyber-espionage is: Examine your risk. Take an inventory of everything sensitive to your business, e.g., corporate secrets, customer data, sales data, your financial information, your future plans, and the credentials to accounts with other vendors and social media. Where does this data go? Where is it saved? What vendors have access to it? Can you trust these vendors? A risk analysis is a detailed trip down the rabbit hole of “what” and “what if.” It is critical to understanding what damage a determined attacker could potentially do to your business. The next step after a risk analysis? Make changes to lower your risk. It’s an iterative process that never ends.
Understanding your risk and making changes to lower your risk—this is a routine you should repeat yearly.
Most small businesses do not have staff with expertise to fully evaluate their own risk and to mitigate the risk uncovered. The common result is gaps in security defenses that attackers can drive trucks through, load up with data, and drive off leaving that business in breach (even if they don’t know it yet). It’s happening every day. Indeed, 61% of breaches in 2016 affected companies with less than 1000 employees.[5,10]
The best thing a small business can do is to hire expert help. Choose a company to assist with your risk analysis and an auditing of your exposure. Outsource as much of your technical operations as possible to third-party organizations that focus on security. This reduces your operational expenses, reduces your risk, and offloads much of the responsibility for any breach to these organizations. Having the right people involved who can identify your vulnerabilities and who can recommend or provide solutions is invaluable and extremely cost-effective compared to the alternative: becoming the next media headline.
 Annual report of the U.S. Office of Economic Research for fiscal year 2016. [https://www.sba.gov/sites/default/files/OER_Annual_Report_FY2016.pdf]
 Ponemon Institute. The 2016 State of Cybersecurity in Small & Medium-Sized Businesses. [https://keepersecurity.com/assets/pdf/The_2016_State_of_SMB_Cybersecurity_Research_by_Keeper_and_Ponemon.pdf]
 Verizon. 2017 Data Breach Investigations Report. [http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/]