At first blush, two major Las Vegas casinos, a consumer brands giant and a regional healthcare system, would appear to have little in common. But unfortunately, MGM Resorts, Caesars Entertainment, Clorox, and Prevea Health/HSHS have all been recent victims of separate cyber security incidents profoundly affecting each organization.
Even now, weeks following the actual attacks, these organizations and their customers continue to face ongoing operational challenges and significant financial impacts.
The question is, could the same happen to you, a small or medium-size business owner?
Although high-profile cyber attacks dominate the news, the real headline is the unprecedented surge in local and regional cyberattacks, which are causing costly, dangerous downtime and tens of thousands of dollars in recovery costs for small to medium-sized businesses (SMBs).
With the lack of news coverage, it might be tempting for SMB owners and managers to think their modest size makes them safer, as though they’re too small to be a hacker’s target. It’s the old “security through obscurity” strategy.
The big problem with this strategy is that it just… doesn’t… work. Blind faith in this “small = safe” fallacy is putting dozens of SMBs in the United States out of business every day.
Here are 3 lessons that SMBs can learn from the recent high-profile cyber attacks:
LESSON 1: It’s not a battle; it’s a war. And it’s not being fought like you think.
One of the most common misconceptions is that cyber crime is like a burglary — – a “smash and grab” affair where criminals kick in a door, rush in, take what they can, and get out. The comparative reality is more like this…
Modern cyber criminals are intelligent, sophisticated, patient, methodical, and well-funded. The “cyber-burglar”, in this case, is a master of deception and disguise, and their groundwork begins long before the actual crime.
Often, they start by interacting with your employees outside of work — — at the grocery, post office, farmer’s market, or in the employee’s favorite local restaurant – — typically posing as a friend, relative or co-worker in order to gain trust.
They study your employees’ habits and assess their personalities in search of the right blend of access, influence, and naivete.
Once the “cyber-burglar” spots their mark — — let’s say it’s your CFO, Susan — — they disguise themselves to look like her and talk like her. They drive her car and park in her spot, as they spend weeks or even months operating within your business as a trusted, high-level employee.
Pseudo-Susan watches, listens, and learns, collecting, sorting, duplicating, accumulating intelligence, and amassing leverage. And all this time, you have no idea.
Until the day you arrive at work and your keys won’t work because all the locks have been changed. You try to peer through the glass doors and windows, but they’ve been painted black from the inside. There’s no one around… just a ransom note taped to the doorbell.
The note instructs you to transfer $500,000 in Bitcoin to Pseudo-Susan’s cyber crime syndicate by noon Myanmar time the following day. Failure to do so will result in the random distribution of your company’s most precious assets across the most unscrupulous parts of the globe in a manner resembling feeding time at Gatorland.
If cyber crime were like a burglary, that’s what it would look like. We understand if this sounds like Hollywood fiction, but it’s reality and happening to SMBs every day.
LESSON 2: You can’t hide, and there’s no blending in.
According to the U.S. Small Business Administration, there are roughly 33.2 million SMBs in the U.S. As one SMB in 33+ million, you might be tempted to think there’s safety in numbers. There’s not.
Verizon’s 2023 Data Breach Investigations Report reveals that 61% of small businesses in the U.S. reported being the target of a cybersecurity attack in 2022. This is up from 56% in 2021, showing that cybercriminals are increasingly targeting small businesses.
If a Bad Actor can’t hack Jack’s Snack Shack, do they give up their nefarious ways for a new life of pro bono web development for philanthropic causes? Sadly, no. Not while there are 33,199,999 other SMB targets of cyber attack opportunity.
The financial consequences for businesses that are victims of cyber attacks have increased considerably. In 2022, the average cost of a security breach or theft of IT assets and infrastructure for an SMB was more than $200,000. Worse yet, for most SMBs impacted, that breach was a death blow; over half were out of business within six months of being victimized.
Lesson 3: Your SMB is already in the crosshairs. What happens next is up to you.
Cyber criminals specifically target SMBs because nearly every SMB holds a treasure trove of valuable data that can be exploited, including customer addresses, financial information, and trade secrets.
Unlike larger corporations, many SMBs have very modest security resources, making them a soft (easy) target for hackers. And then there’s the hacker’s leverage.
Particularly when it comes to ransomware, SMB owners often feel forced into a “do or die” situation, paying a huge ransom to regain access to their computers, business-critical data, intellectual property, inventory and banking information.
In multiple interviews with SMB owners who’d paid thousands or hundreds of thousands of dollars in ransom, a common theme was the small business owner’s desperation to avoid the liability, embarrassment and reputational damage that threatened to destroy all they’d worked to build.
Being proactive regarding your organization’s cyber security posture is the only way to stop “being the target of a cyber security attack” from becoming “the victim of a cyber security attack.” You are already a target. The $200,000 question is… will you be the next victim?
A Trusted Ally
Regardless of industry, but especially now, your business needs a trusted ally to help manage cyber security risks and improve security posture.
As a cyber security-focused, managed IT services provider (MSP), businesses of all sizes and from all industries look to ACP CreativIT and its family of technology solution providers for trusted cyber security expertise and robust, scalable, dynamic solutions to protect against significant losses.
Whether you are a retail business, a manufacturer, a bank, or an education organization, the security standards we espouse and the solutions we design can help you identify, protect, detect, respond and recover from cyber threats. We’ll also help your organization comply with relevant laws and regulations, as well as meet the expectations of your customers and stakeholders.
Your Next 3 Steps
- Refer to the 18 CIS Critical Security Controls and determine where your cyber security gaps lie.
- Prioritize your activities based on the gaps with the highest risk.