© 2023 Delaware Business Times
Amid the ongoing reports of massive data breaches and cybersecurity attacks, small businesses continue to struggle with protecting their internal networks and their customers' personal information. A recent report from Continuum says that 77% of respondents expect to outsource at least half their cybersecurity needs over the next five years. Cyber attacks cost small businesses in the survey $53,987 on average, including $41,269 for companies with 10-49 employees. Five local experts came together in early September to discuss the challenges and offer solutions.
DBT: How has the landscape changed over the last few years?
John Boykin: I think one of the false narratives is companies that say, "We're not an e-commerce company, this doesn't impact us." This impacts all businesses.
Jake Blacksten: A lot of our small businesses come to us and say, "Well, I'm just a mom-and-pop shop, I sell biscuits, so cybersecurity doesn't apply to me." If you take credit card information, you collect data so it applies to everyone. We have to keep reminding small businesses that they're not immune.
Keith Chisarik: I would say that cyber-attacks are much more sophisticated than they were a few years ago. Fighting them requires more expertise, training, education and diligence than ever.
Jim Garrity: It's a lot like dynamite fishing right now. It's very, very easy to penetrate environments so you have to make sure that you're partnered up with people that can help you develop sound strategies.
Matt Denn: On the legal landscape, a lot of the change has been responsive to the comments that you just heard about the increased nature of the threat and the sophistication of the threat. Previously, a lot of the state statutes, including Delaware, were focused on the responsibilities of data holders after a breach occurred. There has been an increased focus, both on the statutory front and on the enforcement front, over the last couple of years, on what's being done preventatively and what steps businesses and individuals are taking before a breach occurs to try to ensure that A) it doesn't and B) that there can be an effective response, if it does.
What's the fastest growing area of concern for businesses?
Boykin: Social engineering, where they're not actively stealing your money and your funds but doing invoice manipulation or sending phishing emails where they're actually tricking people into parting with their funds. We have people who are transferring hundreds of thousands of dollars to bank accounts that aren't where the money is intended to go. What we'll see a lot of times is someone is getting into one of their vendors' system and then sending an ACH change information request so when the client gets a legitimate invoice, they'll pay it, but it's going to a different bank account.
What do you advise people to do in that case?
Boykin: Have the appropriate insurance coverage that will indemnify them in that situation, but more important, create a policy/procedure that requires your team to confirm any outgoing ACH by phone.
Garrity: That was one of the big concerns of a new client recently. I walked into mortgage lending one day, and said, "OK, I'm brand-new. When do we get paid, every two weeks?" I was asking some very basic questions and then went to a different department and asked, who's our payroll provider? I waited a couple of weeks and then one morning, I sent what looked like a legitimate ADP email about paychecks with a link so they could look at it online. But behind the scenes, the backend hyperlink went to another website. I had an internal web server that posted a page that said, "You've been hacked." And, then our help desk started blowing up with calls.
Boykin: It's attacking the human element. You can have all the technical capabilities in place, but we can't get rid of the human element.
Chisarik: Roughly 90% of breaches occur through social engineering, spear-phishing or email attacks. I stress ongoing training with my clients. Many will provide training once per year, to comply with their insurance, but if a new employee comes on board, they miss the training session. Spear phishing is a targeted email attack designed to get you to either click on a link or give up some information either through intimidation tactics. Fear is something that attackers use a lot. It's like, "Hey you've done something wrong," and it says in the email, "If you don't do this, your boss is going to find out, or we're going to put it out on the internet that you were doing things that you weren't." They ignore all their training and it's almost instinctual. It's human nature, to want to protect yourself and people really prey on that.
Blacksten: Physical security is just as important as network security. Everyone trusts a person with a computer claiming to be IT. They walk right in and are granted access to everything simply because employees don't have the proper training to verify a person's credentials. We train on password security, email phishing, data segregation, but the most difficult part to overcome as humans is the over-willingness to trust people. Verifying that the IT person was called to fix your computers is key. Double-check that something is broken and needs fixing. We also find a lot of our small businesses are very eager to connect everything. They're hooking up their cameras, door locks, lights all on the same network they do business. You name it, they're hooking it up to Alexa or Google. If you don't have a secure network, which small businesses usually don't, then you are granting hackers access to everything. Small businesses want to offer public Wi-Fi but they don't separate it from their internal network. An attacker just has to connect to the free public Wi-Fi then in one hop they are in the business network. Small businesses try to compete with the chains and offer all these amenities, yet they don't have the experience nor the knowledge to combat the issues that could come with it.
Garrity: Creating separation from your own internal Wi-Fi is one thing, but guest Wi-Fi is still a responsibility for companies that offer it. If you walk into some coffee shops that aren't particularly tech-savvy, a lot of times you'll see a guest Wi-Fi network, but the easiest thing you could do as a technology professional is to start to scan that network to see who's doing what. You can actually isolate each guest Wi-Fi used so that I can never scan anybody but myself and the outside internet.
Are any of the threats different for very small businesses?
Garrity: Take an up-and-coming brand-new company that's got some intellectual property; that's where it becomes really dangerous.
Chisarik: We've found that a lot of small businesses don't even have the bare minimum of protection. It might be because they've got a friend or family taking care of their security. And, they often don't even start because they think that this is going to be expensive. And, it doesn't have to be, there are even free resources available.
What new developments have occurred in Delaware with respect to privacy and data security?
Denn: There was an overhaul in 2017 of the state's data privacy statute that made more specific what the responsibilities of data holders were when a breach did occur. A brand-new requirement under Delaware law is that reasonable precautions be taken prior to any incident to ensure that data breaches don't occur. It's a very general requirement. It's one that's existed under federal law for a long time. But the federal enforcement mechanisms are a lot more cumbersome than the state ones are. So, now Delaware and other states have a general requirement that businesses and other data holders take reasonable precautions. And, there's a lot of uncertainty as to what exactly that means, and how it's going to be enforced. I think that's the most significant development in Delaware. One of the issues that attorneys general in other states have been focusing on is data encryption, particularly encryption of what's called at-rest data. There is also a new Delaware data privacy statute that applies specifically to people and entities licensed under the insurance code.
Is there anywhere in particular that people who don't have enough money to go outside for a third-party provider go and get some good examples of policies?
Garrity: You can start with an organization called SANS. They have information security policies and other types of documentation that you can get started with. The Delaware Department of Technology Information does a terrific job.
Boykin: I'd say if they do have cyber-insurance in place, the carrier should be willing to help with a lot of that too.
Chisarik: Yeah, and NIST (National Institute of Standards and Technology) also provides a comprehensive framework on its website with actual step by step guides.
Blacksten: I would agree. All of Delaware SBDC cybersecurity material is offered for free. And, it's all built off the NIST framework.
Under what circumstances should a company bring its cybersecurity in-house versus hiring a third party?
Garrity: My advice is go find advisers to bounce ideas off and to ensure that what people are telling you inside the organization are the right things.
Blacksten: Small businesses typically don't have a lot of money to spend on cybersecurity. They can turn their computer on and take credit cards and that's about it. They run their business and they're really good at what they do. But that's when I would suggest that they seek outside help because that one incident where credit-card info is stolen or you send money somewhere that you shouldn't have, you're down for the count and you usually can't recover.
Boykin: You need to look at this almost how a company looks at their accounting services. Even when they have an internal CFO, they're still using an external organization to audit that information. I don't think it's smart for a business to ever just take one opinion, whether it's internal or external, you should have other advisors to double check because a mistake can be very, very costly.
Chisarik: I find in a lot of smaller businesses, the person that created the plan and developed the plan is the one approving the plan. I would call in an outside party to say, "Hey, do you see any holes in this?"
Denn: The one circumstance where I think going outside is [mandatory] is if there has been some sort of incident. The only responsible thing to do then is to bring in a team to help deal with it and you can sometimes start with one part of that team and they can make recommendations for who else ought to be involved. You may be looked at legally as to how it was addressed where you don't want to try to do it yourself.
So, if I decide to go talk to an outside provider, what questions should I ask?
Chisarik: I would start by checking certifications, experience, references. Groups that they've worked with, if somebody is working with a government agency or certified by a government agency, that can be a good indicator that they have strong credentials. Do your homework. Checking references is important.
What sort of things should a small business owner or any business owner that's getting cyber-insurance be looking for?
Boykin: Cyber, initially, was an e-commerce threat. And, most cyber-policies have been designed to protect the third party, so to protect your customer when their data's stolen, or anything along those lines. I view cyber-insurance more as a first-party coverage now. So, just like you would insure your own building from burning down, you're insuring what's at risk for you. Deal with an insurance agent or broker that knows what they're doing. Probably one of the few things Matt and I will agree on from an insurance standpoint, there's not enough education in our industry. There are people getting into our industry who can barely spell insurance. So, that's one of the issues is that all insurance carriers now are offering a watered-down cyber-product as part of their commercial package or business owner policy. That's not what business owners need. They need a specialized cyber-product that's covering the first- and third-party exposures, in addition to all of the expenses associated with it, because in many situations, those expenses of just figuring out what happened, are going to be much greater than the data or the lost income associated with it.
Tell me three or four things that they should look at when they're purchasing cyber-insurance.
Boykin: What they really want to make sure is that they have some type of social engineering or funds-transfer fraud coverage as part of their cyber-product. Cyber-extortion is a really big one, obviously. That's when they're encrypting your data and you have to pay them in Bitcoin to get it back. We want to make sure that they have invoice manipulation. They pay this bill, well now that other company is suing me, because my invoice was manipulated. That's a tricky situation. Because essentially, they have the claim for social engineering but they're coming after me for the liability of it. Another big one that we see, that a lot of people don't have, is reputational harm coverage.
Denn: Let me ask John, how much difference is there among carriers in terms of the insurance flexibility to choose who is assisting them, once there has been a breach. I understand there are subject-matter coverage differences, but one of the issues I've seen come up from time to time is that someone has insurance, but the network of people, or the coverage amounts, that they're allowed to spend, limits their choices as to who they can use, how much ... is that something people should be shopping for, or is it pretty uniform in terms of the coverage options?
Boykin: I think with a really sophisticated buyer who understands that, absolutely. There are carriers that have different panels. So, you can't necessarily choose anyone that you want, but you can choose between a panel and get some different options. I would say your average business owner that is purchasing cyber-coverage, honestly for people just purchasing insurance in general, they see something that says cyber-insurance, and they just think they're covered. Most businesses are worried about their workers compensation or their employment practices or these other lines of business, but I really think people need to start looking at cyber as not a matter of if it's going to happen, it's when it's going to happen. And, if they can hack the NSA, they can hack you.
I'm a CEO or COO, and we've been so focused on trying to build the business that we haven't done anything, really, in this area. What's the first thing I should do? What's the first thing I should focus on to reduce my risk?
Garrity: The first thing is always to again plan your work and work your plan. Come up with a framework for your business as it relates to cybersecurity and information security policies are a great place to start. Only log into a machine that is non-privileged, meaning it has no rights to do anything (e.g., install software, access data). If I need to install software or something like that, I have to use a different set of credentials to install software. I keep on using the word different because it's important. A lot of times the way this works is, an IT professional has global or domain administration rights. So, they're a user plus they're a local admin plus they're a server plus they're a domain admin. If that user eventually gets hacked because another user has an issue, it starts to propagate through a network. As soon as I have that user compromised, my network is fully compromised. I really would start with that IT professional and say, "Look, we don't trust anyone with anything."
Blacksten: Segregation of data, segregation of credentials, who has access to what, is a big thing because in small businesses, particularly if you've only got one person who's doing all the HR, accounting, sales, and everything else. You need to divide your responsibilities and make sure that everyone has their own credentials and proper access. In the event of a breach, you need to be able to identify what was taken, at what time, and who was logged in.
Chisarik: I still meet a lot of business owners, CEOs, CFOs who think it's not going to happen to them. It really could happen to you. The laws have been great. They have helped me have those conversations where I say, "If this happens to you, you could lose business, you could lose credibility," sometimes those weren't enough. But, now adding on the laws and some of the cost that could be associated with that, take it seriously, have a plan, test the plan, a lot of people ... they have insurance requirement, they'll say "Look, we got to answer this page and a half of questions, okay I'm done." They don't touch it for three or four years; it's outdated in six months. If there was one thing technically, I would say, emails are the No. 1 entry point into any business. Link inspection and using software that lets you see where it's going. I had a user once that went to their bank and they said, "It just didn't look right." Their bank's website had been compromised. They noticed that it looked different and it was a copy from the week before. There are very affordable products out there that will track these things for you and help with that layer of protection.
If you get something that looks like it's from Comcast, but it's @37DifferentLetters.com, that isn't from Comcast.
Boykin: That's changed. We've asked our employees to hover over the email address and see if it's from them. But they've figured out a way now. I got an email with an Excel spreadsheet sent to myself, from myself. I sent it to our IT guy, and I'm like, "What the hell is this? This is from me, but I didn't send it to myself."
Garrity: There are strategies on the email side now with ways to append information to the beginning or ending of every email. The one thing that you can do within the email system is to say, "All right, this email came from inside or outside," so if I generate this email from the outside. It looks like you, it talks like you, it goes to somebody else in your organization, that still meets all the email principles. If I'm appending information that says this email came from a different IP address, than the Office365 bank of IP addresses, or this came from outside the organization, even though it looks like it's somebody from inside the organization. So, the subject line says external, you're going to know right off the bat, "Hey, even though this said it's from me, it really came from the outside, it's not from me."
What are you advising your clients around e-mail structures (e.g., First.Last@COMPANY.com)?
Garrity: We're not advising them of that, but one of the things we're telling organizations, all the time is, anything public ... so at some point, I would get email addresses and phone numbers, as much as you can, without phone numbers to the front door, so to speak. Get them off your website. And, then maybe at that point we change how your email addresses are organized, so to speak.
Blacksten: Let's go back to your original question, if you're an owner or a CEO and you're not sure what to ask, [it makes sense] to bring someone in from the outside. And, the nature of what you need to be concerned about is evolving so quickly that you may need someone to tell you what you should be asking.
To what extent do companies have to be concerned about laws outside of Delaware or their home state when determining if they're complying with their legal requirements?
Denn: They have to be concerned maybe even more in a state like Delaware where we are A) small and B) surrounded by other states. So, it's very likely that even if you're a Delaware business, that you have customers, that you're doing business with people who do live in other states and who may be protected by the state privacy statutes in other states. And, everyone is subject to the federal standards. There are differences at times between the states both in terms of front-end responsibilities and particularly in terms of after the fact responsibilities, once a breach has occurred.
Are there any high-profile platforms out there that should be a particular concern to businesses?
Boykin: Social media. I think looking at it from a liability standpoint, when you have 50 employees who all have Twitter and Facebook accounts and Instagram accounts, as the employer you can be held liable for what your employees are doing as far as bashing competitors, putting out information on a bad customer. I think that's something we have to be aware of, because we don't as employers have control, per se, of their social media accounts. But, what they're doing on their own time can impact your business.
So, you believe companies should have a social media policy in place?
Blacksten: Social media is how people get spear-phished. People, small businesses included, put everything online. Your kids' names, your boss, where you work, who you are connected to via LinkedIn … Everything is accessible. So, social media has connected us all and really helped small businesses but it's also the biggest player in our demise as far as our information is out there. And, we're publicly giving it to attackers.
Chisarik: Every platform can have an issue. I mean Google Chrome recently had what they call a Zero Day Vulnerability, a new bug found. What was secure two weeks ago may not be secure today. If somebody can find a problem with Google Chrome, they can find a problem just about anywhere. So, it's about knowing what technologies you have and really keeping them up to date. And working with your vendors to say, "OK, are there any holes out there that I need to patch?"
Garrity: If a client asked me to figure out how to access its network, the first place I'd start is social media. I start by communicating with others and usually within a few minutes, unless someone has built a good fortress, we're in. We do this for a living and I get scared for even our own company.
Denn: The only thing I'd add is when you're talking about social media policies, then you start to get into other legal and HR issues.
What sort of internal education should companies be focused on right now?
Blacksten: Phishing. That's still one of the largest credential-stealing ways to get everything. We can talk about phishing and then tell them not to click on the link, and blah, blah, blah, but then we need to educate on what happens when someone does click on the link. What are the procedures? What do you do?
Garrity: There's a tool called KnowBe4 that will test the organization at various times. You can set up how frequently you want to run these different tests. It sends out test phishing emails, internal to your organization to see who clicks on them, how they click on them and from there share, but not in an embarrassing way, that data with your employees. "OK, we had 30 people click on this phishing email. Let's talk about why."
Chisarik: There's prevention education and then there should be a climate of understanding and trust. The best phone call I can get is, "Keith, I just clicked on something and it doesn't look right, my machine's acting weird." To me that is an organization that has had successful training where it's OK to make a mistake, the employees recognize it and they know what to do.
Boykin: Fostering that environment where you're not going to be demonized or embarrassed if you do something wrong. It's going to happen and the difference between calling right away versus I'm going to wait an hour and see if anything bad happens. When it doesn't look right, call the person.
Chisarik: Who else got that email that you clicked on, because that email might have gone to 300 people? And, how many other people clicked on it? They can start proactive scans, so it's just great.
Boykin: Just assume that it's going to happen. That way you have the procedures in place, you can do all the proactive stuff that you want, but if they target you how you respond is just as important as what you're doing to prevent it from occurring.
What should a company do if it finds that data in its possession has been compromised?
Blacksten: Call professionals and have them put together a team and have them assist you in addressing it.
Garrity: Get the authorities involved early when you know something's wrong.
Boykin: Call your insurance carrier.
Chisarik: Pull the plug. If you suspect something's going on, if you've got 30 servers on site, you may have an issue on one, isolate the issue. I may tell a client to go to the wall and pull out the plug until I can get there, because it's going to take me an hour to drive there if I can't get in remotely. Be safe, pull the plug.
Jake Blacksten is a technology business adviser for the Delaware Small Business Development Center, which is part of the University of Delaware. He handles all cybersecurity awareness programs as well as all digital solutions for the SBDC throughout the state.
Keith Chisarik is vice president and IT director for Newark-based Sigma Data Systems, an information technology company that specializes in cybersecurity. He's been with the company for more than 20 years.
John Boykin is the president and CEO of BHI, an insurance brokerage and risk-management consulting firm in Delaware. His firm was a DBT Fastest 50 honoree in 2019.
Matt Denn is a litigation partner with DLA Piper in Wilmington and was the Delaware attorney general from January 2015 to December 2018. During that time, he was involved in writing the state's data privacy and cybersecurity statute.
Jim Garrity is chief operating officer for Wilmington-based Diamond Technologies, a systems integrator that works with such areas as software development, managed IT, and cybersecurity.