Wednesday, August 30, 2023

Are Your Business Tools Ticking Time Bombs For A Cyber-Attack?

Business Risk Starts Within...

In June, a file-sharing application popular among big-name companies like Shell, Siemens Energy, Sony, several large law firms, a number of US federal agencies such as the Department of Health and more was hacked by the Russia-linked cybercrime group Cl0p. In its August 24 article, Security Magazine reported that, to date, there are 988 known companies impacted by the breach, resulting in the personal information of more than 59 million people being compromised. More are expected to emerge as the investigation continues.

If you’re reading that list of company names thinking, “I’m just a small business compared to these big guys – that won’t happen to me,” we’ve got news for you. Many of these companies have cyber security budgets in the millions, and it still happened to them, not because they were ignoring the importance of cyber security, but because of a piece of software they use to run their business.

Progress Software’s MOVEit, ironically advertised as a tool you can use to “securely share files across the enterprise and globally,” “reduce the risk of data loss” and “assure regulatory compliance,” was exploited by a tactic called a zero-day attack. This occurs when there is a flaw in the application that creates a gap in security and has no available patch or defense because the software maker doesn’t know it exists. Cybercriminals quickly release malware to exploit the vulnerability before the software maker can patch it, essentially giving the vendor “zero days” to respond.

These attacks are dangerous because they are difficult to prevent and can quickly and easily ruin smaller businesses.

Depending on the attacker’s motives, the stolen data can be deleted, held for ransom or sold on the dark web. Or, if you are lucky enough to recover your data, you might still end up paying out thousands or more in fines and lawsuits, losing money from downtime and coming out on the other end with a damaged reputation that causes clients to leave anyway. In MOVEit’s case, the cybercrime group Cl0p has claimed on its website that its motivation is purely financial and has allegedly deleted data obtained from government agencies, as they were not the intended targets.

What does this mean for small businesses?

For starters, it underlines the harsh reality that cyber security isn’t just the concern of big businesses and government agencies. In fact, small businesses can be more vulnerable to cyber-attacks, as they often dedicate fewer resources to protection. While the small business might think that no one is interested in their data, the threat actors know that it is important to the business owner and their clients. Using that leverage, either through ransomware or extortion, the threat actor often wins. Again, their motivations are most often purely financial in nature.

It also means that even if your organization is secure, the third-party vendors you work with and the tools you choose to use in your business still pose potential risks. Most of MOVEit’s customers that were affected likely had strong cyber security measures in place. Even though it was no direct fault of their own, at the end of the day, those companies still must go back to their clients, disclose what happened and take the verbal, legal and financial beating that comes with a data breach.

The MOVEit hack serves as a grim reminder of the critical importance of cyber security for businesses of all sizes. In the face of an increasingly sophisticated and fast-moving cyberthreat landscape, businesses cannot afford to ignore these risks. Cyber security must be an ongoing effort, involving regular assessments, updates, monitoring, training and more. As this terrible incident shows, a single vulnerability can lead to a catastrophic breach with severe implications for the business and its customers.

In the digital age, cyber security isn’t just a technical issue – it’s a business imperative.

An important facet of creating a cyber security-aware culture in your organization is to ensure that all your business tools, service providers and third-party resources have been evaluated to determine what level of risk they pose to your organization. From there, determine what controls must be implemented to minimize that risk. When you consider your current IT provider, to what extent do THEY protect themselves from becoming a headache for you?

If you have ANY concerns about your own business or simply want to have a second set of eyes examine your network for vulnerabilities, we offer a FREE, objective Cyber Security Risk Assessment.

Click here to schedule a quick consultation to discuss your current situation and get an assessment on the schedule.

Tuesday, August 29, 2023

The Key To Scaling Your Company Efficiently


As a business owner, you know that continuous, steady growth is an essential part of success. When you’re ready to get serious about scaling your organization, several vital activities must happen. Documented workflows and processes, streamlined hiring, onboarding and training, well-oiled marketing systems and more top the list. One key but often overlooked element of scaling success that can make or break your efforts is leveraging technology to enhance operations quickly, efficiently, and cost-effectively.

When Covid-19 caused a major shift from office-based to distributed workforces, many companies were caught flat-footed. With much of their corporate culture driven by internal, on-premise systems, the move from on-premise to remote work posed unanticipated constraints on pivoting to the new normal. This became the Achilles’ heel for many businesses. As we look in the rear-view mirror at a challenge that, sadly, resulted in the downfall of many small to mid-sized businesses, we need to look at the lessons learned. This relates directly to businesses looking to grow.

As history has taught us, flexibility is a must for a business to thrive and grow in today’s economy. When we look at the available options for using technology as a leverage point for growth, one resource we can’t overlook is implementing cloud-based systems and resources. The cloud, which now integrates with numerous AI tools, giving it more capabilities than ever before, allows you to streamline and automate your operations without large, unnecessary investments.

In this article we’ll cover what the cloud is, the major benefits you should take advantage of and how you can use it to grow your organization without overspending.

The cloud is simply a global infrastructure of servers that gives you remote, on-demand access to both applications (think Microsoft 365) and computer system resources, including cloud-based servers, workstations and data storage. Cloud-based resources are, in most cases, virtual systems running in a data center and accessed over the Internet instead of on your computer’s hard drive. With these capabilities, your business doesn’t need to invest in its own hardware or perpetual software licenses, allowing you to pay only for what you use when you use it. Software and hardware can be expensive, making this a great solution for businesses in growth mode without unlimited budgets.

How can the cloud help your organization? Here are 5 benefits to consider:

  1. Economies of Scale – As mentioned, with most cloud-based programs you can expand the services as your business grows. When revenue increases and you take on more clients, you can choose to upgrade your services or invest in new features or capabilities, so you never pay for more than you need at the time. It takes only a few clicks from an administrator.
  2. Enhanced Collaboration – In a digital world, we need real-time access to tools for collaboration, no matter where our employees are. Cloud-based programs can typically be accessed anywhere in the world on any device by multiple members of the team simultaneously. This allows for colleagues to work on projects together even if they aren’t in a physical office or are in different time zones, increasing productivity all around.
  3. Increased Automation – You can save money and your employees’ time by having cloud-based programs automate certain repeatable tasks such as regular backups, logging and monitoring networks, resource allocation and much more. Most business owners don’t know how many tasks they can automate or how much money and time they can save until they have an IT professional review their network.
  4. Faster Access to Resources – With the cloud, your employees no longer have to wait for extensive downloads or installations. Most tools are readily available instantly, making it easier and faster to get work done.
  5. Reduced Disaster Recovery Costs – Disasters rarely damage cloud-based data and assets that are hosted virtually on servers, not on hardware in the office. Your IT professional should have multiple backups of your data, so if something goes wrong, it will be easy to get it back up and running.

Cloud-based programs are a great resource for business owners who want to scale. They are generally easy to use, simple and flexible to expand, cost-effective, great for collaboration, more secure than other programs, and much more.

If you think you’re not harnessing all the power that cloud tools provide, you’re probably not. The best next step is to have an IT professional do an in-depth review of your current network to find the areas of opportunity in your business.

We offer a FREE Network Assessment, where we’ll extensively review your network and sit down with you to review what should be done differently to save you money and enhance your business operations. If you’re serious about scaling and want to do it the right way, click here to book a Network Assessment with our team or call our office at (413) 786-9675 to get a meeting on the schedule.

Monday, August 14, 2023

Best Kept Secrets About Cyber-Liability Insurance


Warning: The Hole In Your Cyber-Insurance Policy That Could Result In Your Claim Being Denied Coverage

You’ve all heard the stats – small businesses are the #1 target for cybercriminals because they’re easy targets. A recent article in Security Magazine reports that nearly two-thirds (63%) of small businesses have experienced a cyber-attack and 58% an actual breach. What many still don’t understand (or simply don’t appreciate) is how much a cyber-attack can cost you.

That’s why one of the fastest-growing categories in insurance is cyber liability. Cyber liability covers the massive costs associated with a breach, which may include the following, depending on your policy:

  • Legal fees to handle any number of lawsuits, including class action litigation against your organization, as well as fines and penalties incurred by a regulatory investigation by government and law enforcement agencies.
  • Negotiation and payment of a ransomware demand.
  • Data restoration and emergency IT fees to recover your network and get it operational again.
  • Customer notifications and credit and identity theft monitoring for clients and employees.
  • Public relations expertise and call center costs for taking inbound calls and questions.
  • Loss of revenue related to being unable to transact; if your operations and data are frozen, you might not be able to process sales and deliver goods and services for days or weeks.
  • Errors and omissions to cover liability related to a failure to perform and deliver services to customers, as well as allegations of negligence in protecting your customers’ data.

If you want to make sure you don’t lose everything you worked so hard for to a cyber scumbag, cyber liability is a very important part of protecting your assets.

Here’s the new reality, and what you need to know: In order to get coverage, businesses are required by insurance companies to implement much more robust and comprehensive cyber-protections. Obviously, the insurers want the companies they are underwriting to reduce the chances and the overall financial impact of a devastating cyber-attack so they don’t have to pay out – and this is where you need to pay attention.

MANY business owners are signing (verifying) that they DO have such policies and protections in place, such as 2FA, a password strength requirement, employee awareness training and data recovery and backups, but aren’t actually implementing them, because they assume their IT company or person knows this and is doing what is outlined in the policy. Not so in many cases.

Unless cyber security is your area of expertise, it’s very easy for you to misrepresent and make false statements in the application for insurance, which can lead to your being denied coverage in the event of an attack and having your policy rescinded.

If you have cyber liability or similar insurance policies in place, I urge you to revisit the application you completed with your IT person or company to make absolutely certain they are doing everything you represented and affirmed you are doing. Your insurance agent or broker should be willing to assist you with this process since your IT company or person cannot be expected to be insurance professionals who know how to interpret the legal requirements outlined.

What’s critical here is that you work with your IT company or person to ensure 100% compliance with the security standards, protocols and protections you agreed to and verified having in place when you applied for coverage. IF A BREACH HAPPENS, your insurance provider will NOT just cut you a check. They will conduct an investigation to determine what happened and what caused the breach. They will want to see tangible evidence and documentation that proves the preventative measures you had in place to ward off cyberthreats.

If it’s discovered that you failed to put in place the adequate preventative measures that you affirmed you had in place and would continue to maintain on your insurance application, your insurance company has every reason to deny your claim and coverage. Be certain that the insurance company is going to look for every possible way to get out of paying the claim.

Many small businesses fail to seek cyber-liability coverage due to the cost. The average cost of a cyber-event cleanup is in the hundreds of thousands of dollars. Adequate coverage matters: the rider in your general liability policy typically caps out at $10,000 and only covers about 6 of the 40 or more components that make up a cyber incident response. Failure to have adequate coverage is like playing Russian roulette with a semi-automatic weapon. It's not likely to end well.

If you have ANY concerns over this – including whether or not you need coverage, whether your coverage is sufficient and whether you are doing what you need to do to avoid an insurance denial, click here to schedule a quick consultation to discuss your current situation and to receive a referral to a cyber insurance expert we recommend.

Further, if you would like us to conduct a FREE cyber security risk assessment to show just how secure and prepared you are for ransomware or a cyber-attack, we can discuss that too! Just click here to schedule a phone consultation.

Wednesday, August 2, 2023

Your Personal Titanic Moment


In a recent interview about the Titan sub catastrophe, James Cameron, director of the movie Titanic, who has made 33 successful dives to the Titanic wreckage site, pointed out that this tragedy is eerily similar to the 1912 Titanic disaster: the captain of the 1912 RMS Titanic was repeatedly warned about ice ahead of his ship, yet he plowed ahead at full speed into an ice field on a moonless night, resulting in the deaths of over 1,500 innocent souls.

The captain of the sub Titan and CEO of the company OceanGate, Stockton Rush, was also repeatedly warned about his vessel’s safety, lack of certification for the vessel’s integrity, lack of a tracking device (think airplane black box), their experimental approach to deep dives (despite the fact that this is a very mature and well-understood practice) and lack of a backup sub. He also proceeded to plow ahead at full speed, taking people in an extremely unsafe vehicle, which resulted in the deaths of innocent people. If there was ever an example of willful negligence, this is it.

When it comes to IT security and compliance for small business, this kind of willful negligence is rampant. Sometimes it ends with an abrupt, catastrophic “implosion,” as with the Titan, where a company is destroyed by a ransomware attack, operations shut down, unable to transact, employees and clients harmed and their reputation tarnished.

In other cases, the risk is there but hasn’t been addressed because nothing bad has happened – yet. Willful negligence in IT security and in regulatory compliance with data privacy and protection requirements comes in three forms.

The first is willful ignorance. Some people running a business are young and inexperienced, too new to the business world to understand the risks they are incurring by failing to protect their clients and themselves. They don’t know what they don’t know. Often, they are being advised by the wrong people – an IT firm that knows how to make their tech work but lacks the expertise to implement good security protections. You kind of can’t blame them for getting it wrong initially, but at some point they’ll get smacked with a cyber-attack and learn the error of their ways the hard way.

The second type of willful negligence is willfully foolish.

This group CANNOT claim “ignorance” as their defense. They KNOW they should be protecting their business and their clients’ data from cyber-attacks. They’ve heard the stories, they know the laws and may have been warned by their IT company or person, but foolishly believe “that can’t happen to us,” or choose to assume they’re “fine” because they are using a cloud application that promises compliance (which is correct for THEM, not necessarily for YOU). They trust but don’t verify that their IT person or company is actually doing what they’re supposed to, and often lack cyber liability insurance, choosing to take the risk because they’re cheap or can’t be bothered.

The third type of willful negligence is, in my opinion, the TRUE meaning of willful negligence and the most immoral and unforgivable. Determined negligence. These people stubbornly insist on continuing to operate without proper security protocols in place, without a disaster recovery plan, without any insurance, without assessing and inspecting their environment, refusing to acknowledge ALL facts, history and evidence to the contrary. They know they are acting irresponsibly but don’t care.

After the tragedy of the sub, multiple experts came forward to point out all the risky behaviors Rush was allowing. The hull had not gone through any type of cyclical pressure testing or thermal expansion and contraction testing. The hatch could only be opened from the outside and not the inside, which wouldn’t allow them to escape if needed in the event of an emergency – one small fire inside would have been catastrophic. No atmospheric system to monitor interior gases such as oxygen, carbon dioxide and carbon monoxide. No emergency air breathing system. The viewing window was only certified to 4,000 feet, not the 12,500 feet of the Titanic wreck. But the most egregious of all was an egotistical assumption by the CEO that he knew better than everyone else around him.

I wonder if he put all of this in the brochure and explained that philosophy to the people in the sub who lost their lives that day.

Everyone makes mistakes. Everyone has a moment in their lives when they place trust in someone they shouldn’t. Everyone has blind spots, and we’re all ignorant and misinformed about something. The question is do you STAY willfully ignorant or foolish to the point of being determined to hold steady to your course of action to the point where you not only do harm to yourself, but to others as well?

If you do, it’s only a matter of time before you have your own ship sunk, your own personal Titanic-size wreck. Sadly, if you’re the CEO of a company that holds financial data, credit cards, medical records, tax returns, Social Security numbers, birthdays or even the contact details of your clients OR employees, YOUR willful negligence in cyber protection will absolutely harm others.  

This doesn't mean that all those who are veering towards that proverbial ice field can’t change course. Hopefully this entry in The Werks will stir even those with the hardest of heads to take a different tack. If your business is important to you... and as a business owner, I know it is... it’s not too late. If you are ready to steer away from the iceberg, get on our calendar to discuss your options by clicking here.