On the topic of cyber security, I think that most small business owners file this under the category of “I’ll worry about it next year.” This strategy works until the business owner loses the ability to earn a living, loses customers, has their intellectual property stolen, and/or has to pay fines and penalties because their digital data is stolen. The reality is that theft of digital information far exceeds the loss from physical theft. If you think it’s important to put a lock on your door at night to keep your inventory safe, you should consider locking up your digital assets the same way.
The ways in which the business owner can be harmed by a hacker include:
- Theft of employee and customer Personally Identifiable Information (PII)
- Theft of customer credit card information
- Denial of Service preventing access to websites and/or ecommerce sites
- Shutdown of critical information systems
- Theft of funds from bank accounts
- Theft of HIPAA (Health Insurance Portability and Accountability Act) protected health information (PHI)
- Loss of crucial intellectual property to a competitor
- Fines in addition to any or all of the above
The fines are not insignificant. Fines for not sufficiently protecting PHI can range up to $50,000 per violation.
So what to do? I have written previous blogs with general guidance from the FBI on general practices on securing your data, and of course there are government agencies such as the FCC and NIST who offer high level guidance on how to create an information security policy for your company.
What I’m going to offer over a series of blogs, however, are some very specific tactics, responses, and guidance aimed at business owners to assist with their information security needs. My previous blog on how to deal with a Yahoo account compromise started this trend.
The next topic I’m going to cover is spearphishing attacks. Most companies are familiar with the general Nigerian email scams and other similar, non-targeted scams that come through email, but spearphishing attacks are another thing entirely.
According to a popular joke, “If you give a man a fish, he’ll eat for a day. If you teach a man to spearphish, he’ll use your credit card to buy dinner.” Spearphishing attacks are targeted at an individual. In terms of threat and potential damage, a spearphishing attack is to normal email scams what a trained sniper is to someone randomly shooting a handgun into the sky. They often come from the email address of someone you know and may trust, may have a subject line that you are familiar with, and may have an attachment of a kind you would normally expect to open. By accumulating information on you and your life from the Internet, dumpster diving, stolen data, or social engineering, the attacker is able to bypass your normal “email scam filters” and cause you to open a file that will often contain malware that can cause far more damage.
Stay tuned in the next blog for how to recognize and deal with spearphishing attacks.