Not long ago, I heard FBI Director James Comey say, "There are two kinds of big companies in the United States. There are those who’ve been hacked ... and those who don’t know they’ve been hacked.”
I took note and quietly patted myself on the back, knowing I’d taken precautions and thinking we were ahead of the game on this one.
But then I got the call every CEO dreads. It was a panicked employee who was about to send a screenshot of something they’d just seen on our intern’s computer. “You have 96 hours to pay a ransom or your data will be permanently locked,” the email read.
Fortunately for us, we had a cyber-incident response plan already in place, and I immediately put the plan into motion. As a result, we prevented calamity. Policy, process and practices were what saved us from an embarrassing and debilitating breach.
We got lucky. Putting a number to all of those victimized by cybercrime is difficult -- if not impossible -- but news headlines ranging from the Home Depot, Apple iCloud and Anthem breaches make it clear: This can happen to anyone.
There's a new risk every day. As quickly as technology grows and changes, so do the threats. Even if you think you're not at risk because you don't store consumer data, realize that hackers may target you to access larger businesses you deal with through portals or electronic data exchanges.
Threats are not just consumer data or intellectual property. Everything is interconnected. If hackers access the plans to one component, it may be interchangeable and create vulnerabilities in other processes, divisions, intranets or extranets.
Threats aren't limited to consumer data. Foreign powers and those willing to sell to the highest bidder can cause U.S. businesses to lose a competitive advantage on the global stage anytime a breach occurs.
Cybercrime prevention is now considered a cost of doing business
Cyber attacks are not a matter of "if" but "when." Cybercrime needs to be viewed as any other business risk, and the investment in cyber security cannot be negligible. According to a 2014 Hewlett Packard study, the average annualized cost incurred per attack was $12.7 million, with a range of $1.6 million to $61 million. For protection, experts suggest developing a cyber-audit committee with a multifunctional and multidisciplinary plan of action.
Related: Why Your Password is Hackerbait
Responding to an attack will require action from not only the IT department but from public relations, social media and customer service. A company has a very short window of time in which to inform customers of the breach. Do you know yours?
Risks aren't limited to a particular industry or a specific size of business. The profile of a cyber attacker may vary, but can be associated with organized crime, terrorists, nation states, internal threats or disgruntled employees and ransom attacks.
For international businesses, the risks are expanded and may change based on region. An outside risk assessment can provide invaluable insights that an internal team may not be able to provide. Even if your business's internal data isn't compromised, social media accounts can be hacked and cause serious damage to your reputation.
Even if you have a top-notch cyber security plan in place, human error can create some of the greatest risks for exposure -- as in our case, with an intern.
- Use long passwords. Do not use the same password for all accounts
- Put policies in place that require strong passwords, and require new passwords that were not previously used at regular intervals
- Avoid the temptation of "free" WiFi and hotspots. These networks aren't secure and your data can be exposed
- Consider encrypting all emails
- Develop a cyber-incident response plan that includes your board, legal, IT and management
Cybercrime is not a problem we're going to fix or solve. Businesses have to find a balance between the amount of resources they're willing or able to invest in security while maintaining effectiveness in all other areas.
As Bill Gates said: “Treatment without prevention is simply unsustainable.”