The following article is a compilation of comments from a cybersecurity panel presentation by Evan Lutz, network security engineer at Cigent; Mark Nieds, attorney at Henderson, Franklin, Starnes & Holt, P.A.; and Scott Gregory, vice president and business insurance agent at McGriff Insurance. The panel was moderated by SWFRTP board member Wendi Fowler, Director of Marketing and Sales at ITVantage, Inc. The presentation was part of the Greater Fort Myers Chamber of Commerce Business Summit, September 20, 2019.
One half of cybersecurity attacks are on small businesses and many attacks go unreported.
Every 14 seconds there is a ransomware attack somewhere in the world.
Hacking is big business with low barriers to entry. It is easy to get hacking tools. Also it’s easy to join teams of hackers.
In Southwest Florida there have been several examples of hacking including NCH, City of Naples, Collier County Mosquito Control, Radiology Regional and 21st Century Oncology.
Hackers tend to target organizations that are large enough to have value but small enough that they do not have budget allocated for cybersecurity.
There are steps that small businesses can take to not be such an easy target.
Evan Lutz, network security engineer at Cigent, advised that you need protection at both ends of the network. First, you need to protect end-user devices. For this, Windows Defender is better than any protection that is available for free. You also need to protect where your Internet Service Provider (ISP) stops and your organization’s network begins.
Mark Nieds, attorney at Henderson, Franklin, Starnes & Holt, P.A., advised that organizations need a documented cyber-breach preparedness plan.
The most common mistake by small businesses when it comes to cybersecurity is a lack of awareness of what’s in the environment (e.g., active exploit attempts).
Scott Gregory, vice president and business insurance agent at McGriff Insurance, explained that cyber-insurance endorsements can cost as little as $150 and up to $700 for a more robust policy. Most insurance carriers offer these options now.
Organizations that choose to purchase insurance for cybersecurity must disclose specific information on their cyber-insurance application. For example, there will be yes/no questions such as “are you encrypting data?”, “doing audits”, “doing backups” and others. Organizations can lose their insurance coverage if they do not do what they say they are doing on their application. Some insurance contracts include support for managing a response to a breach.
In the event of a breach, who do you call? According to Florida’s data breach law, if more than 500 people are impacted, an organization must report to the Attorney General. In turn, the Attorney General may ask for details, including a police report and whether the FBI was notified.
Reporting rules vary by state. If an organization has customers in multiple states, then there will be multiple reporting requirements to follow. In addition, GDPR mandates reporting if any customers are from Europe.
The panel recommended that organizations conduct regularly scheduled independent security audits. A technology network is only as strong as its weakest link. Cyber-insurance is the last line of defense. Cyber training and awareness for employees is the front line of defense.
Knowing where to invest budget in cybersecurity is challenging, especially for small businesses. The panel recommended that an organization of twenty or more employees should expect to spend $500-$1,500 per month. For micro-businesses (such as 2-3 people), using an enterprise-level antivirus solution is sufficient (combined with the aforementioned staff awareness training).