Busting Cyber Myths: I’m Not a Target (and other lies you tell yourself)
In the first of a three-part series, Buckingham Data Privacy and Cybersecurity Attorney David Myers talks with Andy Jones, CEO, Fortress Security Risk Management and Eric Smith, recently retired Special Agent In Charge of the Cleveland, Ohio, office of the FBI. Together, they dispel myths around cybersecurity and educate businesses on their best path to protecting their financial assets and valuable data.
“You may say I’m not a target. I’m not big enough. I have no international operations. If you have a business with three to 85,000 employees with money and information, you couldn’t be the further from the truth,” says Jones.
Over the last five years, the FBI reports that it has received more than 2.2 million cyber security complaints and the monetary losses to companies big and small have totaled $13.3 billion. While certainly large and growing numbers, they represent only the cases that have been reported.
“It’s really not a matter of if, but when, a business will encounter a security threat and how severe it will be,” shares Smith. “If you make money, you’re a target.”
We often think of hackers as hoodie-clad tech wizards who sit behind their computers in the basement. That’s not so much the case. Smith provided unclassified information from the FBI that identifies types of hackers and their motives, as follows:
- Hacktivists use computer networks to advance their political or social causes.
- Criminals, both individuals and sophisticated criminal enterprises, steal and use personal information for financial gain.
- Insiders steal proprietary information from employers for personal, financial or ideological reasons.
- National-state actors conduct espionage by stealing sensitive state secrets and proprietary information from private companies.
- Terrorist groups seek to sabotage computer systems that operate U.S. critical infrastructure to disrupt and distract us.
- Nation-state actors are motivated by warfare to sabotage military and critical infrastructure systems to gain advantage in the event of conflict.
While there are bad actors who go after specific targets, in many cases, hackers are like fishermen dragging a net to see whose network might be the easiest target and what they might catch.
Phishing is a common way for hackers to get into and infect your system. It often comes from an email that looks official, but really isn’t. That’s why it’s so important to continually advise employees to not open emails from people they do not know.
OK, So I am a Target. Now What?
To protect your business, leave no hole for a hacker to break through. Jones encourages you to be proactive and outlines the minimum protection you need:
1. Setup multi-factor authentication. It’s one of the least expensive protections to make it more difficult for hackers to penetrate systems.
2. Patch the infrastructure. Cover holes that may let infections in. Think like the burglar who sees the house with motion-sensor lights and an alarm system. Could he bust in – yes. But he’s likely to look for the path of least resistance. Hackers are often the same way.
3. Invest in an endpoint detection and response solution which protects user machines not only looking for malware, but also by identifying and understanding behavior patterns and creating alerts when someone appears to act outside of their usual patterns.
4. Set-up a separate backup system that is completely isolated from your other systems.
No doubt, this will be an investment. But when you consider that more than half of the businesses that get hacked are insolvent within a year, being proactive is better than reactive.
I’ve Been Hacked! Now What?
When an attack happens, there are many calls you need to make right away. After contacting your legal counsel, insurance, and cybersecurity partner, Eric recommends contacting the FBI. The FBI has resources that assist in investigating the breach. While it might seem a little embarrassing to have a security breach, working with the FBI positions you to limit the damage while helping to put the bad guys out of business.
“The FBI will focus on the scope of the crime, treat the company as a victim and try to get information and any money you may have paid back to you as quickly as possible,” explains Smith. “The FBI will not search for violations by the company, share company information with the media, seize victim company assets or repair or restore network systems,”
While the FBI focuses on the threat, companies like Fortress can help you get back in business as quickly as possible. To contact Fortress, go online to IR911.com to complete an incident report. You will get a response within a few minutes.
A quick word of caution. Under the pressure of a security incident, it’s easy to forget about important concepts like attorney-client privilege. Any involvement from third parties such as Fortress should be initiated by legal counsel.
Get to Know More
If you want to understand more about the growing cyber-security threat, visit the Fortress public forum at ransomwareclock.org. This article is a synopsis of a one-hour webinar available at