As our country grapples with the threat of a pandemic and as we adjust to the challenges this new threat poses, it is important to plan for the new challenges and vulnerabilities that any such adjustments will necessarily create.
Congress has passed—and the President has signed—an unprecedented relief package to help businesses keep a connection to their employees and to help all Americans keep the bills paid, but such problems will hardly be the last ones that this virus causes. And with the wholesale pivot of the workforce to remote work that does not appear set to let up until the summertime, there is no more timely concern to raise among local businesses than cybersecurity.
The United States government has been proactive in its response to the increased threat of foreign actors seeking to use this crisis as an opportunity to divide and frighten Americans. But the government cannot be the only—or even primary—group taking action to safeguard against cyber-attacks. To that end, businesses should first know the threats that they face. Criminal elements and nation states both will be specifically targeting private American businesses in this crisis. In fact, we already have a model for foreign countries’ behavior, as we discovered last summer when the United States Department of Treasury announced that North Korea had stolen over $2 billion from American companies to finance their WMD and illicit missile programs.
North Korea’s desperate financial condition made it the first nation to see hacking American businesses as a revenue stream, but with the dire financial straits that the world finds itself in, it would be truly extraordinary if they were the last country to do so. For example, the Chinese government already has proven that they are capable of using such techniques to steal industrial and commercial secrets, so it is likely that grabbing American businesses’ assets will be a priority as their government faces a severe contraction in the country’s economic fortunes. And in fact, we recently learned of a hack of Citrix and Cisco that occurred during this pandemic that exceeded anything known from the Chinese regime to date. And these hackers have shown no inclination to spare small businesses.
Getting through this crisis and addressing this threat will not be easy, but it will be less onerous if everyone takes the time to prepare. To that end, I have put answers to frequently asked questions below. I also want to offer, at no cost, to help any Alamance County business, nonprofit, or local government prioritize the measures that are most needed to minimize risk in the switch to a remote workforce.
Question 1: Why do I need to add this to my plate? The pandemic response is already stretching everything in my business. Can’t this wait?
Answer 1: Unfortunately, this cannot wait. Numbers vary by industry, but all sectors are seeing an unprecedented spike in cybercrime. The criminals who make their living stealing from American businesses see a vulnerability in our response to this pandemic, and they are seizing it. The sooner you can integrate security measures into your process, the less likely you are to fall victim to an attack.
Question 2: I am a small business owner. Aren’t I too small to be a target?
Answer 2: Regrettably, the answer is absolutely not. First, if your small business provides services to a larger business, many hackers will see you as a “jumping off point” to the larger target. And second, hackers’ efforts to get into your systems are very inexpensive for them, so it makes a twisted economic sense for hackers to go after absolutely any revenue, even from small businesses with precious little revenue in a pandemic. Indeed, a CNBC report found almost half of all cyberattacks were directed at small businesses, a number pretty close to small businesses’ share of national economic activity. And small businesses are some of the least prepared organizations for this kind of threat. According to one study by Champlain College, 60% of small businesses that experience a successful cyberattack will be out of business within 6 months of the attack.
Question 3: How much will this cost?
Answer 3: It really depends on the business and what measures are appropriate for the individual business’s security needs. I’m willing to help businesses prioritize for no charge; just email me. The average cost of a cyberattack on small businesses, though, is $200,000 if no steps were taken beforehand to mitigate the harm.
Question 4: What is the most important thing for me to do?
Answer 4: Start now. There are several things that you can do that are generalized best practices, but as soon as you get beyond generic best practices, there is a lot of variation depending on the particulars of a business.
Question 5: I represent a church, a nonprofit, or a local government. Are we targets as well?
Answer 5: Yes. Anyone with any amount of cashflow is a target that hackers will think makes “economic sense” to pursue.
Question 6: What resources are there for me to keep up-to-date on these issues?
Answer 6: The FBI has an email list that can keep you up-to-date on the latest threat intelligence. The National Institute of Standards and Technology has a top-notch cybersecurity framework. And websites like Krebs on Security document many of the most pertinent attacks.
Peter McClelland is a resident of Burlington and serves as in-house counsel for Winston-Salem-based ThreatSketch, a cybersecurity consulting firm.
*This is a guest post provided on behalf of the author as a courtesy to Alamance Strong. Posting this article does not represent an endorsement, recommendation or legal advice on behalf of Alamance Strong.