In September 2017, SMART PT, a physical therapy clinic in Massachusetts, received a message from an infamous hacker. The message basically stated, “I’ve stolen your patient records. Pay the ransom or your data will be released to the public.” The company refused to be extorted, and as a result, the hacker released information on 16,428 SMART PT patients. Names, birth dates, and Social Security numbers spilled onto the Dark Web, and SMART PT was left to clean up the mess, and repair their patients’ broken trust.
SMART PT isn’t the first victim of this hacker’s criminal escapades. Just a few months prior, this same hacker exposed 180,000 patient records from a dentist in New York, a surgeon in California, and a surgery center in Florida. Though health care providers are hit hard by cybercrime, they aren’t the only industry that should be on alert. The Verizon Data Breach Investigations Report found that 61 percent of breaches hit small businesses across industries.
Considering this common threat business owners face, you would think they’d be more proactive about protecting themselves. But in my experience, this is far from the reality. More often than not, a company will do one thing to address the threat, and assume that means they’re set for life. They never double check their security — until after they’ve suffered a breach, that is. Then they call me to look into the matter, and discover they weren’t as prepared as they thought.
After hundreds of assessments, it’s always the same. I’ve worked with business owners for over three decades, and I continue to be baffled by how willing some people are to ignore dangerous threats to their company. It’s especially frustrating when you realize that small businesses can go far in avoiding the worst-case scenario with a simple risk analysis.
What are your company’s critical data assets? The things your business cannot do without? I’m talking about your email, financial software, video data, and security or monitoring technology. Imagine you suddenly don’t have access to them anymore. What would happen to your company then?
When analyzing risk, this is the reality we examine. My team generates a report based on interviews with executive management, workflow analysis, system review, data analysis, and activities discovered on the corporate systems and networks. With this information, we identify critical data assets and rank them by the likelihood of suffering a breach and by which assets would have the greatest impact if lost.
How Long Can You Tread Water?
Next, we look at each asset and determine its maximum tolerable downtime (MTD) and recovery point objective (RPO). Basically, how long can your company afford to have a specific asset down, and how much data can you afford to lose during a disaster? You probably won’t be surprised to learn that most companies allow for a very low MTD, but have no method to regain control of valuable assets within the desired amount of time.
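To make the two steps above concrete (ranking assets by likelihood and impact, then checking MTD and RPO against what the backup plan actually delivers), here is an added example in Python. It is not the author's assessment tooling or a method the article prescribes; the 1-to-5 scoring scale, the `Asset` fields, the gap rules, and the sample figures are all assumptions constructed for illustration.

```python
"""Added example (not from the original article): a small risk register that
ranks critical data assets by likelihood x impact and checks whether the
current backup cadence and measured restore time meet the MTD and RPO the
business says it needs. Scale, fields and sample figures are constructed."""

from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    likelihood: int   # assumed 1 (rare) .. 5 (near certain) chance of breach/outage
    impact: int       # assumed 1 (minor) .. 5 (business-ending) if the asset is lost
    mtd_hours: float  # maximum tolerable downtime the business stated
    rpo_hours: float  # acceptable data loss, expressed as hours of work
    backup_interval_hours: float  # how often a backup is actually taken
    restore_time_hours: float     # measured time to restore from that backup

    @property
    def risk_score(self) -> int:
        return self.likelihood * self.impact


def rank_assets(assets):
    """Order assets by risk score, highest first; ties broken by impact."""
    return sorted(assets, key=lambda a: (a.risk_score, a.impact), reverse=True)


def recovery_gaps(asset):
    """Return the reasons an asset's current recovery plan misses its targets."""
    gaps = []
    if asset.restore_time_hours > asset.mtd_hours:
        gaps.append(f"restore takes {asset.restore_time_hours}h, MTD is {asset.mtd_hours}h")
    # Worst case the failure happens just before the next backup would run,
    # so the data lost equals one full backup interval.
    if asset.backup_interval_hours > asset.rpo_hours:
        gaps.append(f"backups every {asset.backup_interval_hours}h, RPO is {asset.rpo_hours}h")
    return gaps


def assessment(assets):
    """Ranked list of (name, risk_score, gaps) ready for the report."""
    return [(a.name, a.risk_score, recovery_gaps(a)) for a in rank_assets(assets)]


# Constructed sample register for a small clinic-like business.
SAMPLE_ASSETS = [
    Asset("patient records database", 4, 5, mtd_hours=4, rpo_hours=1,
          backup_interval_hours=24, restore_time_hours=12),
    Asset("email", 5, 3, mtd_hours=8, rpo_hours=4,
          backup_interval_hours=1, restore_time_hours=2),
    Asset("security camera footage", 2, 2, mtd_hours=72, rpo_hours=24,
          backup_interval_hours=168, restore_time_hours=8),
    Asset("financial software", 3, 4, mtd_hours=24, rpo_hours=8,
          backup_interval_hours=24, restore_time_hours=6),
]

if __name__ == "__main__":
    for name, score, gaps in assessment(SAMPLE_ASSETS):
        status = "OK" if not gaps else "; ".join(gaps)
        print(f"{score:>2}  {name:<28} {status}")
```

Run as-is, the highest-scoring asset (the patient records database) fails both targets: a daily backup cannot meet a one-hour RPO, and a twelve-hour restore blows through a four-hour MTD. That is exactly the mismatch the text describes, a low stated MTD with no plan that can actually deliver it, surfaced as a line item instead of discovered after an incident.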
What’s the Worst that Could Happen?
In addition to examining critical data assets, we also conduct a detailed threat analysis. Our team calculates the likelihood of a ransomware or email spoof, possible intellectual capital loss, and what backup system and recovery plans are in place in the event of a total system failure. It can be unnerving to learn where your company stands, especially if you are forced to face an unpleasant truth about your lack of preparedness. However, these are the risks you need to assess to determine how you can appropriately respond to a breach.
As I’ve said before, there’s no way to completely protect yourself from a cyberattack. If a criminal wants to get into your business, they’re sure as hell going to find a way. However, you can ensure your company will be backed up and running fast, minimizing damage, and protecting yourself from devastating repercussions.