An information security overview.

Written for owners, executives, and their Boards.

  • A cybersecurity disruption can significantly impact a small business financially. The costs of recovery, lost productivity, and reputation damage can threaten the company's survival.

    The disruption can also impair the company's ability to serve customers. With systems down and operations disrupted, the business may struggle to meet client needs, eroding trust.

    Customer confidence may be damaged, as clients lose faith. The competitive impact can be severe, as upset customers turn to your competitors.

    Employees may feel their trust has been compromised.

    The incident can undermine relationships with key stakeholders. Investors may question leadership, suppliers may worry about stability, and banks may reconsider credit. These strained relationships can impact the company's foundations.

    • According to FBI and other studies, the frequency and cost of cybercrime are growing rapidly.

    • Smaller businesses are the victims in 60 - 70% of cybercrime.

    • The consequences of cybercrime can be devastating for smaller organizations.

      • Smaller businesses lose 20% of their revenue in the six months following a breach because of reputational damage.

      • 60% of companies suffering a second breach go out of business.

    • A cybercrime can be fatal to a smaller business. Even when not fatal, cybercrime can significantly disrupt your ability to meet your mission and serve your community.

    • This is not an attempt to frighten you but an attempt to alert you to the reality of our times.

  • Immediate Losses.

    • Direct loss of revenue.

    • Inability to serve customers.

    • Harm to others.

  • Implications.

    • Lost profits.

    • Lost customers.

    • Lost prospects.

    • Inability to achieve business goals.

    • Staff depression.

    • Fines and penalties.

    • Higher insurance costs.

    • Higher Line of Credit rates.

    • Lower business valuation.

    • Ransomware

      • Cybercriminals take control of your computer and information systems.

      • You lose access to your information and cannot work.

      • Cybercriminals demand you pay them to regain access to your information.

      • If you have good backups, you may be able to get your information back. But the cybercriminals are experts at finding backups and rendering them unusable.

      • Even when you pay them, you often do not get your information.

    • Ransomware & Extortion

      • Like ransomware but the cybercriminals also copy all of your information.

      • They then threaten to release the information publicly unless you pay them.

      • When this happened to a therapist, the cybercriminals also went after the therapist's patients.

    • Business email compromise

      • Accounts Payable receives a fraudulent invoice from a vendor after the vendor's email has been hacked.

      • Your Administrative Assistant receives a fraudulent email from you requesting that he wire $50,000.

    • Espionage, Theft of Intellectual Property.

  • Here are six common "attack vectors":

    • Phishing attacks. (email, text, other)

    • Social engineering attacks. (Employees are misled by cybercriminals. This problem is worsened by Deepfakes and other AI applications.)

    • Network attacks. (Cybercriminals exploit vulnerabilities in your IT network. These are often misconfigurations or inadequate IT maintenance.)

    • Supply chain attacks. (Cybercriminals attack your IT service provider or their technology.)

    • Insider threats. (These can be purposeful attacks from rogue employees. They can also be the result of a cybercriminal taking control of a staff member's computer.)

    • Drive-by-compromise. (A computer gets infected when someone clicks on an ad that the cybercriminals have booby-trapped or visits a rogue website.)

    • You may have security and privacy responsibilities. Talk to a cyber-attorney to understand these.

      • If you need a referral, please reach out to us.

    • Examples

      • If you collect Personally Identifiable Information, there are numerous privacy laws to which you may be subject. These include HIPAA, state Breach Disclosure Laws, and the California Privacy Rights Act.

      • Companies in Critical Infrastructure Sectors are required to meet cybersecurity regulations of the Cybersecurity and Infrastructure Security Agency.

      • Companies subject to the SEC must follow their cybersecurity regulations.

      • Companies in the Defense Industrial Base are required to meet the security requirements in the Defense Department's Cybersecurity Maturity Model Certification (CMMC) program.

      • Tax preparers are required to follow IRS Cybersecurity Regulations.

      • If you do business in Europe, you may be subject to the General Data Protection Regulation (GDPR).

    • Once you know the laws and regulations to which you are subject, you can integrate these into your Information Security Management Program (see below).

  • A cyber crime or other incident is no longer a matter of "if" but of "when."

    The more prepared you are, the less disruption there is, the quicker you get back to "business as usual," and the less costly it will be.

    To prepare for a disruption you need to be able to detect possible incursions and analyze them to see if they are security incidents that put you at risk.

    This requires planning and preparation. You don't want to be caught flat-footed in the middle of a breach.

    • Know who's in charge and who's on your team.

    • Document how your network is set up, where your information is stored, who your vendors are, and how you can reach them in an emergency. Know the people you need to contact if there's a breach.

    • If you have an IT service provider, make sure your plans fit together so that things don't slip through the cracks.

    Part of preparation includes protecting your information from attack. This includes making sure IT is doing its job to secure the network and training your people to do their job.

    The more thorough your planning and preparation, the less often your nonprofit will be disrupted by a cyber-event and the more quickly you will recover from a disruption.

    Part of planning and preparation for the next disruption is asking yourself, "How do we do better next time?"

    • Your IT service provider may be managing much of your IT security needs.

    • We rarely if ever see an IT service provider managing an entire program, including, e.g., staff awareness training.

    • Given the importance of your information and your IT network to your business, it's prudent for you to ensure your IT service provider is doing the right things.

    • Regardless of how much of your program they are managing, you still have legal responsibility for your Program.

    • Central to your Information Security Management Program is the question of "what's reasonable?"

      • It's clearly not reasonable to spend $10,000 to protect something worth only $1,000.

      • Nor is it reasonable to spend $10,000 to protect something worth $100,000 if the likelihood of loss is 5%.

      • But it's absolutely reasonable to spend $10,000 to protect something worth $100,000 if the likelihood of loss is 50%.

    • There is an evolving body of law defining what security controls are reasonable when protecting the information of 3rd-parties.

      • Some of this evolving law is prescriptive: if you don't do this, then you are not reasonable.

      • Some of it is rewarding: if you do this, then you are prima facie reasonable.

    • At the 2024 RSA Conference, the Center for Internet Security released "A Guide to Defining Reasonable Cybersecurity."

      • The Guide includes a review of current State laws providing "get out of jail free cards" to businesses following the CIS, NIST and other frameworks should they be sued following a security incident.

    • SecureTheVillage understands this and makes it a key element of our program.

      • Since 2019, we have had an annual seminar on reasonableness every October.

  • Join LA Cybersecure™, SecureTheVillage's unique learn-by-doing, team-based information security program that meets the special circumstances of smaller businesses.

    • Congratulations ... And thank you for helping keep cybercrime at bay.

    • Please consider joining our Cyber Resilience Program.

    • The Program is based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework 2.0.

    • Included are regular educational sessions on cyber-law and cyber-insurance.

    • Keep your program up-to-date.