Recent data indicates that small businesses are victims of cyber attacks and that the frequency of attacks is on the rise. In fact, 58% of malware attack victims are categorized as small businesses. Small business owners need to know that their companies represent opportunities for hackers.
Adam K. Levin, a nationally recognized expert on cybersecurity, privacy and identity theft, says that breaches have become the third certainty in life. Listen to this podcast to learn what it takes to help prevent cyber attacks and how to get started.
Greg Corombos: Hi, I'm Greg Corombos. Our guest this week on Expert Insights is Adam Levin, chairman and founder of CyberScout and co-founder of Credit.com. He's also the author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. Today we're going to get his expert insights on cybersecurity for businesses both large and small. And Adam, thanks very much for being with us.
Adam Levin: Thanks for inviting me.
Greg Corombos: Let's start very general here. First of all, based on your experience, how well or poorly are businesses dealing with this? And let's start on the corporate side where there should be ample resources to address it. Are they generally up to speed, or are they still whistling past the graveyard to some extent on this?
Adam Levin: I think, you know, the biggest problem is that breaches have become the third certainty in life. And another fact of life is that cyber war has replaced the Cold War. So as a result as a business organization, you could be facing off against the state-sponsored hacker. Or a very sophisticated for-profit hacker. Or someone who is a cause hacker, they're angry at you for something relative to something they believe in.
Or then you could be facing off against, again, a very highly sophisticated form of hacker, which could be as the President lovingly refers to [in] a number of his speeches, the 400-pound guy operating off a mattress in his mother's basement in New Jersey. And oftentimes it doesn't matter whose sights somehow you have found yourself in. It's a very dangerous place to be. Every time we think we've figured something out, hackers figure out a way around it. So it's a very dynamic situation. You have to think about it is, in cyber, every day is a new day and every minute is a new day.
Greg Corombos: So there's never a point where a responsible business owner should say, Oh, well, I hire these people to take care of cybersecurity. I can check that off the list.
Adam Levin: It's never about checking a box when it comes to cybersecurity. It’s about being engaged with the people who are doing cybersecurity for you. It's about opening yourself up to be more amenable to new ideas and different things you have to do, understanding this is a constantly evolving environment. And even if you are secure at 9 a.m., if somebody in your organization clicks on the wrong link and somebody who is monitoring your systems misses an exfiltration situation, and sometimes malware can be on your computer for months if not years, sitting undetected, and then it springs into action.
And there are a lot of people out there that go, you know, I'm not that important. I'm just a little guy. I'm a small business. Why would anybody want anything to do with me?
Well, just remember that to a hacker, no business is too small, no consumer too unimportant, no government agency too irrelevant. We are Kim Kardashian, as far as they're concerned; we got what they want. Either data, and certainly we've seen it with Target, the Office of Personnel Management, and a lot of other businesses. Or we are the tributary to a larger river.
So think the HVAC subcontractor that was hacked as a pathway into Target or a business machine manufacturer that was featured in The New York Times many years ago, that ended up as a target for hackers. Not so much for who they were or what they did, but they as a conduit into a much bigger organization or many organizations.
Greg Corombos: We're talking with Adam Levin. He's the chairman and founder of CyberScout and co-founder of Credit.com. The book is Swiped. We talked a moment ago about corporations, and especially if they're big enough. But most corporations, in general, would have the resources to put this together. But if you're a fairly small operation, and you just explained why small operations need to be very vigilant on this as well. Resources could be a little bit scarce. You might have one or two people trying to wear a lot of hats, and they're just not super savvy on this stuff. What's your advice for them?
Adam Levin: Well, I think it goes back to, you know, one theme for everybody because we've seen corporations that spend $250-$500 million and still suffer breaches. So [it] really goes back to one essential element, and it’s culture. Creating a culture of privacy and security. You know, one of the most quoted and quotable people in our industry is Bruce Schneier. And he once said, “If you think technology is the solution to your security problems, then you don't understand the problems, and you don't understand the technology.” And when you combine that with Peter Drucker when he said “culture eats strategy for breakfast”, it becomes clear what the problems are, is you could have spent the money. But if you haven't created an environment where anyone from the reception desk to the boardroom, or in a small company, any human being involved in any capacity whatsoever for the company, unless they understand what the threats are, and where the vulnerabilities exist, and make sure that they don't click on the wrong link, that they're properly trained, that they understand the concept of who you need to get involved in your company to help it become more secure. And this is not something where somebody becomes an employee of an organization and in their orientation package, or when you sit with them in your office the first day, and you tell them what the rules of the road are, and then you don't update them as to things going on. Doesn't matter who you are.
You know, perfect example, Equifax. They had a disaster. Why? A security patch was issued for a vulnerability involving a software that they were using. They sent a note to their security department saying make sure the patch is applied. Somehow the security department missed it. Nobody was properly managing it. And this is a multi-billion dollar corporation. And all of a sudden 150 million people had their information exposed.
Well, with a small company it’s kind of the same thing. People have to stay on top of it. The looking...they have to practice what I call the three M's. How do you minimize your risk of exposure, reduce your attackable surface? How do you effectively monitor? And what's your plan to manage the damage?
Greg Corombos: Is this an easy culture to implement?
Adam Levin: It's not necessarily a difficult culture to implement. But remember, hacks happen fast, culture develops slowly. This is a marathon. It's not a sprint. So this is something where people have to be constantly involved. There has to be constant communication. People have to be aware of the new threats as they arise. And they have to be educated clearly on the things you do and you don't do to make absolutely sure that you're not exposing your business.
And I'll just give you one really easy form of vulnerability. Everyone acknowledges the fact that smartphones can be dangerous because people using their personal devices download all sorts of apps. They give their devices to their kids. The kids may download things they may be surfing. Let's say you're at a restaurant, you give your child a cell phone to play with. You don't realize they just clicked on the wrong link. Then you connect this device into the network of your business. Because you're working remotely you figure you can get a lot of stuff done when, you know, you have off time in your life. Unfortunately, these could be weapons of mass destruction for a business. Yet, think about how many businesses don't say, you can only use one phone or one mobile device that connects into us if you're operating remotely. You have to use a virtual private network. You have to make sure the security protocols are tight on this device. How many businesses let that happen, regardless of their size, and all of a sudden they're vulnerable?
Greg Corombos: It could seem overwhelming still to folks. Adam, if they're lost, where do they start on this?
Adam Levin: Well, you can go to a variety of different websites to get information. The FTC has information on this. We at CyberScout have information on this as to how businesses, you know, the steps that businesses should be taking or consumers should be taking. There's a wonderful site by the Consumer Federation of America called IDTheftInfo.org, where it gives people an enormous amount of advice about things that are identity theft-related. Better Business Bureaus have information. U.S. Chamber of Commerce has information. And many businesses are involved with many different associations, and those associations have information.
Greg Corombos: So much to learn. And Adam, you've given us an excellent explanation of why this is so critical and how it's a never-ending process of vigilance here. And it's vital to stay on top of this for so many reasons. Thank you very much for your time today.
Adam Levin: Thanks for inviting me.
Greg Corombos: Adam Levin is chairman and founder of CyberScout and co-founder of Credit.com. He's also the author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves. I'm Greg Corombos, reporting for Expert Insights.