With attackers active everywhere, every organization, large or small, must be on guard. In July 2021, the U.S. joined NATO, the European Union, and other allies in formally attributing a series of cyber-attacks to the Chinese government, including the early 2021 exploitation of Microsoft Exchange servers that compromised over 100,000 systems worldwide. In the same month, a breach affecting the Tokyo Olympics exposed the personal data of ticket holders and volunteers.
Unfortunately, many smaller organizations in the U.S. remain complacent about cybersecurity. In the Q3 2021 CNBC|Momentive Small Business Survey, conducted from July 26 to August 3, 56 percent of owners said they were not concerned about cyber-attacks, and 59 percent were confident they could resolve an attack immediately. Yet 42 percent had no cybersecurity plan in place, 11 percent were unsure whether they had one, and only 14 percent had a plan under development.
Perhaps the reason for this confidence is that only 14 percent of respondents had been hacked, and only seven percent had suffered a ransomware attack between 2020 and 2021. Of those hit by ransomware, 51 percent paid a ransom: 27 percent had it covered by insurance and 24 percent paid out of their own pockets.
Small business owners should not be overconfident: 2019 data shows that cybercriminals actively targeted small and medium-sized businesses, and 43 percent of data breaches that year hit small companies. Attackers know that small organizations rarely budget for cybersecurity, which makes them easy to penetrate.
It is therefore crucial for every small business to prioritize cybersecurity and to maintain reliable, regularly tested backups kept separate from production systems, for example by archiving Salesforce Chatter. This is a two-fold measure: first, to defend against attacks, and second, to ensure a full and immediate return to business as usual without data loss.
Hacking Private Companies to Attack the Government
On August 17, Security Magazine reported that T-Mobile had admitted a breach of databases holding the personal information of about 100 million people, almost its entire U.S. customer base. T-Mobile stated, however, that it was still reviewing the situation and could not yet determine whether customers' personal data had been compromised.
Vice's Motherboard had earlier reported that a seller on an underground forum was offering personal data, including Social Security numbers, allegedly taken from T-Mobile servers. The seller claimed to hold data on 100 million customers and was offering the records of 30 million of them for six bitcoin, then worth about $270,000.
BleepingComputer reported that the attacker told the cybercrime intelligence firm Hudson Rock that the attack was retaliation against the U.S. government for CIA activities. This is just one of many attacks continuously mounted against public and private organizations alike. Small businesses that work with the government are attractive as entry points for attackers whose real target is the government, which is another reason to tighten security. It is also why the U.S. Department of Defense is rolling out the Cybersecurity Maturity Model Certification (CMMC), which its contractors will be required to meet.
The Cyber Incident Notification Act
The U.S. government has recognized that not all cyber-attacks are reported; some only come to light after information leaks. The SolarWinds supply-chain compromise, disclosed in December 2020, affected many companies, including Microsoft, and numerous government agencies, and it surfaced only because FireEye announced that it had itself been breached. According to FireEye CEO Kevin Mandia, companies tend to stay quiet about cyber-attacks because disclosure can lead to lawsuits and hurt their business.
The Cyber Incident Notification Act, a bipartisan bill introduced in July, would require critical infrastructure operators, federal contractors, and federal agencies to notify the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security (DHS), within 24 hours of discovering a cyber breach. Personally identifiable information in the reports would be anonymized, reporting companies would receive limited liability protection, and the information they disclose could not be used against them by shareholders. The goal is to let the government respond quickly.
Private and Public Cooperation
On August 5, the Cybersecurity and Infrastructure Security Agency (CISA) launched the Joint Cyber Defense Collaborative (JCDC), a new initiative that partners federal agencies with the private sector to develop and execute nationwide cyber defense plans and to coordinate a unified response to cyber-attacks. The first private-sector partners are Microsoft, Google Cloud, AT&T, Amazon Web Services, Verizon, Palo Alto Networks, Lumen, FireEye Mandiant, and CrowdStrike.
Everyone must recognize the scale of the problem. Individuals, too, must follow security measures: one person's carelessness is enough to give attackers a foothold from which they can do a great deal of damage.