A technology provider is meeting with a company that they provide IT support for, and the client brings up cybersecurity. “We’re not concerned,” says the company’s President, “We’re too small to be a target. It will never happen to us. A commercial insurance agent is meeting with their nonprofit agency client and suggest a review of the very minimal cyber coverage in the current policy. To increase coverage will require that the agency have some basic cyber testing performed. “We don’t have any budget for that and we’ve never had an issue so we’ll take our chances,” says the Director. The IT Director for a small town approaches the First Selectman with concerns about how they would respond to an incident since he is the only technical resource and their outside IT consultant doesn’t have any experience in that area. He suggests that they retain a firm just in case, but the Selectman shoots him down. “We’re not Atlanta – no one is after our data” is his reasoning.

A look at the ID Theft Center breach response list shows that in January 2020 alone, a total of 76 data breaches exposed 622,496 sensitive records and 652,683 non-sensitive records. This was the highest number of breaches in one month in the past 3 years. Let’s look at some examples of reported breaches:

Viking Partners is an investment management firm in OH that specializes in real estate funds. After a phishing email was sent out from an employee’s account, they hired a cyber forensics firm to investigate. The investigation determined that the employee’s email account that included Social Security and EIN numbers, date of birth and other personal information for over 500 clients had been compromised, and all had to be notified of the potential exposure and provided with credit monitoring and protection. A&S Construction in Colorado also detected unusual activity on an employee’s email account and found personal information on over 600 staff and customers had been exposed. They too had to pay for forensics, remediation costs to increase security controls, and notification and credit monitoring expense. No company is too small for phishing emails that cast a wide net and wait to see who responds, so they can obtain their credentials and look for data they can profit from.

The Native American Rehabilitation Association of the Northwest, Inc. (NARA NW) announced that it experienced a cybersecurity incident after malware capable of accessing and exporting data resulted in unauthorized access to some patient healthcare information. Since forensics could not verify exactly which files were exposed to the malware, notification and monitoring were required for all 25,187 current and past patients.

City of Port Orange, FL reported an incident when data was exposed by CentralSquare, a third-party utility billing vendor who provided and managed their online payment portal for residents to pay their utility bills. An estimated 5,615 records were exposed, which is surely not the population of Atlanta, but given that the exposure was caused by a vendor payment portal that many other cities and towns also use, the larger target was the vendor. Even small organizations that may not have enough data to be on a hacker’s radar can find themselves in this situation.

Key takeaways:

  • Hacking accounted for 76% of the records exposed in January, and it was mainly via malicious code or phishing emails that are continuously being spread by automated bots without specific targets.
  • Nonprofit does not mean “not profitable for hackers”, especially if the nonprofit maintains health information, financial account details, or personal information on members, donors or patients.
  • Not budgeting for reasonable protections is not good ROI. Penetration testing costing less than $5,000/year could uncover known vulnerabilities that could easily be exploited to expose data. Our breach response service starts under $2,500/year and can not only detect if data attributed to the client’s domain or key vendors may have been exposed, but also provides 24/7 access to incident responders and up to $250,000 per year to pay for related costs of the incident.  And most commercial insurance agents who offer cyber coverage can review your coverage with you at no cost to explain the deductible, non-covered breach expenses, and what requirements you will have to meet to be able to collect on a cyber claim. With even the most minor incidents resulting in six-figure total costs, this is critical information for a small business owner to understand.