Last year broke all records for data loss in cyberattacks on individuals, governments, and companies. Driven by a range of motivations, hackers, activists, organized criminals, and even governments are attacking networks with increasing severity.
As large organizations—such as Costco, Target, and Marriott, all of which have suffered data breaches—have improved their cybersecurity and more small businesses go online, hackers have shifted their attention to smaller marks. According to CNBC, in 2021, 43 percent of cyberattacks targeted small businesses, only 14 percent of which were prepared to defend themselves.
A cyberattack can cost a small business like an aerial adventure park hundreds of thousands in lost revenue, credit card company fines, lost time, lost staff, destroyed equipment, and guest lawsuits. It can also crush one’s reputation.
Consider how much your operation relies on technology. In this new digital reality, to reserve tickets or complete liability waivers for an aerial adventure, guests disclose private information with an expectation that the business—you—will protect it. The more automated we get, though, the more vulnerable we become to cybercrime. So, it’s more important than ever to take steps to protect your operation.
How Do Breaches Occur?
A breach is an incident where cybercriminals access, share, or steal confidential, sensitive, or protected data. The three most prevalent cyberattacks are phishing, brute force attacks, and malware.
Phishing occurs when, through email, social media, or phone calls, attackers deceive targets by posing as people or organizations you trust. The hacker’s goal is to get an employee to give access to or provide sensitive data. Phishing accounts for 41 percent of attempts to gain access to systems.
Brute force attacks use automated password-guessing software to find passwords, sometimes in a matter of seconds if the password is weak.
Malware is software designed to interfere with a computer’s normal operation. “Malware” is the blanket term for viruses, trojans, and other destructive programs hackers use to infect systems and networks in order to gain access to sensitive information, send spam, or steal data. It can be identified by slow computer performance, browser redirects, infection warnings, problems shutting down or starting your computer, and frequent pop-up ads. The most malicious and profitable malware is ransomware, which was responsible for 21 percent of cyberattacks in 2021, according to the IBM Security X-Force Threat Intelligence Index.
Ransomware can quickly paralyze an entire organization. It encrypts a victim’s files, databases, and applications so that a ransom can be extorted in exchange for returning that data. According to Venafi’s worldwide survey of IT decision makers, a mere 17 percent of ransomware attacks ask only for money (usually in Bitcoin) for a decryption key. Eighty-three percent also involve additional extortion tactics, e.g., extorting customers directly, leaking data on the dark web, and informing customers their data was stolen.
Cost Breakdown: Before vs. After
Cybersecurity breaches and cybersecurity defenses have something in common: They both cost money. The difference is the price for security that prevents a breach can be calculated and accounted for in the IT budget, while the exact cost of recovering from a breach cannot. It can easily exceed $100,000, and can run into the millions.
Here are some financial factors to consider about recovery costs:
1. Incident response company. The first step after a breach is to work with specialists to manage the emergency, provide forensics on the breach, and get you back up and running. These services range anywhere from $30,000 to $150,000 per incident.
2. Ransom to retrieve stolen data. The FBI advises against ever paying a ransom. At the very least, never negotiate or pay a ransom yourself; always involve the experts. Still, most small businesses pay an average ransom of $30,000, out of fear that the breached data might still be leaked on public platforms or be used to extort customers.
3. Equipment recovery/replacement. Some hacks not only hold data hostage but also destroy devices. Recovery might necessitate building temporary infrastructure, rebuilding current programs, adding resources to replace systems that had to be shut down, or unplugging and isolating computers. This can run thousands of dollars.
4. Attorneys and legal services. You will need counsel to navigate privacy laws and possible lawsuits. An average retainer is about $25,000.
5. Lost revenue due to downtime. The average downtime a company experiences after a ransomware attack is 21 days, according to Coveware ransomware case data. Downtime is the costliest aspect of a ransomware attack, and recovery from a ransomware attack is often 10 times the cost of the ransom payment, according to Sophos research.
6. Increased insurance premiums from your cyber insurance policy—if you have one. A cyber insurance policy can cost from $650 to $120,000 a year. After a breach, the cost of that policy increases.
7. Customer loss. According to a survey by PCI Pal, 83 percent of U.S. consumers claim they will stop spending at a business for several months immediately after a security breach; 21 percent will never return. Consumers also reported they trust the retail and travel industries least, and they are only comfortable sharing credit card information over the phone to companies that have earned their explicit trust.
8. Increased borrowing fees and interest rates. Following a cybersecurity incident, victims often see a spike in borrowing or reborrowing fees due to a drop in their credit score rating.
The best way to protect yourself and your organization is to avoid being a victim in the first place. Though there is no silver bullet for cybersecurity, there is silver buckshot, in the form of security systems and staff training programs.
Develop a response plan for ransomware. Every business is at risk of a ransomware attack. How your team responds in the critical moment makes a difference in the amount of time and money lost. Use the new U.S. government website StopRansomware.gov as a free resource for guidance on the response process, including best practices for detecting, containing, and eradicating malware.
Don’t wait to update software. When software vendors release updates, apply them as soon as possible; these updates contain patches that resolve the latest known exploits and vulnerabilities. The “WannaCry” ransomware attack in May 2017 is a good cautionary tale. Though the attack occurred in May, the vulnerability in the Windows operating system that WannaCry exploited had been fixed by Microsoft in March, two months prior to the global attack. Many of the victims simply had not patched their operating system.
Enforce strong passwords and multifactor authentication. A strong password includes a combination of random letters, numbers, and symbols. But the experts at haveibeenpwned.com say easily guessed passwords like 123456 are still widely used; 123456 has been seen in data breaches more than 24 million times. Worse, a 2021 Identity Theft Resource Center study found that 85 percent of people reuse passwords across multiple sites. This is a problem, because even if someone has a complex password, a data breach at Facebook or Adobe could lead to the user’s account getting breached on your organization’s site through a process known as credential stuffing.
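The password guidance above, as an added example that is not part of the original article: a Python check that rejects short or single-class passwords and then looks the password up against breached-password data using the k-anonymity pattern that haveibeenpwned.com's Pwned Passwords service uses (only the first five characters of the SHA-1 hash leave your system). The range response and its counts are constructed sample data, and `sample_lookup` stands in for the HTTP call a real deployment would make.

```python
import hashlib
import string

# Constructed sample of a "range" response for SHA-1 prefix 7C4A8 (the prefix of "123456").
# Each line is "<35-hex-char suffix>:<count>"; real responses contain hundreds of lines.
SAMPLE_RANGE_7C4A8 = """\
D09CA3762AF61E59520943DC26494F8941B:24230577
0005D2B24A7B4E8A7E8C1F3E3F9C4D5E6F7:2
"""

def sample_lookup(prefix):
    """Stand-in for fetching the range for a 5-char prefix (constructed data only)."""
    return SAMPLE_RANGE_7C4A8 if prefix == "7C4A8" else ""

def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix sent out
    and the 35-char suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(text):
    """Turn 'SUFFIX:COUNT' lines into a dict of suffix -> breach count."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, range_lookup=sample_lookup):
    """How many times the password appears in breach data (0 if never seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(range_lookup(prefix)).get(suffix, 0)

def meets_complexity(password, min_len=12):
    """Require a minimum length and at least three of four character classes."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_len and sum(classes) >= 3

def evaluate_password(password, range_lookup=sample_lookup):
    """Return a list of reasons to reject the password; empty means it is acceptable."""
    problems = []
    if not meets_complexity(password):
        problems.append("too short or too few character classes")
    seen = breach_count(password, range_lookup)
    if seen:
        problems.append(f"appears in breach data {seen} times")
    return problems
```

In production, `range_lookup` would issue the HTTPS request for the prefix and return the response body; the comparison of the suffix still happens locally.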
Implement multifactor authentication (MFA) on every remote access point into a network. MFA provides an additional barrier to breach and helps ensure the users who access your system are who they say they are. As such, it can decrease the risk of several different attack types, including ransomware, data theft, and unauthorized server access.
Back up critical data. Backup software protects business data by copying it from servers, databases, desktops, laptops, and other devices in case user error, corrupt files, or an emergency renders critical data inaccessible. A backup also provides protection in the event of a hardware malfunction or hacker penetration. Data can become corrupted at any point in the backup process, so back up—and test your backups—regularly (daily or weekly).
Educate staff about best security practices and ways to avoid phishing attacks. Staff are the first line of defense in combating cybersecurity threats. Staff who do not know what the threats are, how to recognize them, and what to do about them become a risk rather than a safeguard.
Consider the top five reasons human error leads to a hack:
1. Increased use of social media by staff.
2. Failure of staff to understand new threats.
3. General negligence/carelessness with websites and applications.
4. Lack of security expertise with websites and applications.
5. Failure of staff to follow security procedures and policies.
Cybersecurity is for everyone, not just IT people. All the time and capital you invest in a robust security plan means nothing if human error is not addressed. Protect your company, your staff, and your security investment by making sure everyone in your organization is executing cybersecurity best practices.
Aerial adventure operations are relying more on technology each year. Developing a strategic, customized, and comprehensive cybersecurity program will help your organization be more prepared if—and when—you are targeted with a cyberattack.