It’s happened: someone in your company fell for a phishing email. They clicked on a link and entered their user credentials. Then one day you start receiving emails from that employee’s contacts asking whether the message they just received from you is legitimate. Your IT team takes action, deploying your incident response plan (you have one of those, right?). Passwords are changed, active sessions and tokens are revoked (a password reset alone does not evict an attacker who still holds a live session), mailbox forwarding and inbox rules are checked, and logs are reviewed, screenshotted and time stamped.
You call your insurance provider (because you have cyber incident insurance, right?) to report the incident. Next, you get in touch with an attorney who specializes in cyber law, because if you are located in California, or in one of several other states that now have strong consumer privacy laws, you will need to make sure the breach is reported to the state and to the affected individuals within the statutory deadline.
And now, the worrisome unknowns: How much time passed between the employee entering their credentials and the fraudulent emails going out? How long were the attackers in the account, with access to potentially proprietary information: bank transfer details, customer information, private company financials? So you hire a cyber forensics firm to scan the mailbox for keywords and personally identifiable information (PII), because how many emails do you send and receive in a day?
But these efforts are only the hard costs. What about the email or letter you now have to send to everyone whose personal information may have been exposed by your breach? How will your reputation be affected? Will this taint the trust your clients have in you? What if you hold sensitive government contracts, or are in the middle of an important contract negotiation?
What if you rely on online orders and a digital reading platform to support a shrinking brick-and-mortar business, like Barnes & Noble, which yesterday (October 14, 2020) had to notify its customers that personal information may have been exposed in a breach? With data breaches becoming more and more common, consumers are increasingly concerned about, and less forgiving of, companies that expose their personal data.
As far as data breaches go, Barnes & Noble’s was relatively minor. No Social Security or credit card numbers appear to have been exposed, only email addresses and physical shipping addresses. However, with the vast amount of data from other breaches circulating on the dark web, an enterprising cybercriminal could combine records from this breach with others and assemble a profile of each victim that is far more useful for targeted phishing than any single breach, whether to use it or to sell it. And cybercriminals are nothing if not enterprising.
Worse still, the Barnes & Noble breach does not appear to be the result of a phishing email like the hypothetical breach described above. Barnes & Noble’s VPN servers had previously been reported as exposed to a known vulnerability, and this breach is likely the result of a ransomware attack that exploited a similar weakness. While many people may understand and forgive the human error of clicking a link in a sophisticated email designed to deceive, they will be far less understanding of a security failure caused by an unpatched weakness in the infrastructure of a company the size of Barnes & Noble.
Regardless of the cause, the reputational damage from bad press, along with the customer trust eroded by mea culpa letters, is a significant intangible cost of a cyber breach. It is a cost that many companies fail to take into account when budgeting for cybersecurity (you do budget for cybersecurity, right?), and it is a cost that insurance cannot recoup. Loss of reputation and consumer trust persists for years, coming back to mind every time another breach hits the news. If you have not budgeted for cybersecurity training, or for an annual vulnerability assessment and penetration test (VAPT), consider the cost of losing your company’s good name. How much did you budget for that?
What Windes Can do For You
Cybersecurity is not just a concern for giant corporations or financial institutions – it is a concern for everyone. Our team, made up of industry leaders in cybersecurity, professional services, and legislation, realized that even though there are many solutions and providers available, none of them were truly tailored to professional services within the middle market. With that challenge in mind, Windes focuses on custom solutions that provide the maximum amount of protection for both your organization as well as your clients.
If you are concerned about your business’s cybersecurity strategy or if your company does not have a cybersecurity strategy, reach out to our team of industry experts so we can help prepare you for the worst. We can test your network, identify vulnerabilities, and prepare your company to defend against attackers.
For questions about Windes Cybersecurity services, please call 844.4WINDES (844.494.6337) or email us at email@example.com.