A technology provider is meeting with a company that they provide IT support for, and the client brings up cybersecurity. “We’re not concerned,” says the company’s President. “We’re too small to be a target. It will never happen to us.”
A commercial insurance agent is meeting with their nonprofit agency client and suggests a review of the very minimal cyber coverage in the current policy. To increase coverage will require that the agency have some basic cyber testing performed. “We don’t have any budget for that and we’ve never had an issue, so we’ll take our chances,” says the Director.
The IT Director for a small town approaches the First Selectman with concerns about how they would respond to an incident, since he is the only technical resource and their outside IT consultant doesn’t have any experience in that area. He suggests that they retain a firm just in case, but the Selectman shoots him down. “We’re not Atlanta – no one is after our data” is his reasoning.
A look at the ID Theft Center breach response list shows that in January 2020 alone, a total of 76 data breaches exposed 622,496 sensitive records and 652,683 non-sensitive records. This was the highest number of breaches in one month in the past 3 years. Let’s look at some examples of reported breaches:
Viking Partners is an investment management firm in OH that specializes in real estate funds. After a phishing email was sent out from an employee’s account, they hired a cyber forensics firm to investigate. The investigation determined that the employee’s email account, which included Social Security and EIN numbers, dates of birth and other personal information for over 500 clients, had been compromised; all of those clients had to be notified of the potential exposure and provided with credit monitoring and protection. A&S Construction in Colorado also detected unusual activity on an employee’s email account and found that personal information on over 600 staff and customers had been exposed. They too had to pay for forensics, remediation costs to increase security controls, and notification and credit monitoring expenses. No company is too small to receive phishing emails: attackers cast a wide net, wait to see who responds, harvest those users’ credentials, and then look for data they can profit from.
The Native American Rehabilitation Association of the Northwest, Inc. (NARA NW) announced that it experienced a cybersecurity incident after malware capable of accessing and exporting data resulted in unauthorized access to some patient healthcare information. Since forensics could not verify exactly which files were exposed to the malware, notification and monitoring were required for all 25,187 current and past patients.
The City of Port Orange, FL reported an incident in which data was exposed by CentralSquare, a third-party utility billing vendor that provided and managed the online payment portal residents use to pay their utility bills. An estimated 5,615 records were exposed, which is surely not the population of Atlanta, but given that the exposure was caused by a vendor payment portal that many other cities and towns also use, the larger target was the vendor. Even small organizations that may not have enough data to be on a hacker’s radar can find themselves in this situation through a vendor they rely on.
Key takeaways: