SMBs and startups don't have the same resources to spend on cybersecurity as an enterprise, but that doesn't mean they should skimp on a cyberdefense plan altogether.
TechRepublic's and ZDNet's Dan Patterson spoke with attorney Stephen Lilley, of Mayer Brown's Cybersecurity and Data Privacy practice, about how an SMB or startup should prepare against cyberattackers. Lilley stressed that businesses should be wary of free email and cloud-storage services and eliminate as many risks as possible, because attacks are proving to have long-range legal implications.
Dan Patterson: Cyberattacks are an undeniable component of business. Enterprise companies have the resources to put up good defense. What about SMBs and startups? Stephen, thank you very much for your time today.
I hear this all the time, I'm sure you hear this as well. "My business is small, we're local, we're regional, or we're a startup and we just don't have the resources to spend on cyberdefense." How can companies that are small or just don't have a lot of extra cash still put up a good defense?
Stephen Lilley: Thanks for the chance to talk to you about this important topic today. You're right. We hear this all the time. Big companies have compliance programs, they have massive security programs. The small businesses and startups, this is not something they can achieve. There's not the money to go around to invest in such huge programs. At the same time, the threats are real, and companies, unless they address cybersecurity in a reasonable way, could find themselves facing existential risks, both from a business perspective and from a litigation and liability perspective.
Patterson: So I'm sure you hear this as well. I hear this all the time but, "Okay. I get it. I understand that I have to spend some money, but I just don't have the money or where should I spend the limited resources my company has?"
Lilley: Every company has a different profile. Some companies hold personal information. If you think about a startup that's putting out some new app for healthcare information, for example, a fitness tracker or something like that. That company is obviously going to want to be very focused on protecting that personal information.
Other companies may have a very new exciting technology that they want to guard very closely. I think the key takeaway for companies is to identify where the greatest risk is and then identify what steps they can take, given their budget to protect those risks, protect those threats, and for companies in regulated industries, particularly. So for example, a company that's in healthcare or a company that is handling personal information, they obviously want to be thinking as well about what a regulator might think if there were to be some sort of compromise.
Again, understood that small businesses don't have compliance programs. They don't have a huge department that's doing audits like a big enterprise company would, but if you could spend a little bit of time thinking about: "Who are the people? Where are my legal risks going to be? And how do I generally guard against them?" It can be fairly simple, it can be as simple as... If you're a really small business, don't email back and forth spreadsheets full of personal information. That's just not a good idea. Obviously, as you get bigger and bigger, your process will mature.
There's some basic steps that you can take and regulators at the FTC have made clear what those can be for small businesses.
Patterson: This may sound like a rhetorical question, but what type of threats do small businesses face? Are these the same as large enterprise companies and government organizations?
Lilley: I think ultimately, they are. They may be at a different scale, but the same general threats face all types of companies. If you hold personal information, there's a risk that someone is going to try and steal that personal information and monetize it one way or another. If you have a trade secret, there is a threat that somebody is going to try and steal that trade secret and make some sort of commercial gain from it.
If you have any sort of system, there is a chance that someone could use a disruptive attack against you like the ransomware attack, and shut down your systems, and you lose access to them and you have to pay money or through some other means to get access back to your systems. While if you're a massive Wall Street bank, your threat profile is going to be different; the basic types of threats you face are generally going to be the same.
Patterson: So, what can I do to mitigate cyberattacks or mitigate the risk of attacks happening to my company?
Lilley: If you're this very, very early stage startup, there are just some basic practices that you can use to protect against the basic threats. Those are frankly going to be the same as your personal computer hygiene. You should be very careful about the email system you're using; there are a variety of free services where you can store documents in the cloud. Those are all good things to explore.
As you get more and more mature as a company, you are going to want to start to put in place some sort of plans and policies. You're going to want to think about if something does go wrong: "Who am I going to call?" You're going to want to use some sort of managed service provider to protect your systems and your information, assuming that you're not going to build that capacity in-house.
Patterson: Stephen Lilley, Mayer Brown. Always good to talk to your team. As we look into the next year, three years, ransomware is an undeniable component of doing business, but what keeps you up? What cyberthreats are bubbling under the surface that could impact particularly SMBs and start-ups over the next, say, 12, 18, 36 months?
Lilley: I think there's a wave of new types of attacks that are coming that don't necessarily impact a company immediately, but can have really significant follow-on legal effects. For example, there are Bitcoin mining attacks now, where basically hackers are taking advantage of unsuspecting company systems to mine for Bitcoin. So they compromise your system, and they turn your system into a Bitcoin-mining operation. That is something that can happen. It doesn't necessarily mean ... Your system may slow down, but when it turns out later that you've had some sort of criminal syndicate running on your systems, and the FBI is knocking on your door, that's a very bad day.
It's sort of the next wave of attack, and similarly, I think you saw this a little bit already last year with the Mirai botnet. Devices being used to attack other systems, I think, is another sort of risk. Again, it's not something that small businesses are going to think about, but if it turns out that your devices have been attacking some third party, again, that's going to be a very bad day when you find that out and you have to start thinking through what obligations you have to those third parties you didn't even know you had any connection with.