Business owners understand the basic damage that inadequate cyber security can cause, but few think about all of the long-term consequences.
Ransomware attacks can mean lost data, ransom payments, halted operations, and the cost of rebuilding your systems and securing them (work you should have done before you were hit).
Misconfigured or unpatched systems are easy targets: an unpatched software vulnerability can let an attacker take over a machine and use it in a distributed denial of service (DDoS) attack, and a router still using its default password gives an attacker a way into your network.
Untrained or careless employees may click on a link or attachment in a phishing email allowing hackers access to your network.
All these events can harm your business by costing money, impacting operations, and harming employees or customers via theft of information.
The less tangible damage, which may cause even greater harm, is loss of faith.
For a county government, this may mean elected officials are not re-elected.
For a non-profit, this may mean reduced donations.
For a business, this may mean going out of business.
Recently we worked with a local company that was the victim of a phishing attack. An employee received an email that seemed to be legitimately from a potential vendor with whom they had been in discussions. They opened an attachment that appeared to be a quote. However, it was not. The employee knew immediately that it was a phishing scam.
Next, they realized that they were no longer receiving any emails at all, when they normally would get numerous emails every day. The attacker had infiltrated the employee's email account. Not only did the attacker gain access to the employee's address book, but they also set up a rule which forwarded all incoming mail to the attacker.
The attacker then sent emails appearing to come from the employee to those in the address book, including their clients!
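A forwarding rule like the one described above is a standard move after a mailbox takeover, and it is the first thing to check on every mailbox once an incident like this is discovered. The script below is an added example written for this article; it is not part of the original post and not the tooling used in the engagement. It takes inbox rules exported from the mail system and flags the rules an attacker typically creates: forwarding or redirecting mail to a domain the company does not own, deleting incoming mail, moving it to a folder nobody reads, or giving the rule a blank name so it is not noticed. The sample rule records and domain names are constructed for the example; their field names are modelled on the attributes reported by Exchange Online's Get-InboxRule cmdlet, but the script does not connect to Exchange, so export the rules yourself and feed them in.

```python
"""
Flag mailbox inbox rules of the kind an attacker creates after a phishing
compromise: external forwarding or redirection, and rules that hide mail.

The rule records below are CONSTRUCTED sample data for this example. Field
names follow what Exchange Online's Get-InboxRule reports (Name, Enabled,
ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder);
"Mailbox" is added here so several mailboxes can be scanned in one list.
"""
from dataclasses import dataclass
import re

# Matches an SMTP address inside strings such as 'Alice [SMTP:alice@example.net]'
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+", re.IGNORECASE)

# Folders that mail is commonly moved to so the owner never sees it
LOW_VISIBILITY_FOLDERS = ("RSS Feeds", "RSS Subscriptions", "Archive",
                          "Junk Email", "Conversation History")


@dataclass
class Finding:
    mailbox: str
    rule: str
    reason: str
    detail: str = ""
    enabled: bool = True


def addresses(value):
    """Pull every SMTP address out of a recipient field (string, list or None)."""
    if not value:
        return []
    if isinstance(value, str):
        value = [value]
    found = []
    for item in value:
        found.extend(m.group(0).lower() for m in EMAIL_RE.finditer(item))
    return found


def is_external(addr, internal_domains):
    """True unless the address belongs to one of the company's own domains."""
    domain = addr.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d)
                   for d in internal_domains)


def scan_rules(rules, internal_domains, hidden_folders=LOW_VISIBILITY_FOLDERS):
    """Return a Finding for every suspicious property of every rule.

    Disabled rules are reported too: a disabled attacker rule is still
    evidence of compromise, and re-enabling it is one click away.
    """
    internal = {d.lower() for d in internal_domains}
    hidden = {f.lower() for f in hidden_folders}
    findings = []
    for r in rules:
        mbx, name, enabled = r.get("Mailbox", "?"), r.get("Name", ""), bool(r.get("Enabled", True))

        # 1. Mail leaving the organisation through the rule
        for attr in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            ext = [a for a in addresses(r.get(attr)) if is_external(a, internal)]
            if ext:
                findings.append(Finding(mbx, name, f"{attr} to external address",
                                        ", ".join(ext), enabled))

        # 2. Mail made to disappear from the owner's view
        if r.get("DeleteMessage"):
            findings.append(Finding(mbx, name, "DeleteMessage", "", enabled))
        folder = (r.get("MoveToFolder") or "").split("\\")[-1]
        if folder.lower() in hidden:
            findings.append(Finding(mbx, name, "MoveToFolder to low-visibility folder",
                                    folder, enabled))

        # 3. A name chosen so the rule is overlooked in the rules list
        if not name.strip(" .,-_"):
            findings.append(Finding(mbx, name, "Rule name is blank or punctuation only",
                                    "", enabled))
    return findings


# Constructed sample export: one benign filing rule, one attacker-style rule,
# one internal redirect, and one disabled external forward.
SAMPLE_RULES = [
    {"Mailbox": "alice@smallco.example", "Name": "Vendor quotes", "Enabled": True,
     "MoveToFolder": "Inbox\\Vendors"},
    {"Mailbox": "alice@smallco.example", "Name": ".", "Enabled": True,
     "ForwardTo": ["Alice [SMTP:alice.smallco@mail-relay.example.net]"],
     "DeleteMessage": True},
    {"Mailbox": "bob@smallco.example", "Name": "To assistant", "Enabled": True,
     "RedirectTo": ["Carol [SMTP:carol@smallco.example]"]},
    {"Mailbox": "bob@smallco.example", "Name": "Old forward", "Enabled": False,
     "ForwardTo": ["[SMTP:bob@personal.example.org]"]},
]

if __name__ == "__main__":
    for f in scan_rules(SAMPLE_RULES, ["smallco.example"]):
        state = "" if f.enabled else " (disabled)"
        print(f"{f.mailbox}: rule {f.rule!r}{state}: {f.reason} {f.detail}".rstrip())
```

Run against a real export, the script turns a list of rules nobody reads into a short list of questions: why does this mailbox forward to a domain we do not own, and why does a rule named "." delete everything it touches. Rules that redirect to internal addresses, like the assistant example, are deliberately left alone, because flagging every ordinary rule is how such reports end up ignored.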
The small company had several large corporations as clients. The phishing attack, and the new phishing emails that were now sent to the clients, caused damage worse than an exfiltration of data or a ransomware attack. The harm was to the good faith of their customers.
Immediately, one of their largest clients ceased all electronic communications with the small company. All emails from the smaller company's domain were blocked by the larger company's email server. This not only hampered communications, it was also how the small company invoiced its clients, so now they were unable to get paid.
The client then demanded that if the small company wanted to continue doing business with them, they had to obtain cyber security services and provide proof. Trust definitely was lost.
While this would seemingly solve the immediate issue of protecting the small business and appeasing the client, it was not all "forgiven and forgotten". The relationship has not been restored to its previous level of trust. At this point, it is unknown how long the client will retain the services of the small company. That in itself will be a huge negative impact. But it also may damage their reputation with the other clients the small company does business with, and the client will hesitate to recommend the business to its peers.
When was the last time you recommended a restaurant with poor service? People are far more likely to share a bad story than a good one.
The answer is to implement cyber security before you are pressured to do so by a client. Given how much time and effort it takes to land a new customer, it is important that you protect them and their data as much as you protect your own business and employees. Otherwise, there will be no business left to protect.