
The World Economic Forum believes cyberattacks are a more imminent threat for businesses than infectious diseases. We need to put in a great effort to avoid both. Why do we insist on ignoring cyber crime while we worry about the coronavirus?

Since late December 2019, the COVID-19 pandemic has spread into 114 countries from a grimy, live animal market in Wuhan, China. Vendors there knew how to avoid infectious diseases: wash your hands, wash your food. But they didn’t care enough. It’s the same carelessness that costs companies thousands or even millions of dollars in post-hacking recovery damages. We now care about stopping the coronavirus, but we don’t seem to care about stopping cyber crime from reaching our company, even though it has been a real danger for years.

Picture 1: The results of a 2019 survey by the World Economic Forum exploring business risk for the next 10 years. Circle 1 marks infectious diseases, circle 2 marks cyber attacks and circle 3 marks data fraud or theft.

The threat of a cyber crime virus affecting your business depends on the volume of data you keep, but it’s there. In a 2019 global survey from the Ponemon Institute, 66% of 2,391 IT professionals at small and medium enterprises revealed that hackers attacked their company during the year. Is there a real risk of a cyber attack on your business? Yes, if we look at the recent security breaches:

  1. In January 2020, Microsoft lost 250M customer service and user records from 2005 onward
  2. In December 2019, Facebook lost 267M records, but they wouldn’t have known if it weren’t for researcher Bob Diachenko, who uncovered the leak
  3. In November 2019, T-Mobile lost 1M full-scale records including billing addresses
  4. In July 2019, Capital One bank — the third largest card issuer in the US — lost 100M records, including card numbers, in an insider attack

Cyber crime is preventable — if you act

So what’s the cybersecurity hygiene for your business? Consider the interview questions that each one of my prospects faces:

  • Do you work with an administrator to keep all website components secure?
  • Does your company review the website’s security at least once a month?
  • Does your website use multi-factor authentication?

As a digital gateway for business, websites are at the forefront of defensive efforts. In my experience, companies have at most a system admin with whatever he or she knows about cybersecurity. Outside of IT, management doesn’t register how often that person reviews online security measures. They imagine their website is secure just because they said it should be and because there’s a hidden backdoor link with the login and password in safe hands. The rule is not to shake hands in a COVID-19 infection area even if people look relatively healthy. Even when our website appears to be safe, our rule should be to keep it this way through conscious action. The virus symptoms show after 2 weeks, while it can take 5 days to a month for a security-focused organization to uncover a data breach. That’s twice the time needed to sell records on the black market for that early retirement fund. That should lead you — the business owner or a friend of one — to consider the next steps:

  1. Commission a website security audit to assess the risk of a breach. Remember — if you hold any customer records in a considerable volume, you qualify as a target for an attack.
  2. Website hosting providers don’t protect websites from hacking, and self-hosting is not safer either without 24/7 supervision. SaaS security solutions such as Titans24 can store your website, app, or data in a digital vault with real-time monitoring and prevention at a reasonable price.
  3. The digital assets we mentioned should undergo security reviews once a month. Somebody knowledgeable has to do that. Or you can automate it if you use a secure hosting platform.

Businesses need cybersecurity hygiene

The fear of money loss caused by hacking seems to resonate with businesses the most. In that case, money burns in 3 main areas: GDPR fines, recovery damages, and lawsuit losses. You might wonder why we are talking about legal costs. Business offices close so that one infected employee doesn’t take out half of the company. But your online business office — which is your website — can spread a malware infection under your radar for months. For instance, criminals steal payment information from users by inserting malicious code into forms (“formjacking”). This happened to British Airways in October 2019. Not only did the airline get slapped with a £183.4M data breach fine, but the United Kingdom’s High Court passed a group litigation of 500,000 customers against the company with potential compensation of £6,000 to £16,000 per individual. Although only mega-corporations face financial damages of that scope, a client can sue any business for losing data if he or she proves the resulting damage. By protecting your website all year round, you protect your customers.

Cybercrime is a pandemic that will cost businesses $6 trillion in damages by 2021 (Cybersecurity Ventures). Stopping COVID-19 starts with us following the advice from the WHO and local health authorities. We should approach cyber crime prevention with the same heightened awareness, as it’s not avoidable by distancing ourselves. When the time comes, it hunts us down.

Stay safe during the COVID-19 outbreak with this safety guide from WHO.