Just one of the articles from Pet Care Pro Quarterly, IBPSA’s digital magazine for pet care services professionals.
“While the threat of a cyber attack is real for businesses of all sizes, nearly half of small businesses in the U.S. have suffered a cyber attack in the past year. Small businesses are less likely to have strategies in place to ward off attacks, detect them early if they do occur, and reduce the damage. And, they are less likely to be able to withstand the financial impact of a hack or breach.” – 2018 Hiscox Small Business Cyber Risk Report
Think your pet care business isn’t at risk of a cyber attack? How much of your business is online? Do you keep your clients’ contact information on your computer system? Their credit card information? Do you have online reservations? Do you have a website? Do you use email? Pet care businesses are not immune to being hacked. Could your business survive a cyber attack? Another one? If you’ve been hit once, the likelihood of being attacked again increases.
On November 28, 2018, IBPSA conducted a free webinar for its members on the subject of cyber safety with cyber security experts Dan Talbott and Harold Collum. The eye-opening webinar brought home the vulnerability of pet care businesses and presented general measures to take, not only to avoid being attacked but also to survive if you are.
Shortly after the webinar, one of the attendees sent this to IBPSA:
“Thanks for getting this subject in front of us. It’s one of those topics we don’t want to think about, and it’s easy to put it aside and say I’ll take care of this later. After listening to the webinar, I have placed it as a priority on my list of must do! I appreciate all the info I am getting from IBPSA as I plan out my new facility.”
The following presents key highlights from the webinar. The full webinar audio is also available for members of IBPSA in the video library through the membership dashboard at https://members.ibpsa.com (you must be a member of IBPSA to log in). Whether your preference is reading or listening, make learning about cyber safety and implementing security measures a priority now.
Cyber safety, cyber security, data protection, and data privacy.
One of the main questions people have today is about data privacy and your responsibility for the data you carry on your computer system and through your networks. Using pet boarding facilities as an example, phone numbers, addresses, and credit cards – lots of personally identifiable information – are kept by facilities. Customers’ data resides on a boarding facility’s computer system. The European Union’s General Data Protection Regulation (GDPR) has now essentially forced itself out into the world. In the U.S., for example, California and New York also now have data protection acts. While it’s currently state-by-state for the most part, at some point there will be a national federal data privacy law in the U.S. Part of your responsibility, and a potential risk to your business, is caring for this data. This “cyber safety” subject is about cyber safety, cyber security, data protection, and data privacy.
Risk versus return.
Questions for business owners revolve around that age-old equation of risk versus return. If you want to reduce your cyber risk all the way practically to zero, then you won’t have a website, you won’t have email, you won’t do any online business. That will drastically reduce the likelihood of getting hacked or getting a data breach. Of course, that’s also going to drastically reduce how people are able to find your business, how they’re able to contact you, learn more about you, and compare you to competitors. In short, being online is a necessary business risk.
Pet care facilities with webcams present an additional “entry point” vulnerability. The Internet of Things, or IoT, is essentially anything that has a sensor. Surveillance cameras. Thermostats. Microphones. With the IoT in the mix, you’re increasing the complexity of your network and making it a more attractive target for hackers who possess special software and machines that allow them to scan networks looking for vulnerabilities. Assuming there are 10 million hackers in the world right now, some of them would scan across, say, a live pet care webinar; that’s just the nature of it. But the webinar is not intruded upon thanks to security measures put in place by the webinar hosting provider. Unless you’re a specific target, such as a government defense contractor or a big law firm with a client’s big trade secrets, most of the targets are random. The good news is, random targets are safer with a nominal amount of cyber security measures being taken. In that regard, there are two terms everyone should know: cyber hygiene and cyber resilience.
Cyber hygiene has to do with, for example, do you have anti-malware? Do you have anti-virus? Do you have a firewall on your computer system? On your network? Do you run scans? Do you update your software? Do you update your Adobe Reader when it has an update? Whenever Microsoft Office has an update? A known vulnerability comes through and they issue a patch. Do you keep up with your software patches? Cyber hygiene is keeping your system clean, keeping it protected.
If you were hacked with ransomware, a breach of catastrophic proportions, the cyber attackers could encrypt your entire system, making it inaccessible to you, and demand you pay some sum – $500? $5,000? $50,000? (whatever it might be). If you can’t get to your databases, you’re out of business. But if you have a backup plan and system in place, then you’re going to be more resilient. That plan may include buying another laptop you can then load with your backed up system. Studies show that the longer it takes you to get back online, the more vulnerable you are, the more catastrophic the blow, and the more likely you will eventually go out of business.
Be ready with a backup.
A very possible and very doable backup should have you up and running within hours or a day or so. The big trick is to not back up on your main system because then your backup will also be encrypted and stolen. Your backup needs to be redundant and not attached by any connection to the main operating system you work off of. Cyber hygiene keeps your system clean and cyber resilience keeps you up and running. You’re not paying some extortion fee to get the key to the ransomware because you have a backup.
People, process, and technology.
According to the 2018 Hiscox Small Business Cyber Risk Report, 47% of small businesses had at least one cyber attack in the past year. Of those, 44% had two to four attacks. Once they know they can get in and what kind of data they can get off your network, they’ll just keep coming at you because now you are no longer just any of the hundreds of millions of entry ports out there. They did it once, they’ll see if they can do it again. The trick, of course, is not getting hacked in the first place with good cyber hygiene. The three main themes popularly addressed when it comes to cyber security are people, process, and technology. Technology, while the most intricate and complex, is also the easiest part of the problem to deal with as you can buy anti-virus software, you can install a firewall. The people and the process are a different animal as it comes down to proper training. Have you trained that new hire or a temporary hire on the processes you have in place to maintain your network and data security? One of the worst violations of processes is employees using company computers and networks to access their personal social media accounts, potential sources of intrusion.
Formalize policies (hope is not a strategy).
HR manuals should include written cyber policies and employees should be properly trained so they have the opportunity to do a good job protecting your company. Moreover, formalized policies also provide cause of action justification should an employee need to be terminated for improper actions. Cyber insurance is one of the fastest growing sectors of the insurance industry and insurers are going to require those written policies in HR manuals. Hope is not a strategy, and it is a bad place to be. Don’t hope your employees know what to do, write it down.
Yes, it can happen to you.
Everyone reading this article has either been breached or will be sooner or later; it is just a matter of time. Maybe it will be a breach through a third-party vendor like the big retail store breaches that make the news. Maybe you have a client who regularly sends you an email asking about her dog. You click on the email, but it wasn’t actually from your client, it just looked like it was from her. Those are the relatively simple ways you can be breached. Depending on a boarding facility’s location or clientele, your facility could be more of a specific target. Ever notice your computer network running more slowly? Cryptojackers could be hacking into your system and stealing your bandwidth for nefarious undertakings. These more specific situations are beyond the scope of this article, but they do exist.
For pet care facilities looking for cost-effective solutions to back up their systems, there are widely available, cloud-based systems, web hosting services, and online platforms that are inexpensive but effective for backing up, staying secured, and regularly patched. That being said, even for those looking to save money while implementing a cyber plan, bringing in an expert who can do an assessment of your system and help design and implement your strategy and written policy guidelines is worth the investment. If you pay a cyber consultant $2,500, what is that compared to potentially being unable to conduct business for three days while you get up and running again? Compared to mailing out notifications to 500 clients that your system with their personal and credit card information was hacked?
Finally, be sure to ask all related cyber vendors that you use (the cloud-based servers, the web hosts, the online booking systems) to provide you with information on their cyber security measures. Don’t just assume, ask.
SIDE BAR: From the May 11, 2017, Inc. article, “60 Percent of Companies Fail in 6 Months Because of This (It’s Not What You Think)”: Research conducted by the National Cyber Security Alliance found that:
Harold Collum is the founder and Managing Director of Black Swan Consulting Group, LLC, strategic partners in cyber security, data privacy, digital asset protection, and loss recovery. Harold is also the founder and CEO of U.S. Data Mining, Inc., where Dan Talbott serves as president. U.S. Data Mining, Inc. provides risk management database products and related services, leveraging the IoT to provide a 360° view of enterprise risk.