Ulistic Projects Blog

Ask any small or medium-sized business owner and they’ll tell you the same thing: They’re terrified of a data breach. Sure, their fears might not exist on the same plane as, say, a Target or a Wells Fargo, but that doesn’t mean they’re not real and quantifiable.

The average numbers are pretty scary, in fact. According to MarketWatch, citing a study by IBM Security and Ponemon Institute, “the 2018 Cost of a Data Breach Study found that the average cost of a data breach globally is $3.86 million, a 6.4 percent increase from the 2017 report.”

That’s just the average, mind you. Things get much more frightening on a large scale: “the study also calculated the costs associated with ‘mega breaches’ ranging from 1 million to 50 million records lost, projecting that these breaches cost companies between $40 million and $350 million respectively.”

These numbers become even more heart-stopping when you consider that a data breach’s costs don’t end at the financial. There are some hidden costs of data breaches that you may not yet have considered. While no one likes to conjure more bogeymen than necessary (isn’t the world scary enough?), it’s critical to take data breach extremely seriously.

Here are seven of the most notable – and the most frightening – hidden costs of data breaches.

1. Loss of Intellectual Property

One of the most significant losses associated with a data breach is intellectual property. This can include:

• Blueprints for setting up a factory
• Specs for a project
• Code for a piece of software or another product
• Proposals for new products or services
• Recipes for proprietary dishes or ingredients (think “secret sauce”)
• The means of replicating patented products

If an attacker gets their hands on this information, you might suddenly have a competition where before you owned a niche. This is bound to decrease your profits and impinge upon your success.

2. Disruption of Operations

Data breaches cause a lot of panic and havoc, and unfortunately, this means suspending normal daily activities in favor of dealing with the crisis. This can put your standard timelines behind by days, weeks or even months … which is time and money you can’t get back.

3. Destruction of Property

We tend to think of data breaches as a one-way flow of information out of the formerly secure system. This includes client or customer information, intellectual property, company figures and documents, or other pieces of information customarily kept private.

However, some data breaches also include an element of cyber attack, information flowing in that is harmful to the system. Perhaps the attacker sends through the malicious code to damage it. They may also attempt to shut it down while withdrawing the data, with the intent of making it more difficult for the company to protect itself. In some cases, these attacks leave long-term damage behind, and it takes thousands or millions of dollars to pick up the pieces.

4. Loss of Customer Relationships

For obvious reasons, your customers aren’t going to be thrilled to learn that their credit card information, medical records or private purchase histories are now out in the world. While some may forgive you, especially if you take the right steps to fix the problem as soon as possible, others will not. The loss of their business can majorly cut into your margins.

You may even face canceled contracts. Money that was already factored into your budget on a monthly or yearly basis is now gone, and it will take time to replace it through new clients and customers.

5. Disrupted Vendor Relationships

It’s not just customers you have to worry about. Most people don’t want their names associated with an accident or leak that gets their end users in trouble. B2B companies still worry about what consumers will think, especially when they’re products are used as-is and branded. They may pull out as well, forcing you to find new vendors for your goods.

6. Disappearance of Important Information

Client and customer information is precious to your company. Not only do good records allow you to keep serving your important people well, but they also form a valuable basis for your business in the future. In addition to creating acrimony between yourself and your clients, losing that information can cost you considerably.

For instance, consider a breach of your customer relationship management (CRM) software. You keep a lot of valuable information inside that system, such as:

• Customer details, including their personal information
• Records of past interactions with clients or customers, such as medical history or purchases
• Contacts made with the customer
• The nature of contact made, such as phone or email
• Financial information
• Personal notes regarding the relationship you’ve forged with each client or customer

… and additional information that helps you to relate to your VIPs day in and day out. Starting from scratch does more than failing to impress them; it can ruin all the hard work you’ve put in so far.

7. Increased Cost of Loans

Data breaches, despite your best intentions, send the signal that your company can’t be trusted. Usually, we assume that it’s consumers whose good opinion we’ll lose, but banks and other lending companies also tend to become a little cold.

Post-data breach, it’s very likely that your company’s credit score will drop. The results of this vary:

• You might have a harder time getting loans or extending lines of credit
• You may have to pay higher interest rates when you do get loans
• You might not be able to get loans at all

Any of the above may hamper your growth and limit your ability to produce new revenue, which can cost just as much in the end as losing money you’ve already made.

Bottom line? You can’t take data breach seriously enough, so if you haven’t yet done a risk assessment and put a security plan in place, make that a top priority right away. Otherwise, you’re a sitting duck just inviting breach and attack, and that’s no way to run a business.

Making an Ultimate Technology Plan for the New Year

Times are changing. Apparently, this is the case considering we’re about to head into 2019. How is your current technology holding up at your company? If you feel like there are certain things that you need to change up to stay competitive, it might be time to confront this challenge head-on with an ultimate technology plan.

You may not be familiar with how to implement one, but once you learn the basics, which we are going to show you here today, it’s a smooth process that will have you on the road to an overall improvement in every aspect of your offices’ technological needs.

Let’s get started with how to create a technology plan for your company or small business so that when you head into the new year, you’ll be thoroughly prepared to be on the cutting edge tech-wise.

Step #1: Look Over Your Existing Technology

When you look around your small business or office setting, what do you see? Do you see old computers, old printers, and another dinosaur related tech that you aren’t even using anymore? Part of your plan should be to clear out old and outdated tech stuff that you probably aren’t using anymore.

Now is the time to recycle all of that and remove it for good from your workspace. It’s like a breath of fresh air when you clean out old technology this way. The beginning of the new year is the perfect time to do this. You’ll be pleasantly surprised at how much this can help to improve the overall attitude of an office or another work setting.

Step #2: Create an Ideal Budget

Mention the word budget and it always feels a little bit “heavy.” What can you afford? What can you really really afford? Sometimes what you need and what you can afford are two different things.

Create an ideal budget in mind that fits in with your revenue plan. You don’t want to overspend, but you do want to achieve your ultimate technology plan with the right budget in mind. Do the best you can with this.

It may require some research to figure out how to afford the technology items you need, but with the right focus, you should be able to obtain great technology that fits into your set budget.

Step #3: Plot Out What You Need

Figure out everything you need tech-wise and the cost for each item. Put all of it into your plan so that you can visualize having the full scope of your new tech at your disposal.

Don’t leave anything out to figure out later. Make this ultimate technology plan as detailed as possible so that you know exactly what you will end up with to ultimately suit your needs.

Step #4: Implement a Realistic Timeline (3-6 Months)

Most of the time you are going to want to get your new technology purchased over a few months. If you can afford it all at once, fantastic. If not, it’s okay to set up a realistic timeline to obtain everything you are going to need to have updated gear that works for you.

Many companies look for a timeline that extends around 3-6 months. If you need it to be shorter or longer, according to your individual company’s needs, that’s fine too. It all goes back to your budget and what you can afford to do at any one time. Or over a few months if need be. Your finance department will be able to assist you with this part of the technology plan.

Step #5: Write Your Plan Out in Detail

Your plan is known as your “technology vision statement.” Sounds pretty fancy, right? This is going to help you achieve your mission to be updated entirely going into the new year with your brand new technology in place.

You’ll be amazed at how much fresh tech will energize your team. Don’t underestimate the power of renewed vigor and the new year is the right time to have your technology planning accomplished. Set out and do it right so that you are ahead of the game in your industry.

It just makes everything you need to get done go a lot smoother for you and your team. After all the last thing you want as a cutting edge company is to look like you are lagging behind tech-wise. Your clients will pick up on your overall image and tech that isn’t up-to-date looks like an eyesore.

If the frightening headlines about massive data breaches were not warning enough, upwards of 60 percent of all small and mid-sized businesses, reportedly shutter within six months of a systems hack.

The leading causes of nefarious systems incursions are reportedly caused by about 25 percent of valued employees repeating the same username and password across multiple platforms. But what remains even worse is that fact that as many as 95 percent of all small businesses lack adequate protocols to safeguard important company or customer information.

In the coming months and years, cyber threats are expected to continue to pose a grave danger to the health and well-being of small and mid-sized organizations. The question business leaders may want to ask themselves is . . . will you join the 60 percent of companies that did not recover from a data breach?

Strengthen Your Business Defenses

Many of the toppled 60 percent may wish they knew then what many know now. That is, the key to cybersecurity does not solely depend on having the best software protections. According to the National Cybersecurity and Communications Integration Center, and Department of Homeland Security, nefarious email remains a primary trap used by cybercriminals and DHS recommends the following safety procedures.

“Never click on links in emails. If you do think the email is legitimate, whether from a third party retailer or primary retailer, go to the site and log on directly. Whatever notification or service offering was referenced in the email, if valid, will be available via regular log on.”

“Never open the attachments. Typically, retailers will not send emails with attachments. If there is any doubt, contact the retailer directly and ask whether the email with the attachment was sent from them.”

“Do not give out personal information over the phone or in an email unless completely sure. Social engineering is a process of deceiving individuals into providing personal information to seemingly trusted agents who turn out to be malicious actors. If contacted over the phone by someone claiming to be a retailer or collection agency, do not give out your personal information. Ask them to provide you with their name and a call-back number. Just because they may have some of your information does not mean they are legitimate.”

As you can surmise, these cyber safety measures do not necessarily rely on the latest antivirus software or systems protections. Hackers continue to take advantage of human oversight and error to infiltrate organizations and pirate valuable personal data and intellectual property. Homeland Security also recommends that business leaders implement the following employee training and protocols to protect against data breaches via email.

• Maintain Secure Passwords: Change passwords regularly and never share them or provide co-workers with access.
• Verify Sources: Make certain that emails originate from people and companies within your network by contacting them directly for verification.
• Nix Auto-Download: Never use automatic download options for email attachments.
• Never Click On Links: Embedded links are a primary method used by hackers to trip up team members through ransomware and malicious viruses.

Strengthening a company’s defenses begins with employee training and awareness that data breaches are not reserved for significant organizations and Fortune 500 corporations. Hackers continue to troll for low hanging fruit and unsuspecting employees who make innocent mistakes.

Employee Cyber Security Training is Job One

Although ransomware attacks reportedly declined from 638 million in 2016 to 184 million in 2017, according to Statista, this method has been used to target a tremendous number of small and mid-sized outfits.

The common attitude among cybercriminals is that decision-makers will ultimately weigh the cost of paying the ransom against potential profit losses and do the math. Hackers understand that poorly defended organizations are likely to negotiate and pay up. That’s why valued employees must remain vigilant and be a sort of human firewall if you will.

Proactive industry leaders are tasked with training employees and also determining which team members could be considered at risk. An IT support team can utilize training videos, create a cybersecurity policy and implement it by working with groups and individuals. But once the hands-on work has been completed, it’s imperative that companies conduct ongoing cybersecurity evaluations. These are logical methods to consider.

• Identify team members who could be best targeted by hackers.
• Deploy unscheduled mock cyber attacks.
• Create and release convincing but harmless mock ransomware links via email.
• Require employees to complete cybersecurity training modules.
• Require advanced training for those who are tripped up by mock cyber attack drills.

We may be living in a golden age of technology, but our everyday fallibility remains the threshold that cybercriminals use to break into our business systems and rob our valued customers and us of critical data. One of the primary ways to avoid joining the 60 percent who are out of business is to make team members aware of cyber dangers and provide them with the skills to combat cybercriminals.

Is someone out there pretending to represent your business to make money? Don’t laugh. It happens. Business identity theft is a growing concern for many companies across the US. According to a recent study by Dun & Bradstreet, business identity theft, also called commercial or corporate identity theft, was up 46 percent in 2017.

The CEO, Mary Ellen Seale, of The National Cybersecurity Society (NCSS) said, “Small business identity theft – stealing a business’s identity to commit fraud, is big business for identity thieves.” However, too few businesses, especially smaller businesses, are aware of the issue. In 2018, the NCSS published “Business Identity Theft in the US” to help publicize the problem, and to provide guidance on how companies can help protect themselves.

Which Types of Businesses Are Targeted by Business Identity Theft?

Corporate identity theft is not just a problem for large corporations or companies operating in a particular industry. It is a crime which can affect any-sized business from tiny Mom and Pop shops on Main St. USA to multinational companies who are involved in any commerce:

• Small companies are usually the initial victims of identity theft since these companies tend to have more lax security in place and are less likely to realize their information is at risk. However, that doesn’t mean that larger companies are immune from having a criminal steal their identity. Plenty of larger businesses have their identities stolen each year.
• Corporate identity thieves use the name and legitimate business information of customers of large vendors’ customers to trick them into fulfilling orders. Busy vendors who fail to put into place procedures to verify whether an order is genuine can end up losing millions of dollars a year to these scams.
• Criminals masquerading as a legitimate business deceive financial institutions to open credit card accounts, establish lines of credit, send or receive wire transfers, and secure loans.
• The list of victims of corporate identity theft even extends to the US government when criminals use stolen company credentials to claim tax refundable tax credits or to exploit other government benefits for corporations.

How Do Thieves Steal a Corporation’s Identity?

Criminals who steal the identities of businesses have a wide range of methods ranging from very simplistic to highly sophisticated. Many lower level identity thieves focus on email phishing scams which target employees of the company in an attempt to gain confidential information such as database passwords or HR records. Other simple scams use spoofed email accounts of company executives to trick vendors and clients of a company into believing they are communicating with someone from the company. Slightly more advanced scams can include setting up an unsecured WiFi network in near a company in hopes that employees will use it to conduct business and then stealing the data.

More sophisticated scams can include dozens of people, building fake websites, using shelf companies, social engineering and even renting office space at the same location as the targeted company. The goal of these higher level scams is typically to create a plausible “Proof of Right” which the thieves can then use to secure fraudulent loans, masquerade as the company in a business deal, or even sell company assets.

How Can You Protect Your Company From Identity Theft?

While there is no way to protect your company completely from identity theft, you can make it harder for cybercriminals by maintaining proper data protection procedures.

• Train your staff. Teach your staff how to recognize phishing scams and how to verify when an email is from a legitimate source. Establish procedures on how to handle data correctly, and have a data loss prevention plan in place including a ‘clean desk’ policy.
• Secure your network. Add additional security to your networks and ensure that everyone is using secured servers. Avoid using a ‘master account’ which allows access to your entire network to limit data breaches. Require two-factor authentication.
• Monitor your financial information. Check your company’s credit report regularly to ensure that there aren’t any unexpected changes such as credit applications or new accounts.
• Consider hiring a company to help prevent corporate identity theft. An outside security company is one of the best ways to protect your corporate identity from scammers.

No one wants to go through the stress of firing anyone, but sometimes you need to let one of your IT techs go. This can leave your company wide open for data breaches. Before starting the off-boarding process of an employee who has access to your entire computer network, having a proper procedure in place can help protect your data. Use these six tips to create a process you can use to safeguard your company’s private information when severing ties with a member of your IT team.

Tips to Terminate an IT Employee Without Risking Your Company’s Information Security

Eliminate the employee’s company network access. It is perhaps obvious fired employees should no longer have access to company computers, but a recent study found that surprisingly almost 9 out of 10 former employees’ credentials were still active for some time following termination. Your business can prevent potential issues by disabling, but not deleting a person’s business account and passwords before firing. You should pay particular attention to blocking any applications which allowed the employee to access your company data remotely.

Prevent access to third-party applications. Access to third-party software connected with your company can be more difficult to contain than access to in-house computer systems. If your former IT employee had access to third-party applications such as Dropbox, Outlook, Sharepoint, Trello, or Facebook, remove the person’s access immediately. This is where the importance of good record keeping is beneficial. Remember to leave your former employee’s email accounts and cell phone number open for a time, but forward emails and incoming calls to another member of your staff to maintain seamless communication.

Recover company-owned property. Before the former employee leaves your premise, take back the person’s company ID, access cards, keys, fobs, cell phones, laptop computers, and any manuals. Your HR department should always maintain a list of anything you give your employees to make it as easy as possible to verify the person returns everything.

Back up the former employee’s work computer. In the rare event that a former employee misuses your company’s data, it is essential for you to have a record of everything the person had access to while employed. Before reformatting the terminated employee’s computer or company cell phone, make a complete backup of the data and maintain the information for a few years just in case the worst-case scenario occurs.

Inform people that the person no longer works for your company. Make sure that all of your employees know that the person left the company and that their former coworker should not be in the office at any time. Ask your employees not to discuss company information with the person in the future. Contact any vendors which the former employee did business with and give them a heads up in case the person tries to contact your vendors for any reason.

Change access codes and locks for your most sensitive areas. If the terminated employee was able to access highly restricted areas in your company, replace locks and create new PINs and door codes. Look into the possibility of upgrading your security to use biometric or individual passcodes to make the process as easy as possible.

In a survey by Osterman Research, Inc., over 75 percent of former employees who retained credentials admitted to at least logging into company computers. Hopefully, your former employee is the rare exception, but the risk is far too significant to do nothing.