Small Business Takeaways from the Recent Colonial Pipeline Data Breach

by | May 24, 2021 | Cybersecurity

Colonial Pipeline silo through fence

You’ve probably seen a bit about the $5M ransomware attack that hit Colonial Pipeline Co., the largest pipeline system for refined oil products in the US. As a quick recap, the oil giant’s network was breached by hackers who encrypted their systems and demanded a hefty ransom in exchange for decryption codes. Colonial paid the price and slowly gained access to their systems, but not before the attackers made off with $5M in hard-to-trace cryptocurrency.

A big sum for a big network that a big company needs to maintain their safety and operations. They could have avoided it, but how? And why in the world would local small businesses care about the data security issues that a behemoth like Colonial Pipeline has to deal with? Read on because this is more about you than you might think.

Many times, it starts with small business

First, it’s important to note that while hacking enterprise companies probably has a larger payout, it can be much harder. Not to mention the fact that the hackers risk public identification since agencies like the FBI and CISA (Cybersecurity and Infrastructure Security Agency) get involved. It’s easier and lower risk to go after many small businesses with limited infrastructure resources than it is to target one giant with complicated operations.

Do you remember back to 2014 when Target made the national news with their data breach that leaked the sensitive information of millions of customers? That started with a small business. A local HVAC company that serviced multiple Target store locations was granted access to the company’s network in order to properly monitor the systems they worked on. The hackers found weakness in the HVAC company’s network, then found a back door into Target’s. It didn’t take long for the hackers to move from their initial small business objective to a much bigger goal.

But small businesses still aren’t listening. Keeper Security’s 2019 SMB Cyberthreat Study found that almost 7 out of every 10 senior decision-makers at small businesses believed they were unlikely to be targeted by criminals. Are you one of these 7 or one of the 3 who realize that something must be done?

Why we don’t hear about small business breaches

Simply put, the crises of small businesses aren’t as newsworthy as the sensational stories of large corporations losing millions of dollars. Small business breaches happen every day and it’s estimated that they happen in much larger numbers than reported. That’s because owners try to avoid:

  • Legal ramifications like fines, investigations, and increased compliance enforcement
  • Horrible PR that spreads negativity about the brand and company practices
  • A diminished bottom line due to customer attrition
  • The embarrassment of admitting that they didn’t protect themselves (and their customers) in the first place

But the worst and most devastating is that, according to the National Cyber Security Alliance, 60% of companies go out of business within six months after falling victim to a data breach. So you don’t hear about it, because they simply don’t exist anymore.

How to keep from becoming a data security statistic

Any modern small business knows that technology is one of the most essential ways to stay competitive and increase profit margin. In many industries, technology actually runs the business. Just like a car gets you from your house to the office, your technology gets your company and your customers from where they are to where they need to be. When it comes to something so necessary, why would you allow your technology to operate without the essential insurance measures that keep it running safely and securely (just like car insurance)? Here are some of the basic steps you can take right now:

Have a comprehensive BDR (Backup & Disaster Recovery) plan.

Use the 3-2-1 Rule which states that you need to keep three copies of your data in two unique locations, one being offsite. Installing cloud services is one of the most secure ways to ensure your backups have the most redundancy while always being accessible.

Require MFA (multi-factor authentication) which is also known as 2FA (two-factor authentication).

This requires a secondary confirmation that the user who is accessing a given system with their credentials is actually the user they say they are. Fortunately, most modern business applications (like Microsoft 365) are now enforcing this in their systems.

Enforce a secure password generation and management policy.

This is part of a general security policy that every employee should understand, agree to, and adopt. For passwords, there are a multitude of generating tools out there that create passwords no human can memorize (and therefore are harder to hack). Management tools like IT Glue, or LastPass make retrieving and applying those complicated passwords easy.

Impose an “unsafe web browsing” policy.

The internet is essential to almost every role’s productivity which means there needs to be some guidelines around which types of websites are safe to use with company machines and which are not. Many online opportunists create fake sites or landing pages that lure unsuspecting surfers into submitting important information. Make sure you educate your staff on the basics and that they comply.

Make sure your systems are regularly patched in a timely manner.

These are simply updates, fixes, and small repairs that are required at a regular cadence to make sure your systems are as secure as possible while running as smoothly as possible. Falling behind on patches leaves your systems with open back doors and small vulnerabilities that system hackers commonly use to gain access.

Implement proactive monitoring.

What would you give to be able to take evasive action by knowing that your car is going to be hit before it actually happens? That’s what proactive monitoring does. Many hacking activities have recognizable signatures that can be monitored for and—if seen—can be reacted to immediately. Oftentimes these processes are automated so there is around the clock supervision combined with instant reaction.

Build a realistic cybersecurity response plan.

Alongside a comprehensive cybersecurity plan (which includes essential items like the above mentioned BDR plan and password policy to name a few), a response plan is necessary so your company has the quickest and clearest path to resolution possible. The plan should be written and disseminated in your company, clearly defining each role, process, and responsibility.

Don’t overlook professional help

Managed Services Providers (MSPs) are swiftly becoming the most essential partners for many small businesses because there’s not only a lot to architect and manage, there’s also a lot at stake. The tips above only highlight the bigger components of a Cybersecurity and Network Systems Plan. There are more, and each component has its own complexities and redundancies to consider. Engaging with a company like HDCav that does this for a living and has years of experience with a multitude of industries is the fastest and most effective way to make sure that every area is covered.

We make it easy to get the most advanced network security and constant monitoring—for companies who have no technology support or for those who have their own IT professional in-house. It’s worth taking a look at your options by contacting us to find out which services line up with your company’s current risks and goals. Good luck!