How bad is it? Will Cybersecurity get worse?

I know there are many macro statistics, which we have discussed on this site:

Describing The Cyber Neighborhood

For example, Cisco determined that by 2020 there will be 50 Billion devices on the Internet, and we are well on our way to fulfilling that prediction. Bla bla bla…

Forgive me for a minute…

I don’t like to talk politics and say X did this and I don’t agree with Y (insert your politicians for X and Y). I just want to point out that talking politics, even sensibly with facts and such, does not change many minds.


I don’t know if you are a Trump supporter or not, but it is interesting to note that many of the Trump naysayers from the very beginning did not understand him (but were 100% certain they were right).

And then the election actually occurs on November 9th and he wins (again proving all the ‘experts’ wrong), and now the exact people who did not think Trump was going to win are incredulous about the election, and are not shy about telling you how to think about it.


Ok Back to your regularly scheduled programming…


Now I would like you to talk to someone about a subject on which they have preconceived notions and tell them they are essentially WRONG. How well will that argument go?

I.e., Cybersecurity will get worse next year, just like all the years before. So if you have done nothing or very little in the last year and are NOT interested in thinking about it at all, there is likely nothing I can say to change your mind.

I am not interested in changing your mind if you have no understanding of the problem and think you will not be affected next year, just like this year.


The biggest problem with Cybersecurity is that it is very complicated, has many pitfalls and potential issues, and on top of that it ultimately ‘depends’ on how much you are defending. But the defense could fail spectacularly, to the point of going out of business, if the circumstances are right. Of course the devil is in the details.

I can give you proof that this is happening: in this blog post at KnowBe4, Stu Sjouwerman discusses Paychex (the payroll services company), and the data came from the National Cyber Security Alliance (NCSA) infographic.

It is worthwhile to review the information from NCSA.

Small businesses have been targeted: according to NCSA, 70% of them.

Out of those 70% who have been targeted, some have experienced successful cyber attacks, and of those with successful cyber attacks, 60% go out of business within 6 months.

To me the numbers are staggering, but it makes complete sense.

IF you do absolutely nothing about Cybersecurity and suffer a catastrophic attack (like Ransomware, which is very prevalent these days), AND you did not have a tested, reviewed backup which actually restored your data, you might actually have to pay the criminals to get your data back.

In my last post (last week) I noted that IBM surveyed a number of business executives and found that 70% of the executives paid to resolve the hack.

Now let me ask you something…  If you paid once will you pay again?

What makes you think this will be easy next year? The criminals will hire young kids who code in their sleep to hack your systems to make more money (with the money you paid them).

So I have made a proof-positive case that small business people have to do something to solve this problem (Cybersecurity). But will it actually help?

Because proving that a backup actually works is complicated and costs a lot of money and time for all of the employees (as they have to check the data). But if you do not do it, and the ransomware tech support did not set up their software correctly, you may have lost your data forever. And if you do it, nothing visibly improves in your business, as this is not a “sales” decision.

So if x then y and then out of business.  What would happen tomorrow if you lost your data and would have to recreate it?

What would happen on the off chance that a tsunami blows down your house? Let’s forget about whether you are near an ocean or not. Imagine a bad calamity, since if I explain some Cyber cause most people would not understand it.

ULTIMATELY this is a BUSINESS DECISION. (not technical)

We have to spend time and effort to test a backup, just in case of a calamity. Yes, it could be a cybersecurity problem, but it also could be a physical problem.

I would like to see the number of SMB businesses that go out of business in 2017, at least due to a Cybersecurity attack, go to near zero.

We do have to talk to business leaders in their language – money. So let’s watch what we say, and watch what their peers and financial people say, such as:

ABA The ins and outs of Cybersecurity Insurance

So maybe businesses need more insurance, because the median claim payout is $144k and the average payout is $733k.

Median cost per breach expense: $110k, and average cost for breach response services: $366k.

I won’t list the legal costs, as those can always balloon.

Most interesting: hackers were the most frequent cause of data loss, followed by employee mistakes (32%).


So as a business decision you should get Cyber Insurance (and no, I don’t sell it).

But before you get it you have to do a risk assessment, and the risk assessment has to weigh the potential risks against real and maybe even unknown threats.

Look at this extortion threat to a bank:

So an insurance claim could be due to a client with intimate knowledge of your information and infrastructure who could cause serious harm to you and your reputation.

This is unfortunate but in the realm of reality these days.

I found the actual Security Survey post in NCSA:

  • A Majority of SMBs Believe Security Is Critical to Their Success and Brand: Seventy-three percent of SMBs say a safe and trusted Internet is critical to their success, and 77 percent say a strong cybersecurity and online safety posture is good for their company’s brand.
  • SMBs Unprepared to Handle Data Breach Losses: Nearly six out of 10 (59 percent) SMBs do not have a contingency plan outlining procedures for responding and reporting data breach losses.
  • Two-thirds of SMBs Aren’t Concerned About Cyber Threats: Sixty-six percent of SMBs are not concerned about cyber threats – either external or internal. External threats include a hacker or cyber-criminal stealing data while internal threats include an employee, ex-employee, or contractor/consultant stealing data.

This makes sense to me, as it is what I have experienced: essentially everyone believes Cyber Security is important, but they either do not understand the actual details of how to be safer or they are not concerned at all. Which is why, when a Cyber-tsunami (Ransomware on critical data without a backup) blows you over, in 6 months the small business is out of business.

As many people say…  BOOOM!!!


Let me help you develop a security policy and review your risk management, since the current risk management models are not working. Start your education so you understand the risks, as this is not an easy subject to break down.

What exactly are the costs in a successful data breach? And what would actually happen with your business after a successful breach?

“Risk Management Failed Us” is an article I wrote quite some time ago, but it is still apt.


Contact Us: Tony Zafiropoulos – tonyz “@”

2017 Security Improvement Plans

How do we usher in 2017 by improving our situation?

Of course, one way we could do that is to be in continuous improvement mode instead of thinking about this only once a year.

But YEAR END — NEW YEAR is a good time to make assessments and plans.

In making plans we have to keep in mind the biggest story of 2016: Ransomware payouts moving to $1 Billion per year, from an IBM study: 70% of businesses infected with Ransomware have paid to regain their business data.

A survey was done by IBM, and executives were willing to pay up to $50,000 to retrieve data. In fact, out of the 600 surveyed, half actually had Ransomware demands, and many paid even up to $40,000.

If the price is right, the victim pays (it depends on what was on the computer).

70% of executives who were a victim of Ransomware paid to resolve the hack.

50% of these would pay about $10,000 and 20% would pay $40,000.


So if we look at hacking as a business model (from the Ransomware hacker’s point of view), let’s say 1000 business computers are “ransomed”, extrapolating from the above IBM survey:

Then 350 would pay $10,000 and 200 would pay $40,000,

which means $3.5mil and $8mil just for those 550, where the other 150 are likely in the $400 range, which is equal to $60,000.


So now we are talking millions of dollars (at least 11mil for 550 infected). Of course one may have to infect 1100 to get this rate, but attacking thousands of computers is not hard once the infrastructure is in place.

You can see that the criminals are going to ramp up attacks, as this is very lucrative.

This is my July 30 post about a scrap processor which got malware and was then swindled out of money.

And this image is from Jul 2015; it reviews the potential cost of Ransomware and other costs to recover from a Ransomware attack.


2017 will be much worse (as 2016 was worse than 2015). So we have to prepare.

Everyone is preparing for next year, including the hacker criminals, so better prepare yourself.

Contact Us to help you prepare your anti-hacker plans for the new year.

Is it a Trick if Pushed to do Right Thing?

How do we convince people that don’t know enough to make an educated decision? If we trick them into making the right decision, is that ok?

Cybersecurity is not obvious to the regular person (or the minimally IT-educated CxO).

What do the three pictures above have in common? Anonymous, a local hacker, and a criminal hacker from Eastern Europe.

All 3 are hackers that for one reason or another are attacking your systems. And due to the wonders of the Internet, not only are you subjected to attacks by US hackers, but also by hackers from China, Eastern Europe (Russia, Ukraine and more) and many other countries where there is lax or corruptible law enforcement.

So maybe you thought that the hackers in the top 2 pictures (local and cause-based hackers) do not have the level of sophistication which the bottom one does.

Now we are connected to all hackers in the world, including the ones that have made a significant living making attacks ever more sophisticated.

Think about this for a second: the hackers are also drawing up plans for next year, and the criminal organizations are looking to recruit new hackers and create more attacks, since they want to “make” more money than this year, 2016.

So, let’s assume you agree that it is important to do more in Cybersecurity next year than this year.

How do we do this? We have to try something new: a new method which sort of tricks the decision maker or the user into making more secure decisions.

Well, we have to review the Psychology of Security first: last week’s post says the security decision maker wants to take the risk of not doing anything (in the hope that nothing happens). Most of us are willing to risk the potential bad day from a hacker; I mean, what is the worst that could happen?



We can go down the list of companies that have used this bad decision making in the past, like:

  1. Sony
  2. Home Depot
  3. Michaels
  4. Target
  5. Wendy’s
  6. Government OPM office
  7. Healthcare records (Georgia Blue Cross Blue Shield)

#7 is a story about a hacker who stole 400,000 health records and will potentially make $682k in ransom money.


If your budget and plans are to keep everything the same, then you are inviting a disaster that will turn your hope that “nothing will happen” into a bad feeling in your stomach when you first hear the bad news.

So how do we do it?

How can we argue against the grain of ‘I’m not worried’?

Do we make the bad potential seem worse? It seems to me that does not work; it is just more screaming in the wind.


We have to increase things incrementally: explain 1 item at a time.

Let’s patch the systems on time first (if you are not doing this already).

Here is where we have to use compliance with different standards (depending on your industry) to make your security better in 2017.


What if there is no “have to have” compliance standard?

Then you can always pull out the old ISO 27001.


Mr. Decision Maker… We should be ISO 27001 compliant, or at least start to move toward it, so that we can have a competitive advantage versus our competitors.


Contact me if you need help with this strategy.




Cloud Compliance & Cybersecurity

Cloud Compliance? Do we even need it? Our data is in the cloud … therefore it is safe right?

What does it mean to have compliance on a cloud computer? A cloud computer is a computer managed by “someone else”. Compliance with the various standards is all about your data. So we do have to ask some detailed questions to make sure there are compliant methods at the cloud provider.


[image: your devices connecting to the Cloud / remote servers that house your data]

In past posts I made it clear that backups are needed to make sure you are safe from Cyber attacks. In case of a successful encryption attack (Ransomware, including the recent San Francisco train system attack) you must have a working backup. By ‘working’ I mean tested in the last 3-6 months. Yes, this is a pain and difficult, but as in most Cybersecurity issues the details are important.

As you can see in the image above your devices connect to the Cloud (or Remote Servers) which house your data.

Each cloud setup is different with applications and usage that drive the type of cloud service.


So the data you work on is on the remote server (cloud). How can we make sure we are compliant for this environment (as we do not control it)?

Answering the following is an important step:

  1. Who has access to the data? Employees of the cloud company only? Is the data secure? Details…
  2. How is the data backed up? How long is it kept, etc.
  3. How does the data get to the Cloud/remote server? Encrypted or some other way?

Documentation of the answers to the above 3 questions, and of the details, is important. Are there any contractors that will have access to the data? The SLA (Service Level Agreement) is important to review.


The item that must be done next (after the documentation is done and you know what data is stored where) is to test the environment for recovery.

This is an important step not to be missed. How do you know if the backup and recovery works? You will not know until you try it. And it is too late when an actual emergency is facing you. At that point it is pray and hope everything works as it should.
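A restore test of the kind the post calls for (back up, restore somewhere else, prove the restored files match, and check that the last successful test is within the 3-6 month window) can be scripted so it is repeatable rather than a once-a-year heroic effort. The following is an added example, not code from the post or its author: it uses a constructed sample directory, treats 180 days as the assumed upper bound of the post’s “3-6 months”, and refuses archive members that would extract outside the restore directory.

```python
"""Added example (not from the post): prove a backup restores correctly, and
check that the last successful restore test is recent enough."""
import hashlib
import tarfile
import tempfile
from datetime import date
from pathlib import Path

# Policy window, assumed from the post's "tested in the last 3-6 months".
MAX_DAYS_SINCE_TEST = 180


def sha256_tree(root):
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def make_backup(source, archive):
    """Create a compressed tar backup of the source directory."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=".")
    return archive


def restore_backup(archive, target):
    """Restore the archive into target, refusing members that would land
    outside it (an archive with '../' paths must not overwrite other files)."""
    target = target.resolve()
    target.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            destination = (target / member.name).resolve()
            if destination != target and target not in destination.parents:
                raise ValueError("refusing to extract %r outside the restore directory" % member.name)
        tar.extractall(target)
    return target


def verify_restore(source, restored):
    """Compare the restored tree against the live data; returns (ok, problems)."""
    expected = sha256_tree(source)
    actual = sha256_tree(restored)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append("missing: " + rel)
        elif actual[rel] != digest:
            problems.append("corrupt: " + rel)
    for rel in sorted(set(actual) - set(expected)):
        problems.append("unexpected: " + rel)
    return (not problems, problems)


def restore_test_is_current(last_success_iso, today_iso, max_days=MAX_DAYS_SINCE_TEST):
    """True if the last successful restore test falls within the policy window."""
    last = date.fromisoformat(last_success_iso)
    today = date.fromisoformat(today_iso)
    return 0 <= (today - last).days <= max_days


def run_restore_test(source, workdir):
    """Backup -> restore -> verify; the returned record is what goes in the test log."""
    workdir.mkdir(parents=True, exist_ok=True)
    archive = make_backup(source, workdir / "backup.tar.gz")
    restored = restore_backup(archive, workdir / "restore")
    ok, problems = verify_restore(source, restored)
    return {"ok": ok, "problems": problems, "files": len(sha256_tree(source))}


def demo():
    """Run the test on a constructed sample directory, then simulate a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "data"
        (source / "payroll").mkdir(parents=True)
        # Constructed sample files, not real business data.
        (source / "payroll" / "2016-q4.csv").write_text("id,name,net\n1,Sample Employee,1234.56\n")
        (source / "notes.txt").write_text("constructed sample file\n")

        result = run_restore_test(source, tmp / "work")

        # A restore that silently lost a file must be reported, not assumed fine.
        (tmp / "work" / "restore" / "notes.txt").unlink()
        ok_after_loss, problems = verify_restore(source, tmp / "work" / "restore")
        result["detects_missing_file"] = (not ok_after_loss) and problems == ["missing: notes.txt"]
        return result


if __name__ == "__main__":
    print(demo())
    print("last test current:", restore_test_is_current("2016-09-01", "2016-12-31"))
```

The point of hashing every file rather than eyeballing a directory listing is that a restore which “looks right” but has a truncated or stale file is exactly the failure you only discover during a real emergency; the date check turns the 3-6 month rule into something a scheduled job can flag.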


Admittedly this testing step is difficult, especially in complex environments.

Let’s assume that you look at these challenges and consider that the costs may be too high to make testing the backup viable. You may be tempted by our Psychology of Security and decide that you would rather risk the potential of failure in the cloud (Cybersecurity or otherwise) instead of paying the cost to test and ensure recovery from a failure.


This is not wise, but we are human after all, and you would be in the majority (as in the blog post: 70% take higher risks when loss is an option).


We at do not recommend this argument, as it is better to ensure your survival rather than risk it.

As in the USA Today link about the San Francisco Train System ransomware attack (whether the train system is on the cloud or not), it is undeniable that in the future more companies will depend on the “cloud” and will have serious problems if there are Cybersecurity or functional problems with the infrastructure. So it behooves you to get your backup-recovery tested, however complicated.


Contact us to discuss





How Much Time Before Notifying a Breach?

I hope that there is something in place to detect when a breach occurs, but assuming there was a breach and you found out: when should you notify?

So let’s assume you are in the Health Industry and protect PHI (Personal health information (PHI), also referred to as protected health information, generally refers to demographic information, medical history, test and laboratory results, insurance information and other data that a healthcare professional collects to identify an individual and determine appropriate care; definition from Google). Then when should the breach be notified to the various people in your database?

An old post at says right away the breach must be investigated immediately.  BUT one does not automatically know that a breach occurred,  so we have to develop a process to uncover breaches.


  1. Breach was found or suspected
  2. Risk analysis of the breach: if it occurred, what happened?
  3. Determine the level of risk
    1. if low: document, fix and move on
    2. otherwise (including high): prepare to notify the owners of the breached PHI data.

When a breach notification must occur, it should include:

  • Brief description of the breach, including dates.
  • Description of types of unsecured PHI involved.
  • Steps the individual should take to protect against potential harm.
  • Brief description of steps you have taken to investigate the incident, mitigate harm, and protect against further breaches.
  • Your contact information.



There are many types of breaches. In the Health field, if a person sees data that they should not have, this is a HIPAA breach. But this type of breach may be handled internally, and if the employee or contractor was rebuked and reminded that this data is not for worldly consumption, this is a Low risk.

In another case, if the breach is a lost laptop that had patient data, then this is a notification event. Every case is different.

There are many potential scenarios, and I cannot list all the types of breaches in health care and other industries. Data with Social Security numbers and addresses is important. Knowing when to notify in your incident response plan is also important. You don’t want to be developing these plans when there is a problem. Unfortunately every company that uses credit card information needs to plan for this Incident Response (IR) eventuality.
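The triage process above (found or suspected, analyse, assign a risk level, then either document-and-fix or prepare a notification with the five required elements) is easier to apply consistently when it is written down as rules. The following is an added example, not code from the post or its author: the two constructed cases mirror the employee-view and lost-laptop scenarios just described, and it goes one step beyond the post by also handling a lost device whose data was encrypted. The risk thresholds, the advice text for individuals and the contact address are assumptions for illustration; an organization’s own policy sets the real ones.

```python
"""Added example (not from the post): triage a found/suspected breach into a
risk level, decide whether notification is required, and assemble the five
notification elements. Rules and thresholds are illustrative assumptions."""
from dataclasses import dataclass


@dataclass
class BreachFinding:
    description: str          # brief description of what happened
    dates: str                # when it happened / was discovered
    data_types: tuple         # subset of ("PHI", "PCI", "SSN", "PII")
    records_affected: int
    left_organization: bool   # data left your control (lost device, exfiltration)
    encrypted: bool           # data unreadable to whoever holds it (key not lost)
    internal_viewer: bool     # seen by an employee/contractor who should not have


# Assumed threshold for illustration: larger unencrypted losses rate "high".
HIGH_RISK_RECORDS = 500

# Advice to affected individuals by data type (assumed wording, defender guidance).
INDIVIDUAL_STEPS = {
    "PHI": "Review insurer statements and explanations of benefits for care you did not receive.",
    "PCI": "Monitor card statements and ask the issuer to reissue the card.",
    "SSN": "Place a fraud alert or credit freeze and review your credit reports.",
    "PII": "Be alert for phishing that uses the exposed details.",
}


def assess_risk(finding):
    """Steps 2-3 of the process: analyse what happened and assign low/medium/high."""
    if finding.left_organization and not finding.encrypted:
        return "high" if finding.records_affected >= HIGH_RISK_RECORDS else "medium"
    if finding.left_organization and finding.encrypted:
        return "low"       # unreadable to the holder; keep the encryption evidence on file
    if finding.internal_viewer:
        return "low"       # handled internally: rebuke, remind, document
    return "medium"        # exposure unclear: treat as notifiable until shown otherwise


def build_notification(finding, our_steps, contact):
    """The five elements a notification must carry."""
    return {
        "description": "%s (dates: %s)" % (finding.description, finding.dates),
        "data_types": list(finding.data_types),
        "individual_steps": [INDIVIDUAL_STEPS[t] for t in finding.data_types if t in INDIVIDUAL_STEPS],
        "our_steps": list(our_steps),
        "contact": contact,
    }


def triage(finding, our_steps=(), contact="privacy@example.com (placeholder)"):
    """Step 3 decision: low -> document and move on; otherwise prepare to notify."""
    risk = assess_risk(finding)
    if risk == "low":
        return {"risk": risk, "notify": False, "action": "document, fix and move on"}
    return {
        "risk": risk,
        "notify": True,
        "action": "prepare notification to the affected data owners",
        "notification": build_notification(finding, our_steps, contact),
    }


# Constructed cases (not real incidents) mirroring the post's two scenarios.
EMPLOYEE_VIEW = BreachFinding(
    description="Staff member opened patient charts outside their job role",
    dates="2016-12-05", data_types=("PHI",), records_affected=3,
    left_organization=False, encrypted=False, internal_viewer=True)

LOST_LAPTOP = BreachFinding(
    description="Unencrypted clinic laptop with patient records lost in transit",
    dates="2016-12-10 (lost), 2016-12-12 (reported)", data_types=("PHI", "SSN"),
    records_affected=1200, left_organization=True, encrypted=False, internal_viewer=False)

# One step beyond the post: the same loss, but the disk was encrypted.
ENCRYPTED_LAPTOP = BreachFinding(
    description="Full-disk-encrypted clinic laptop lost in transit",
    dates="2016-12-10", data_types=("PHI",), records_affected=1200,
    left_organization=True, encrypted=True, internal_viewer=False)


if __name__ == "__main__":
    print(triage(EMPLOYEE_VIEW))
    print(triage(LOST_LAPTOP, our_steps=["Remote wipe issued", "Device encryption now enforced"]))
    print(triage(ENCRYPTED_LAPTOP))
```

Keeping the decision in one function means the “document and move on” outcome is recorded with the same rigor as a notification, which is what an auditor or a lawyer will ask for after the fact.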

  • HIPAA breaches
  • PCI breaches
  • Social Security numbers and other information
  • Privacy data of your customers
  • other data (employee hiring records)
  • other payroll data
  • Data that somebody can use to sue you


We cannot predict how this regulatory environment will change in the future, but it is safe to say that even if regulation is reduced, an enterprising lawyer will take you to court if nothing was done.



So it is better to get started on an Incident response plan.

Contact us today.