Many business leaders don’t have a strong technical background. Helping them understand their role in managing cybersecurity is my personal mission. Cybersecurity as a business problem seems like a straightforward concept, but sometimes a tangible example can help.
My cousin, a prototypical American small business owner, recently presented a great example. He is a very savvy businessman with decades of experience running a successful small business. He reached the point in his career where he is ready to trade his labor-intensive business for something less physically demanding. One option he’s considering is purchasing a network of about one hundred ATM machines.
In helping him through the early stages of due diligence, I shared with him an article about the FBI’s warning of an impending, coordinated attack on ATMs¹ similar to the one that happened in India². His response was to assume some form of cyber insurance would protect the banks and processors, ultimately replacing any stolen cash from the ATMs. This is a typical response from small business owners when confronted with a cyber threat. This pervasive misconception is a result of banks routinely indemnifying consumers against fraudulent charges on their credit cards. It has created the assumption that when it comes to cybercrime, the bank will take care of it.
The assumption that banks and payment processors are fully insured for this kind of loss is a huge leap of faith. Even if they have cyber insurance, the policy limits may not be high enough, or coverage may be denied³. As a business owner, you really have to dig into contracts to understand how, and if, you are protected. If the merchant bank and ATM processor will not indemnify the ATM operator from such harm, which is unlikely, what would you do: stop operating, or just take the risk of a massive cash loss? This risk-based decision starts to illustrate how cybersecurity is a business problem, not just an IT problem.
Follow this example a little further, and you quickly see that cybersecurity issues can cause many business problems that technology cannot solve. An ATM attack like the FBI warned about will bleed out most, if not all, of the cash from the machines. It will take three to six months for investigations and insurance adjusters to sort things out. During that time an ATM operator will need a lawyer to push the bank, processor, and insurance company to get things accomplished in a timely manner. This is one example of a hidden expense that won’t be reimbursed. In the meantime, who is going to put yet more cash at risk in the machines without knowing if an attack is going to occur again, possibly the very next weekend? Raising extra cash in the midst of an ongoing crisis will be nearly impossible. And without fully loaded machines, transaction revenue will decline. On top of that, consumers will learn about the attack and start to avoid ATMs for some period of time, which will reduce revenue even for machines that were not part of the attack.
The core business problem is that cyber attacks create a perfect cash-flow storm of rising expenses and falling revenue. You might be under the impression that cyber attacks are relatively painless, because publicly traded companies like Target and Equifax have survived them. But these companies have deep cash resources, and they can weather reporting a few quarters of multi-million dollar losses. In contrast, a small company facing a cash-flow storm triggered by a cyber attack is likely to fold. The only upside is that such an event might create an opportunity for one ATM operator to grab market share from peers that are unprepared and go out of business. However, even that takes planning and extra capital to execute.
The question still remains: should my cousin buy an ATM network? Yes, I still think it’s a good endeavor to pursue. But, he has to go in with eyes wide open and utilize tools like a Threat Sketch Risk Assessment to help him remain aware of the risk landscape and emerging threats. If he can manage the risks, an ATM network could be great for his situation. If he does not manage the modern risk landscape, he could lose everything in the aftermath of a cyber attack.
About the Author: Rob Arnold founded Threat Sketch to develop decision-making tools aimed at the leaders of small for-profit and nonprofit organizations. He wrote a book on the subject, Cybersecurity: A Business Solution, testified before Congress, and represented small businesses in discussions with the Department of Homeland Security at the highest level. He serves locally and nationally on a number of boards and councils where he advocates for the unique needs of small businesses.
¹ https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blitz
² https://www.reuters.com/article/cyber-heist-india/indias-cosmos-bank-loses-135-mln-in-cyber-attack-idUSL4N1V551G
³ https://www.businessinsurance.com/article/20180418/NEWS06/912320682/Spoofing-losses-not-covered-under-Travelers-computer-fraud-policy