If you’ve ever had a tooth filled you may have trouble feeling sympathy for dentists. However, at the end of the day, they are small businesses, and they’re under attack.
Last week we noted an increase in cyber-attacks in the health care sector that made the news. That was big, headline-grabbing stuff at large, faceless organizations, but when you consider how many of the services we use are delivered by small businesses, the problem becomes more…shall we say…acute (sorry for the pun). For example, one clinic was forced to shut its doors entirely as a result of an attack. Well, now they have come for the dentists.
A Toronto dental clinic was recently the victim of a ransomware attack that encrypted files on 19 out of the clinic's 22 computers. The hackers demanded a $165,000 ransom from the dentist after infecting the clinic’s computers with a form of ransomware called Ryuk.
These attacks on small businesses, particularly health care clinics, are becoming so common that the FBI Internet Crime Complaint Center issued a warning to small businesses.
What is most interesting about this latest attack was the candid response from the dental clinic owner. In an interview with CBC, he stated that while $165,000 was too much for him to afford, he would have been willing to pay $20,000 to recover his files.
Putting aside the $165,000 ransom demand, let’s do a little research and unpack the impact of what this dental clinic was actually willing to pay. For the average dental clinic, $20,000 represents:
- about half of a dental assistant’s salary;
- about half of a receptionist’s salary;
- about one third of a dental hygienist’s salary;
- about half a year’s rent for the average dental clinic.
For small businesses, unexpected costs have to come from somewhere, and unless they have some rainy day money lying around, those costs will impact operations. There aren’t a lot of other areas where a dentist can cut costs. This means that cyber-attacks can have a direct impact on the service a dentist is able to offer. It could also mean a cut to the dentist’s take home pay, no raises for their staff, or axing the holiday bonus.
Waiting a little longer for a root canal or a tooth polishing might not seem like much, but across the broader health care sector these attacks can cause big problems for the health of everyday people, and the increased costs hurt employees.
Bad news: the problem is growing. CIRA’s 2019 Cybersecurity Survey found that 71 per cent of organizations reported experiencing at least one impactful cyber-attack last year. On the ransomware side, six per cent reported paying a ransom. That number may seem small, but if you consider that there are more than one million employer businesses in Canada employing millions of Canadians, the problem becomes a lot bigger.
In our survey, we saw that many businesses are responding with increased investment in cybersecurity, increased hiring of security professionals or outsourcing to service firms. However, for a small business these costs are not factors of production. Unlike hiring a new hygienist, investing in cybersecurity does nothing to increase their revenues. This means that the ultimate victim is both the small business and the consumer.
So what can we do? Turning back to the FBI news release, it recommends that small businesses deploy a “robust system” of big-business type security including:
- regular backups;
- cybersecurity awareness training;
- a formal patching process;
- endpoint protection;
- disabling all macro scripts;
- application whitelisting;
- physical and logical separation of networks and data;
- maintaining robust firewall and website filtering.
This is complicated stuff for most small businesses, considering that 43 per cent of businesses don’t employ dedicated cybersecurity professionals (because they can’t afford it). For those that don’t have the resources and also can't outsource their cybersecurity needs to an external vendor, the options become even more limited and the real risk very serious. For context, managed service providers (MSPs) have typically charged $75-$100 per year for very basic users, and layering on new security increases this cost for both licences and, more importantly, service commitments. These are things that many customers can't grasp in the fight to get the lowest possible cost for IT services, but they need to.
This is the reality that many small businesses, including small health clinics, are facing. Cybersecurity is no longer an option or something to be ignored.