Chris Keller has a message for small businesses when it comes to cyberthreats: If you think you are too small to be targeted, that your business has little of value to hackers, think again. “Cyberthreats are not a matter of if,” he said. “They are a matter of when.”
Keller is co-founder of Prospect-based Advanced Global Communications (AGC), which provides a range of IT and communication solutions, including security and investigations.
“Enterprise companies have hundreds of folks working on this,” Keller said of cybersecurity, “but small and medium-size businesses are just seeing the attacks on these big companies. They don’t realize that there are ‘bots’ out there looking for IP addresses. These bots don’t care what is on the other end.”
While data breaches at large corporations affecting millions of clients get the headlines, reports from an array of organizations indicate small targets are at least as likely to be hit. Nearly half the data breaches Verizon recorded in 2012 took place in companies with fewer than 1,000 employees, according to CNN. A report by Symantec, the cybersecurity software and services provider, shows 31 percent of all attacks in 2012 happened to businesses with fewer than 250 employees.
Global ransomware damages were estimated to exceed $5 billion in 2017, up by 15 times from $325 million just two years earlier, according to CSOonline.com, a provider of IT news and research on security and risk. Cybersecurity Ventures expects ransomware damages alone will rise to $11.5 billion in 2019, when CSO reports a business will fall victim to a ransomware attack every 14 seconds.
“As more small businesses utilize online solutions to serve customers, manage business operations and market themselves, their risk exposure has grown,” said Cecelia Taylor, spokesperson for the Small Business Administration. “Websites, financial transactions, critical databases, client records and brand reputation can be among the biggest vulnerabilities.”
More online activity means more targets.
“Small businesses must be aware of breaches/risks associated with their large company partners and suppliers,” Taylor said. “Their banking relationship, customer relationship management, web-hosting services, etc. – often supported by large firms – add another layer of vulnerability.”
The SBA said a security breach can hurt a small business in numerous ways, from brand embarrassment if an intruder posts to your website or social-media accounts, to costlier matters if a hacker gains access to bank accounts, personal data, or supplier and customer records. Restoring files, checking records and securing systems can cost a small-business owner, on average, $20,000 in the short term, Taylor said.
Back in Prospect, Keller spreads his messages about small businesses and cybersecurity with an evangelical zeal. Organizations, particularly smaller ones, must evolve to respond to the eventuality of cyber incidents that are being unleashed at unprecedented rates.
Awareness is the first step to being vigilant, according to Keller.
“Everyone from the executive staff down should be looking at cyberattacks as a threat to their business and their livelihood,” he said. “Anyone in the office can open the wrong attachment and put the company in jeopardy. Everyone has to be engaged.”
Larger companies separate the CEO job from that of the chief information security officer, the thinking being that there are too many issues today for one person to handle both tasks.
Small businesses, however, rarely have the luxury of even one person totally dedicated to cybersecurity, said Keller, who advises that consideration of cyberawareness should start with the hiring process.
“Whenever possible, hire folks with an aptitude for technology. Even the biggest companies don’t have enough people with the perfect skill set,” he said. “Look for people who can learn and aren’t afraid of technology.”
Ongoing training is also a must.
“You can’t afford to let everyone go who doesn’t have this knowledge,” he said. “This is no different than preparing for the eventual major storm or preparing for a rainy day. Everyone needs to understand the threat and how to mitigate it; otherwise, you are locking the front door and leaving the windows open.”
It begins with common sense and best practices, Keller advises.
“Make your firewall stronger and higher,” he said. “You don’t want to be an easy target.”
Follow best practices methodically.
“If you don’t have a relationship with a person, do not open an email attachment” from them, Keller said. “I get six to eight emails a week that I don’t know the origin; I don’t open them.”
And look for certification when hiring outside firms to help. Numerous bodies have developed certifications.
“The SANS Institute provides certifications for a lot of industry security; UCI for the credit-card industry,” he said. “Financial groups have their own regulatory groups, as do the medical groups.
“The federal government mandates security for many industries but not for all. Reach out to your professional associations and see if they have tackled this issue,” Keller said. “Search out what is best, and then find a third party such as (New York-based) Global Security Associates that best matches your firm and your goals.”
Outside help is critical for several reasons, according to Keller, whose company provides security among other computer-related services.
“An outside firm can monitor all your traffic and determine the risk,” he said. “If you try to do it internally, there is a tendency to not want to find problems. Employees can be careful not to expose faults.”
In addition to hiring an outside expert to assess risk and shore up your cyberdefenses, Keller recommends five security tips applicable to enterprises of all sizes and budgets.
• Back up your data. Back up all of your data, from servers to workstations, both locally and to the cloud. If ransomware or malware hits, you will be prepared.
• ‘Walls inside of walls.’ Establishing virtual walls inside of walls can protect servers, LANs and virtual servers. Segregate critical data so that hackers who have broken into one part of your network cannot simply move on to another.
• Get a cyber ‘X-ray.’ A lack of symptoms doesn’t mean an X-ray won’t reveal a health concern. Networks are no different. Advanced Global Communications and others use technology to examine traffic across all ports in the critical space between the internet and your local network.
• Cameras, TVs can be attacked. Anything that carries an internet address should be secured, Keller said. Hackers can exploit surveillance cameras, boardroom TVs and other devices to spy on or attack your network. In late 2016, this method created a major denial-of-service (DoS) attack that affected millions of people.
• ‘Human engineering’ (social engineering) hacks. If a help-desk impersonator is given your password, that person has the “keys to your kingdom.” Many exploits occur inside an organization, and AGC believes this threat is the hardest to protect against. A perpetrator can physically sneak into a network closet, exploit a vulnerability and potentially own your network. When planning cyberdefenses, keep “human hacks” in mind. Conduct physical penetration tests to determine vulnerabilities. Include human attacks in your training and testing.
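The “walls inside of walls” and “cyber X-ray” tips above amount to one control: define which network segments may talk to which, enforce that on the internal firewall, and watch the traffic for anything that crosses a wall it should not. The following Python script is an added example, not code from AGC or from this article; the segment addresses, the allow-list and the log lines are all constructed for illustration, and the log format (`src= dst= proto= dport=`) is a hypothetical one rather than any particular firewall’s. It classifies each flow by source and destination segment and flags every cross-segment flow that is not on the allow-list, which is exactly the kind of finding a camera reaching a file server, or guest Wi-Fi reaching the payment hosts, should produce.

```python
import ipaddress

# Hypothetical segment layout (constructed for this example; real addressing differs).
SEGMENTS = {
    "guest_wifi":   ipaddress.ip_network("192.168.50.0/24"),
    "workstations": ipaddress.ip_network("192.168.10.0/24"),
    "iot_devices":  ipaddress.ip_network("192.168.60.0/24"),  # cameras, boardroom TVs
    "servers":      ipaddress.ip_network("10.0.20.0/24"),
    "payments":     ipaddress.ip_network("10.0.30.0/24"),     # card-processing hosts
}

# The "walls": only these (source segment, destination segment, TCP/UDP port)
# triples may cross a segment boundary. Anything else is a finding.
ALLOWED_FLOWS = {
    ("workstations", "servers", 443),
    ("workstations", "servers", 445),
    ("workstations", "payments", 443),
    ("servers", "internet", 443),
}


def segment_of(ip: str) -> str:
    """Map an address to its segment name; anything outside our ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "internet"


def parse_flow(line: str):
    """Parse one constructed log line: '<timestamp> src=<ip> dst=<ip> proto=<p> dport=<n>'."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return fields["src"], fields["dst"], fields["proto"], int(fields["dport"])


def crosses_wall(line: str):
    """Return (src_segment, dst_segment, port) if the flow breaches a wall, else None."""
    src, dst, _proto, dport = parse_flow(line)
    s, d = segment_of(src), segment_of(dst)
    if s == d or (s, d, dport) in ALLOWED_FLOWS:
        return None
    return (s, d, dport)


def audit(lines):
    """Run every log line through the policy and collect the violations."""
    findings = []
    for line in lines:
        violation = crosses_wall(line)
        if violation is not None:
            findings.append((line, violation))
    return findings


# Constructed sample traffic: two allowed flows, one intra-segment flow, three breaches.
SAMPLE_LOG = [
    "2018-03-01T10:15:02 src=192.168.10.5 dst=10.0.20.7 proto=tcp dport=445",     # allowed
    "2018-03-01T10:15:09 src=192.168.60.21 dst=10.0.20.7 proto=tcp dport=445",    # camera -> file server
    "2018-03-01T10:16:30 src=192.168.50.44 dst=10.0.30.3 proto=tcp dport=443",    # guest -> payments
    "2018-03-01T10:17:01 src=192.168.10.5 dst=10.0.30.3 proto=tcp dport=443",     # allowed
    "2018-03-01T10:18:45 src=203.0.113.9 dst=192.168.60.21 proto=tcp dport=23",   # internet -> camera telnet
    "2018-03-01T10:19:12 src=10.0.20.7 dst=10.0.20.8 proto=tcp dport=3306",       # same segment
    "2018-03-01T10:20:00 src=10.0.20.7 dst=198.51.100.20 proto=tcp dport=443",    # allowed
]

if __name__ == "__main__":
    for line, (s, d, port) in audit(SAMPLE_LOG):
        print(f"WALL CROSSED {s} -> {d}:{port}  {line}")
```

The allow-list is deliberately short: a small business normally needs only a handful of cross-segment paths, and every entry you add is a hole in a wall, so each one should be justified and reviewed when processes change. The same policy table can drive the firewall rules themselves, so that the monitor and the enforcement never disagree about what “allowed” means.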
The SBA also has some suggestions:
• Make sure your desktop and mobile application software stays up to date.
• Realize cybersecurity is now a standard business planning and operations issue – something to address through planning, education, staffing and ongoing maintenance. Inventory the data management and client records used in your business. Review processes for financial management, from sales to banking and inventory control. Assess which systems are used for each critical step of your business and which hold valuable information.
• Discuss cybersecurity with employees so they are aware, receive standard training and, as needed, attain industry certifications on IT security. Discuss cybersecurity with your vendors/suppliers and your banking institutions.
• Confirm that any major systems or suppliers you rely on have security protections in place or readily available.
• Examine vulnerabilities immediately and revisit when you change business processes, online systems or staffing plans, and especially when your organization or a key business partner experiences a breach.
• Review online training materials that provide an overview of vulnerabilities. They help small businesses understand risks and consider which aspects of operations need immediate attention.
• Review whether you have unneeded services integrated with primary databases or systems. They can open vulnerabilities.
• Sit down with your information technology staff or vendors to assess their understanding and planning.
• Make sure that all staff understand vulnerabilities and the immediate practices needing attention (strong passwords, handling of records/data, checking encryption standards).
Verizon’s 2017 Data Breach Investigations Report gives a fuller picture of cybercrimes.
Top 10 Cybersecurity Tips
The Small Business Administration provides these tips to protect your small business:
1. Protect against viruses, spyware and other malicious code. Make sure each of your business’s computers is equipped with antivirus and antispyware software and that it is updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
2. Secure your networks. Safeguard your internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Password protect access to the router.
3. Establish security practices and policies to protect sensitive information. Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies.
4. Educate employees about cyberthreats and hold them accountable. Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might inadvertently expose sensitive details about your firm’s internal business to competitors. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Hold employees accountable to the business’s internet security policies and procedures.
5. Require employees to use strong passwords and to change them often. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account.
6. Employ best practices on payment cards. Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the internet.
7. Make backup copies of important business data and information. Regularly back up the data on all computers. Critical data includes word-processing documents, electronic spreadsheets, databases, financial files, human-resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
8. Control physical access to computers and network components. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Give administrative privileges only to trusted IT staff and key personnel.
9. Create a mobile-device action plan. Mobile devices can create significant security and management challenges, especially if they hold confidential information or can access the corporate network. Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Be sure to set reporting procedures for lost or stolen equipment.
10. Protect all pages on your public-facing websites, not just the checkout and sign-up pages.
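Tip 5 recommends multifactor authentication, and tip 8 separate accounts with strong passwords. The script below is an added example, not the SBA’s or any vendor’s code, showing what “additional information beyond a password” looks like in practice: a login that only succeeds when both a salted password hash and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) check out. The account, its salt and the function names are hypothetical; the shared secret is the published RFC 4226 test-vector secret, used so the codes can be checked against known values, and a real deployment would generate a random per-user secret and store it in a secrets store rather than in source.

```python
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000  # assumed work factor; tune to your hardware


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current 30-second window."""
    return hotp(secret, int(at // step), digits)


def verify_totp(secret: bytes, code: str, at: float, step: int = 30, window: int = 1) -> bool:
    """Accept the current window plus `window` neighbours on each side to tolerate clock skew."""
    counter = int(at // step)
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return True
    return False


def hash_password(password: str, salt: bytes = None):
    """Derive a storable hash with a per-user random salt (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed demo account. The TOTP secret is the RFC 4226 test-vector key, NOT a real key;
# the fixed salt is only so the example is reproducible.
DEMO_SECRET = b"12345678901234567890"
DEMO_SALT, DEMO_HASH = hash_password("correct horse battery staple", b"\x00" * 16)


def login(password: str, code: str, at: float = None) -> bool:
    """Both factors are always evaluated; a correct password alone never grants entry."""
    at = time.time() if at is None else at
    password_ok = verify_password(password, DEMO_SALT, DEMO_HASH)
    code_ok = verify_totp(DEMO_SECRET, code, at)
    return password_ok and code_ok


if __name__ == "__main__":
    now = time.time()
    print("current code for demo account:", totp(DEMO_SECRET, now))
    print("login with both factors:", login("correct horse battery staple", totp(DEMO_SECRET, now), now))
    print("login with password only:", login("correct horse battery staple", "000000", now))
```

Two design points worth noting: both factors are computed before the result is combined, so a wrong password and a wrong code take the same time and reveal nothing about which one failed; and codes are compared with `hmac.compare_digest` rather than `==`, so the comparison does not leak through timing. With a phished password the attacker still lacks the device generating the code, which is the whole reason tip 5 exists.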
Free online resources
• Take the SBA’s free online Cybersecurity for Small Business e-course (sba.gov/tools/sba-learning-center/training/cybersecurity-small-businesses)
• Attend local cybersecurity workshops offered by NIST (csrc.nist.gov/groups/SMA/sbc/workshops.html).
• Visit the FBI’s Infragard site (infragard.org/) for useful tips and local resources.
• Stop in to a local SBA resource partner office to talk with business counselors and mentors (SCORE, Small Business Development Centers and Women’s Business Centers).
Debra Gibson Isaacs is a correspondent for The Lane Report. She can be reached at [email protected].