WEST FARGO, N.D. — Small- to mid-sized businesses may not face the tens of thousands of daily cyberattacks directed at big corporations or governments, but that doesn’t mean that there aren't hackers happy to take a crack at your computer system to pry out trade secrets or customer or employee data you're trying to protect.
Lynn Soeth, manager of security services for High Point Networks, has seen her share of heartache from firms that have had their IT networks breached.
“Businesses have been shut down for more than a week, trying to recover from ransomware,” Soeth said Tuesday, Dec. 3.
Unless a company’s information systems are safeguarded, a ransomware intrusion can put that business at the mercy of hackers, she said.
Even paying the ransom may not get you access to enough of your data to operate normally.
“Businesses without backups actually almost have to start from scratch again,” Soeth said.
Small businesses have the same vulnerabilities as big corporations, she said, and fewer people to handle the workload.
“They’re larger targets nowadays. The hackers are lazy. They’re looking for the easiest challenge,” Soeth said. “Companies have to realize that cybersecurity has to be in your DNA now.”
The statistics are sobering:
- Forty-three percent of data breaches involved small businesses, Verizon reported in 2019.
- Data breaches exposed 4.1 billion records in the first half of 2019, Varonis Systems reports, with the U.S. ranking first in the world in ransomware attacks at 18.2%.
- According to the FBI’s Internet Crime Report, the cost of cybercrimes reached $2.7 billion in 2018 alone.
- Symantec reported that in 2018, employees of small organizations were more likely to be hit by email threats — including spam, phishing, and email malware — than those in large organizations. Symantec also said spam levels continued to rise, with 55% of emails received in 2018 being categorized as spam.
- Hackers can quietly be in your system months before they are detected, a 2019 IBM report said. The average time to identify a breach was 206 days, while the average lifecycle of a breach, from start to containment, was 314 days.
- In its 2019 cybersecurity study, Keeper Security said six in 10 decision makers surveyed at small to medium businesses did not have a cyberattack prevention plan. Meanwhile, 66% of those company leaders believed a cyberattack was unlikely, even though in reality, two-thirds of small to medium firms faced some kind of cyberattack in the last year.
Small size, same threat
Cybersecurity is very important for businesses of all sizes, says Jeremy Straub, the associate director for North Dakota State University’s Institute for Cyber Security Education and Research.
“In a way, it takes on a special requirement for small- and mid-sized businesses,” Straub said. They don’t have the resources but “they’ll face many of the same challenges.”
Hackers will try to collect customer or employee personal information, or other information such as product designs or formulas, or other trade secrets, he said.
“All of that stuff that’s obviously very integral to any business surviving, whether it’s big or small, and really across any number of industries. Small- and mid-sized businesses have that type of stuff, too. They just typically don’t have the same level of infrastructure and staffing to protect it as a larger firm would,” Straub said.
Soeth said IT system users “are often your weakest link. Regular security education is key.”
That could range from having trainers come from outside of your firm, to sending out a weekly email about a different security topic.
Test your systems
Soeth says High Point will test its own security with regular phishing campaigns for training.
“It’s not a ‘gotcha,’ it’s ‘This is what an email looks like. This is what an email from the bad guys looks like.’ So when you get an email that is a phishing email, you instantly know what it is. Or you just have that creepy feeling that this isn’t right. So you go to someone else and get a second opinion,” Soeth said.
Testing firms can probe your system for vulnerabilities, warn of holes in security and provide an action plan to secure your data.
Measures can be as simple as requiring more than an email to verify if a boss really wants to have an employee buy 100 iTunes cards, or send $175,000 to a bank in Louisiana, Soeth said.
Requiring a phone call or face-to-face communication can short-circuit such phishing scams, or the efforts of hackers masking their actions by emailing from the accounts of company officers, she said.
“Basically, (hackers are) trying to get in through your hardware or they’re trying to get in through your people. And what do they want? They want money, or they want personal information that they can use to set up a credit card account somewhere, or rent a car from Enterprise, simple things like that,” she said.
Mobile devices used for company business also need to be protected with security software and used safely, Soeth said.
Mobile device management solutions can include monitoring software, automatic security updates and requiring regular password changes for private devices, like cell phones, tablets, iPads, etc.
“If you can’t control them, get them off of your corporate network,” Soeth said.
With mobile devices, “security really is a tradeoff between the immediacy of serving someone right away, versus the additional threat of losing the device or using it in places with more risks,” Straub said.
None shall pass
Soeth is a big believer not just in passwords, but in pass phrases, the longer the better.
A pass phrase can be simple, such as four different words strung together, like OrangeBrownCowTractor, and be hard to crack.
“Hackers are basically lazy, they’re not going to go for that,” Soeth said.
And she cautions users not to reuse passwords from site to site. Otherwise, “If someone gets your Facebook password, he now has your banking password and your company password and the company wire transfer password.”
Can't remember a boatload of passwords or pass phrases? Soeth recommends finding a password application to keep track of them.
Multifactor authentication, requiring two or more pieces of evidence that a user is authentic, should also be “on everything that it can be,” Soeth said.
And access to data should be layered to keep sensitive data safe. That can mean requiring additional passwords or encryption to access the data.
“Just make sure that anything that is particularly sensitive is stored in a secure way and encrypted and that the access credentials for that are well-guarded,” Straub said.
Backup is the byword
Your operating software, security software and other applications should all be up to date on security patches, Soeth said. If you aren’t sure how to maintain your system, Soeth recommends hiring IT experts.
Businesspeople should also know what devices and software are on their networks. That way, they're more likely to know if something strange is going on in the IT system.
Hackers may quietly monitor computer systems for weeks or months, she said, “because they want to figure out what your crown jewels are. Once they figure out what they are, then they can act,” she said. “They want to figure out what they should encrypt that you would pay ransom for.”
“Which takes us down the road of backup, backup, backup, backup. Make sure you have backup” of your files, she said.
Backup files give you the option of wiping your computer systems of ransomware or malware and getting a clean start.
IT security has a cost, but there are also costs for every day of not being able to operate, Soeth said.
“How long can you afford to be down?” Soeth asks. “Your key to not having to pay a ransom and your key to sleeping well at night is to have backup, backup, backup, that you know works” because it’s been tested.
Doughnut let hackers in
Physical security is important, as not all hacks start on a computer. It can be as simple as someone claiming to be a copy repair person.
“We’re way too trusting. We’re Minnesota nice, North Dakota nice, Midwest nice, whatever that is. When someone walks into your company you don’t know, you are empowered to challenge them and find out why they are there,” Soeth said.
Don’t be afraid to escort the copy repair person to the job.
“An easy way to steal company information is to pose as the copier guy, and install a capture device on the back of the copier” that captures everything, such as invoices for companies with information, or copied pay stubs.
You also don’t want to let a stranger tailgate you through the door, even if the guy is carrying a box of doughnuts, she said.
“We’re all going to be so helpful and open that door for him. We’re all very nice, and the guy just drops off the doughnuts in the breakroom,” then wanders off to the copier to install a data capture device.
If you’re hacked
If your firm's IT security has been breached, Soeth recommends contacting your insurance company immediately to report the intrusion. If your business doesn't have cyber insurance, she recommends you get it.
She said insurance companies may have their own investigation procedures, and may want to forensically examine your computer system.
In addition, she said firms should contact their banks and their technology partners, so that they can protect your assets, restore your information technology system from backups and get you back online in short order.