WEST FARGO — Small- to mid-sized businesses may not face the tens of thousands of daily cyberattacks directed at big corporations or governments, but that doesn’t mean that there aren't hackers happy to take a crack at your computer system to pry out trade secrets or customer or employee data you're trying to protect.
Lynn Soeth, manager of security services for High Point Networks, has seen her share of heartache from firms that have had their IT networks breached.
“Businesses have been shut down for more than a week, trying to recover from ransomware,” Soeth said Tuesday.
Unless a company’s information systems are safeguarded, a ransomware intrusion can put that business at the mercy of hackers, she said.
Even paying the ransom may not get you access to enough of your data to operate normally.
“Businesses without backups actually almost have to start from scratch again,” Soeth said.
Small businesses have the same vulnerabilities as big corporations, she said, and fewer people to handle the workload.
“They’re larger targets nowadays. The hackers are lazy. They’re looking for the easiest challenge,” Soeth said. “Companies have to realize that cybersecurity has to be in your DNA now.”
The statistics are sobering:
- Forty-three percent of data breaches involved small businesses, Verizon reported in 2019.
- Data breaches exposed 4.1 billion records in the first half of 2019, Varonis Systems reports, with the U.S. ranking first in the world in ransomware attacks at 18.2%.
- According to the FBI’s Internet Crime Report, the cost of cybercrimes reached $2.7 billion in 2018 alone.
- Symantec reported that in 2018, employees of small organizations were more likely to be hit by email threats — including spam, phishing, and email malware — than those in large organizations. Symantec also said spam levels continued to rise, with 55% of emails received in 2018 being categorized as spam.
- Hackers can quietly be in your system months before they are detected, a 2019 IBM report said. The average time to identify a breach was 206 days, while the average lifecycle of a breach, from start to containment, was 314 days.
- In its 2019 cybersecurity study, Keeper Security said six in 10 of the decision makers it surveyed at small to medium businesses did not have a cyberattack prevention plan. Meanwhile, 66% of those company leaders believed a cyberattack was unlikely, even though in reality, two-thirds of small- to medium-sized firms faced some kind of cyberattack in the last year.
Small size, same threat
Cybersecurity is very important for businesses of all sizes, says Jeremy Straub, the associate director for North Dakota State University’s Institute for Cyber Security Education and Research.
“In a way, it takes on a special requirement for small- and mid-sized businesses,” Straub said. They don’t have the resources but “they’ll face many of the same challenges.”
Hackers will try to collect customer or employee personal information, or other information such as product designs or formulas, or other trade secrets, he said.
Soeth said IT system users “are often your weakest link. Regular security education is key.”
That could range from having trainers come from outside of your firm, to sending out a weekly email about a different security topic.
Test your systems
Soeth says High Point will test its own security with regular phishing campaigns for training.
“It’s not a ‘gotcha,’ it’s ‘This is what an email looks like. This is what an email from the bad guys looks like.’ So when you get an email that is a phishing email, you instantly know what it is. Or you just have that creepy feeling that this isn’t right. So you go to someone else and get a second opinion,” Soeth said.
Testing firms can probe your system for vulnerabilities, warn of holes in security and provide an action plan to secure its data.
Measures can be as simple as requiring more than an email to verify if a boss really wants to have an employee buy 100 iTunes cards, or send $175,000 to a bank in Louisiana, Soeth said.
Requiring a phone call or face-to-face communication can short-circuit such phishing scams, or the efforts of hackers masking their actions by emailing from the accounts of company officers, she said.
Mobile devices used for company business also need to be protected with security software and used safely, Soeth said.
None shall pass
Soeth is a big believer not just in passwords, but in pass phrases, the longer the better.
A pass phrase can be simple, such as four different words strung together, like OrangeBrownCowTractor, and be hard to crack.
“Hackers are basically lazy, they’re not going to go for that,” Soeth said.
And she cautions users not to reuse passwords from site to site, otherwise, “If someone gets your Facebook password, he now has your banking password and your company password and the company wire transfer password.”
Can't remember a boatload of passwords or pass phrases? Soeth recommends finding a password application to keep track of them.
Multifactor identification, requiring two or more pieces of evidence that a user is authentic, should also be “on everything that it can be,” Soeth said.
Backup is the byword
Your operating software, security software and other applications should all be up to date on security patches, Soeth said. If you aren’t sure how to maintain your system, Soeth recommends hiring IT experts.
Businesspeople should also know what devices and software are on their networks. That way, they're more likely to know if something strange is going on in the IT system.
“Which takes us down the road of backup, backup, backup, backup. Make sure you have backup” of your files, she said.
Doughnut let hackers in
Physical security is important, as not all hacks start on a computer. It can be as simple as someone claiming to be a copy repair person.
“We’re way too trusting. We’re Minnesota nice, North Dakota nice, Midwest nice, whatever that is. When someone walks into your company you don’t know, you are empowered to challenge them and find out why they are there,” Soeth said.
Don’t be afraid to escort the copy repair person to the job.
“An easy way to steal company information is to pose as the copier guy, and install a capture device on the back of the copier” that captures everything, such as invoices for companies with information, or copied pay stubs.
You also don’t want to let a stranger tailgate you into the door. Even if the guy is carrying a box of doughnuts, she said.
“We’re all going to be so helpful and open that door for him. We’re all very nice, and the guy just drops off the doughnuts in the breakroom,” then wanders off to the copier to install a data capture device.
If your firm's IT security has been breached, Soeth recommends contacting your insurance company immediately to report the intrusion. If your business doesn't have cyber insurance, she recommends you get it.