Your company relies on email, company websites, online payments and smartphones to conduct business. The problem is that every digital portal a business opens to the internet provides an opportunity for cybercriminals to follow them back through, creating a potential trail of fraud, theft and ransomware attacks.
But small businesses like yours aren’t helpless against cyberthreats, says Eric Cole, founder and CEO of Secure Anchor Consulting, a cybersecurity firm helping businesses of any size to prevent security breaches, detect network intrusions and respond to advanced threats. Cole is also the author of Online Danger: How to Protect Yourself and Your Loved Ones From the Evil Side of the Internet and Advanced Persistent Threat: Understanding the Danger and How to Protect Your Organization.
Q: A lot of companies feel they’re immune to cybersecurity threats because they’re too small to be hacked. How does that belief stack up against reality?
A: In many cases, small companies are even more at risk than large companies. Look at it from the hacker’s perspective: Which company has the most advanced security system, and which one provides the easiest target? They would be just as happy to collect $500 from an easy target with little security as risk weeks of effort only to be turned back by a sophisticated security system.
Smaller companies tell me they don’t have anything of value that would attract the interest of cybercriminals. If that were true, you wouldn’t be in business. Every company also has employees and customers with Social Security numbers, credit cards and bank accounts. A lot of the crime is related to identity theft.
I recently saw a small business with 20 employees report a theft of $18,000 from its bank account through a fraudulent wire transfer. That’s a rounding error for a billion-dollar company but devastating to a small business.
Q: What recourse do these companies have after they’re defrauded?
A: They can report the crime to law enforcement, but it’s difficult to get noticed when even larger cybercrimes are competing for their attention. In many cases, the criminals are operating outside the country, so little can be done to investigate or prosecute.
Q: We’ve heard a lot about ransomware attacks. What are they?
A: Adversaries enter the host system using a malicious file and encrypt all of the business data so that it’s unusable. The cybercriminal then offers to unlock the files once a ransom is paid.
Q: Are hackers targeting smaller companies with ransomware?
A: Yes, they are. About 10 to 15 years ago, when ransomware attacks were first reported, the criminals would typically target large corporations and ask for $50 million in ransom to release their files. No small company is going to pay a ransom of that size to release their files, but the adversaries have changed their tune. They’re now targeting a large number of small companies and asking if they’re willing to pay $500 or $1,000 to unlock their data.
If a criminal has locked up the files that contain the only copy of your customer information, all of your billing, all of your inventory and all of your taxes, what are your options? If the hacker is offering to release it for $1,000 or destroy it forever, paying the ransom is often a no-brainer.
Q: How can a small business secure its data against ransomware?
A: Back up your files. I have large clients who are hit with ransomware attacks every week, but they don’t worry about it because they can restore their files from cloud-based backups.
However, it needs to be a nontransparent backup — one that requires a password to activate each time. If you don’t have to do anything to activate the backup, neither do the ransomware files embedded in your system. They’ll be backed up along with your data.
Q: What methods do cybercriminals use to gain access to your data?
A: The single biggest point of entry is a legitimate-looking email that has an attachment or a link that you’re asked to click on. It might look like it comes from a customer. It might tell you that unless you revise a quote or a contract within the next eight hours, you’ll lose the business. They want you to get emotional so you click on the link immediately … and then it’s game over.
In every case where this happened to my clients, they’ve told me that something didn’t seem right about the email and a voice told them not to do it, but they did it anyway. Train yourself to understand that banks and clients are unlikely to convey critical information in an email. Call by phone to confirm with the sender that the email is real.
Q: How can we secure emails?
A: Email was never designed to be a file transfer mechanism. It’s a bad idea. There are plenty of services out there, such as Dropbox or OneNote, designed to send files cost-effectively, so use them.
Q: How important are passwords?
A: Put some rigor into the selection of strong passwords. Many people use the same password for everything. Once the first password is discovered, adversaries can access all of your accounts and systems.
Q: What sort of security protection is available to small businesses?
A: They can’t afford a $500,000 firewall or intrusion detection system. But you can buy a good third-party security system for $50. Even an operating system such as Windows 10 already offers solid endpoint security to small businesses, and you can download updates and patches for free. The issue is that Windows endpoint security is turned off by default. Spend the five minutes it takes to activate it properly.
If you’re using cloud-based services, you’re probably already paying for an extensive security package, but it’s also turned off by default. The biggest failure for endpoint security systems is that they were never turned on in the first place.