YOUNGSTOWN, Ohio – Cyberattacks are the top concern of 60% of small businesses, according to a U.S. Chamber of Commerce survey.
So how are businesses staying safe? The same survey shows 48% have trained staff on cybersecurity measures in the past year, including 64% in the professional services industry and 69% of businesses with 20 to 500 employees.
Local IT companies can help small businesses train their employees and prevent attacks. “The ongoing trend is that cyberattacks are increasing in volume, scale and technical sophistication,” says Tom Reeveley, president of Team Office Technologies.
Jason Wurst, vice president of Tele-Solutions, says businesses formerly had to worry most about malware, viruses and ransomware. But with the strong protections now in place at most companies, there has been an uptick in phishing efforts to gain access to accounts.
Wurst and other local IT professionals describe a scenario whereby cyberthieves hack an email account and monitor conversations. Eventually, they will impersonate that person and send a deceptive email claiming there has been a change in bank accounts and instructing them to send future payments to it.
Ralph Blanco, CEO of ECMSI, notes email hackers will watch closely for the optimal time when it would be a natural point in the conversation for a change of account numbers.
“At some point they’re going to doctor an invoice or a wire transfer or a payroll account request, something financially, and that money is going to be stolen directly,” says Mike Timko, owner of Cortland Computer of Warren.
Such social engineering attacks can lead to payments no longer reaching your businesses’ accounts or payments from another business going to the wrong account.
“If you’re responding to phishing emails and you’re in the accounting department and you accidentally respond to someone who is impersonating someone else, that can escalate quickly,” Wurst says. Such actions underscore the need for employee training on what to watch out for and what to avoid.
David Daichendt, vice president of InFinIT, a managed service and cloud provider, says viruses are getting better at overcoming defenses. Instead of immediately causing havoc that will raise immediate alarms for the AI programs and IT technicians, viruses will sit on a computer for weeks.
“They will wait until a holiday weekend or after work hours on a Friday afternoon, they will activate it, and they will start crawling through your network, encrypting all your data, and they will take the entire weekend,” says Daichendt.
He notes unless there is a 24/7 security operation center watching your system, it can be too late by Tuesday morning. The ransom request has been sent.
Even with AI monitoring, it is never going to be a set it and forget it type of system, Wurst says. The system must be constantly monitored and maintained to protect against threats, including running updates on both hardware and software.
“When everything is up to date, bad actors can’t utilize deficiencies,” says Wurst. “That’s what those updates on newer devices do. They plug holes in the boat, if you will.”
Prevalent Threats
Timko believes small businesses may have more to worry about than larger ones.
While a larger business can take a $100,000 or $200,000 cyberattack, a small business does not have the resources to overcome it.
“Insurance providers are saying only 20% to 30% of small businesses are carrying cyber insurance,” says Timko.
Small business owners do not usually share what has happened.
“You wouldn’t talk about that at the country club with your peers,” Timko says, comparing a cyberattack to an embarrassing medical condition. “No one wants to air out bad things about their own business… but it is happening to local businesses and small businesses.”
Cyberattacks at small businesses rarely make the headlines, Blanco points out.
“It’s easier for a (ransomware) hacker to ask for $5,000 from 10 small companies than to ask for $50,000 from one big company,” Blanco says. “What do they care? It’s all the same. They go after everybody.”
Robert Merva, owner of Avrem Technologies of Canfield, notes his company has done two or three remediation projects for organizations that were not their normal clients after they were hit by a cyberattack.
Even for a small organization, Merva says it can cost up to $200,000 to get remediation work done due to the experts it can require. Plus, some companies may choose to pay the ransom and then there is the downtime caused by remediation, which reduces income.
“As an organization or business, can you afford to write a $100,000 check and be down for a month?” Merva asks.
And even if the business survives, there can be a loss of trust.
“It may not be paying a ransom as much as having a long-term partner vendor or client turn on you because they feel it’s your fault that you were compromised, someone impersonated you and they got tricked out of the money,” Timko says. Without protection and monitoring in place, nothing might be detected until a client calls to question why they sent payment and your business has not responded.
“Prevention is better than cure,” says Reeveley of Team Office. “Even though cyberattacks and cybercrime is at an all-time high, cybersecurity engineering teams, security operation centers and cybersecurity support products are advancing and keeping pace… A well-designed security platform will provide exceptional network security and peace of mind.”
Protective Layers
You must protect your business in layers of security – firewalls, multifactor authentication, employee training, anti-virus software and AI technology monitored by a security operation center, IT professionals say.
Many local companies offer systems checks for vulnerabilities, sometimes for free, to find the holes. Then they offer services, which can be as little as 1% to 5% of a small business’ profits.
Reeveley says tools like penetration testing security audits can help properly configure a network and find remediation methods for security risks.
“For the most part,” Merva says, “a lot of these attacks are perpetrated by casting a wide net and trying to pick up some low hanging fruit. And if you’ve got an unsecured environment or open door that they can walk through, they will. It doesn’t matter what industry you are or what you do.”
Merva believes it is important to layer the protection like an onion.
“You never want to rely on one method of detection,” Merva says. It’s important to monitor the “outer perimeter” where the business’ data can be found, including the servers, internet connections, cloud email systems and individual computers, he says.
When an attack does happen, the protection system needs to shut the system down immediately or at least quarantine the infected computer from the rest.
Event monitoring can identify something that is abnormal – for example, a log-in from a server in Thailand, says Daichendt. The system should automatically raise an alert.
And on the human level, verification can be important when receiving that phishing email too.
“Unfortunately, we’re in an era where you can’t really trust, you’ve got to verify everything,” Blanco says. “If someone you’ve been doing business with for 10 years sends you an email about changing an account number or doing anything that is out of the ordinary, you have got to pick up the phone, talk to them and verify.”