YOUNGSTOWN, Ohio – It’s often a major cyberattack on big companies that commands the most attention among the public. Yet it’s the thousands of cases that go unreported that business owners should be most concerned about – clear evidence that small and medium-size companies are vulnerable to cybercrime that could cost them everything.
That’s the daunting consensus of specialists interviewed by The Business Journal for our Cyber Summit webinar, held July 13 and sponsored by the Better Business Bureau of Mahoning Valley.
During the webinar, six local cybersecurity experts told how they protect their clients from cyberattacks and how they work to mitigate the damages when one occurs.
As sponsor of the webinar, BBB President and CEO Carol Potter introduced the discussion, noting that cybercriminals are increasingly targeting small and midsized businesses.
All agree that cybercrime is a major threat, that most businesses are woefully unprepared for a systems breach, and that these threats are not going away.
The webinar can be viewed in its entirety at BusinessJournalDaily.com.
Panelists are: Robert Merva, CEO of Avrem Technologies; Steve Franckhauser, chief legal and privacy officer at Bertison-George LLC; Mercy Komar, cyber risk manager at L. Calvin Jones; Craig Horbus, partner at Brouse McDowell LPA; Ralph Blanco, CEO of ECMSI; and Paul Hugenberg, director of cyber security services at Rea & Associates.
What follows is a summary of their insights.
‘About 60% of the time, we’re paying something to unlock the systems.’
Craig Horbus, Brouse McDowell
“If I’m doing my job, you’ll never hear about a cyberattack on my client,” says Craig Horbus, an attorney at Brouse McDowell in Akron.
Much of Horbus’ time is spent quietly negotiating with sophisticated cyber criminals who have breached a company’s computer system, locked it, and then demanded payment in return for reactivating its operations.
These cases are far more prevalent than the public thinks. Horbus says on average he receives three to four calls per week related to some type of ransomware breach.
“By the time it becomes an incident, we’re quarterbacking everything,” he says.
First, it’s determined whether the company has sufficient backup that hasn’t been compromised, Horbus says.
Most of the more notorious and sophisticated extortion organizations operating in the cyber world are well known and are fairly easy to detect. “We typically know who these guys are. So we know what we’re dealing with,” he says. “If they have a high rating, then most likely we’ll have to pay it.”
These cyber criminals – the majority of whom are based in Eastern Europe – have devised elaborate business models designed to hijack a company’s network and cripple its entire business operation, Horbus says.
“They have project management teams trying to gain access to targets around the world,” he says.
In most cases, the affected company finds it easier to quietly pay the ransom, restore data and get their systems running again as soon as possible.
“About 60% of the time, we’re paying something to unlock the systems,” Horbus says. More recently, the attorney was attempting to negotiate down a $300,000 ransom on behalf of a northeastern Ohio company hit by an attack. These hackers demand payment in cryptocurrency such as bitcoin within a short time period – in some cases a matter of days.
The longer it takes to pay, the more money it might cost the business, Horbus says. Moreover, a longer delay also prolongs the period in which the company’s systems are shut down, so it is often in the business’s interest to resolve the matter quickly. In some cases, the attorney was able to negotiate a lower payment in return for a quick turnaround.
“These guys are in the game to make money,” he says. “We make sure we mitigate the damages.”
‘All the security in the world doesn’t matter if somebody clicks the wrong button…’
Robert Merva, Avrem Technologies
There are steps a business can take to prevent a major attack on its systems, says Robert Merva, CEO of Avrem Technologies LLC, Canfield. Avrem is a managed service provider that oversees information technology needs for business clients.
Merva says there is a dangerous lack of knowledge in the business community about how important cybersecurity is to their livelihoods.
“Almost every new client we pick up is deficient in security practices by a huge margin,” he says. Often, it boils down to simple basics that aren’t adhered to by a firm’s employees. “It seems that general knowledge is really low, and I don’t understand why.”
In most cases, breaches of a computer system occur when an employee opens a suspicious email, logs on to a fake website, or mistakenly sends information such as a password to a source that is pretending to be a legitimate entity, Merva says.
“It comes down to basic computer literacy,” he says. “I see it everywhere.”
Some companies say that it’s difficult for employees who are older to grasp these concepts, Merva says. “I could understand if it were 20 years ago,” he says. “But it’s 2021. It should be mandatory at this point.”
Compounding this are business owners who do not have strong knowledge of what constitutes a good IT provider or manager, Merva says. “Most of the time we get a call because a company isn’t happy with their IT,” he says. In some cases, Avrem has found companies whose computers lack basic security controls such as spam filtering and multi-factor authentication that can help deter an attack.
To date, Merva says that no Avrem client has been subjected to a ransomware attack. Yet that doesn’t mean it can’t happen. “Any one of our clients could still be breached,” he says.
While layered security protections within a system are still the best method to deter a breach, there is “no single line of defense” against an attack if employees or company owners aren’t educated.
“All the security in the world doesn’t matter if somebody clicks the wrong button or types their user name and password and lets a hacker in,” Merva says.
‘If you can get cyber insurance, then get it.’
Steve Franckhauser, Bertison-George LLC
Cyber criminals are more sophisticated than ever and have perfected social engineering to a point where it’s easy to dupe an employee into giving up valuable information, says Steve Franckhauser, chief legal and privacy officer at Bertison-George LLC, an oil and gas company based in Pittsburgh.
About 75% of breaches come from social engineering emails, Franckhauser says, such as another party sending an email posing as a trusted source. “There was one case in which a hacker spoofed an email address of a lawyer involved in a real estate transaction,” he recalls. The client received the email from the supposed attorney requesting that the money be transferred into an account.
“The client did it, and two days later the attorney called him and said they were ready to do the transaction,” he says. By that time, the money had already been sent to the hacker’s account.
More importantly, the perpetrator knew when the lawyer would be out of the office, the nature of the transaction, and other details, Franckhauser says. “It happens all the time.”
To ensure that data is protected, businesses must pay close attention to other moving parts of the operation, including the supply chain, he says.
“You need to find out who’s using your data,” he says. “Ask, ‘What are my relationships with my vendors?’ If you receive a thumb drive, is it from a trusted source?”
“If you look at the list of protections under the National Institute of Standards and Technology, two-thirds of those protections are related to human behavior,” he says. “If you send a letter, you send it to one person. If you send an email, that could be sent to 15,000 people.”
The amount of electronic information generated each year is staggering, according to Franckhauser. The amount of data produced in 2016, for example, is equal to the aggregate amount of data generated from the dawn of the human race until 2015.
“It’s projected that the amount of data created in 2025 will double every 12 hours,” he says.
Key to all of this is for companies to recognize data as a vital raw material to their business, Franckhauser says. “If you can get cyber insurance, then get it,” he urges. “We can adapt. But are we willing to adapt?”
‘Ransomware is usually about one-third the cost of the recovery.’
Mercy Komar, L. Calvin Jones
The rise in cybercrime across the country has driven up insurance premiums for businesses looking to protect their assets in the event of a ransomware attack, says Mercy Komar of L. Calvin Jones, an insurance provider in Canfield.
While incidents such as the Colonial Pipeline breach command the headlines, there are thousands of breaches of small businesses that go unnoticed but collectively account for most monetary damages, Komar says.
“There are tens of thousands of businesses affected by this, and these losses are causing rates to go up,” she says.
Premium renewals for cyber insurance are today 30% to 40% higher, Komar says, because of the wave of cyber criminality and ransomware. “I’ve seen annual premiums go from $1,000 to $2,500 this year,” she reports. “I saw one jump from $11,000 a year to $19,000 per year,” for $1 million in coverage.
What many companies don’t understand is that the greatest cost to a business from a ransomware attack isn’t the extortion money, but rather expenses related to recovering data, information and any other liabilities it might face in the attack’s aftermath.
“Recovery is what people should be concentrating on,” Komar says. Paying the ransom is usually about one-third the cost of the recovery, she says.
Local companies typically have targeted cyber insurance coverage between $2 million and $5 million, she says. But Komar has seen it as high as $10 million.
“You have to determine what they need to ensure they have enough money to survive,” she says.
Often, the level of coverage and premiums depend on the nature of the business, Komar says. For example, a local coffee shop with a handful of employees would present a much lower risk compared to a health care company that deals with a significant amount of personal data.
Still, she’s seen ransomware claims filed locally ranging between $50,000 and $100,000. While it’s not the $5 million in ransom Colonial Pipeline paid out, it’s still significant for a small business in the Mahoning Valley.
“Health care and utilities are the highest risk categories,” Komar says. “Retail doesn’t seem to be having as many problems. But it’s not going to stop.”
‘No one thinks they need it until they’re shut down.’
Ralph Blanco, ECMSI
Critical to any company’s IT strategy is integrating into its systems the functions that can sniff out any potential threat or anomaly before disaster hits, says Ralph Blanco, CEO of Executive Computer Management Solutions Inc., Struthers, a managed service provider.
“You’ve got to have tools with artificial intelligence built into them so when it detects an anomaly, it can catch it,” he says. “It can shut down your PC if things are out of the ordinary. It’s a nuisance, but it’s more security.”
Often, hackers are randomly searching for open backdoors into a company’s system, and those attempts are recorded in the system’s logs, Blanco says. “The system can scan the log, and if there’s something out of the ordinary, it can be reported.”
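Blanco’s point that probing shows up in the logs and can be flagged automatically is easy to demonstrate. The Python below is an added example, not a tool from ECMSI or any panelist: it reads sshd-style authentication lines (constructed sample data, using reserved documentation IP ranges), counts failed logins per source, and reports both the sources that are guessing passwords and any login one of them then achieves, which is the “out of the ordinary” event worth escalating.

```python
import re
from collections import defaultdict

# Constructed sample, not real log data: sshd-style auth lines from an
# internet-facing host. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_AUTH_LOG = """\
Jul 13 02:14:01 host sshd[910]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jul 13 02:14:03 host sshd[910]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Jul 13 02:14:05 host sshd[912]: Failed password for root from 203.0.113.7 port 51024 ssh2
Jul 13 02:14:08 host sshd[913]: Failed password for invalid user oracle from 203.0.113.7 port 51025 ssh2
Jul 13 02:14:09 host sshd[914]: Failed password for invalid user test from 203.0.113.7 port 51026 ssh2
Jul 13 02:14:30 host sshd[915]: Accepted password for backup from 203.0.113.7 port 51030 ssh2
Jul 13 08:00:12 host sshd[950]: Accepted publickey for alice from 198.51.100.20 port 40012 ssh2
Jul 13 08:05:44 host sshd[951]: Failed password for alice from 198.51.100.20 port 40013 ssh2
Jul 13 08:05:50 host sshd[951]: Accepted password for alice from 198.51.100.20 port 40013 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+)"
)

def scan_auth_log(text: str, fail_threshold: int = 5) -> dict:
    """Report sources that probe for credentials, and any login they then achieve.

    Returns {"probing": {src: failed_count}, "suspicious_logins": [(ts, user, src)]}.
    A login is suspicious when its source had already reached fail_threshold
    failures earlier in the log, i.e. an 'Accepted' that follows a guessing run."""
    failures = defaultdict(int)
    suspicious = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd chatter; ignore
        src = m.group("src")
        if m.group("result") == "Failed":
            failures[src] += 1
        elif failures[src] >= fail_threshold:
            suspicious.append((m.group("ts"), m.group("user"), src))
    probing = {src: n for src, n in failures.items() if n >= fail_threshold}
    return {"probing": probing, "suspicious_logins": suspicious}
```

The single failed attempt by alice followed by her own successful login is ordinary user behavior and is deliberately not reported; the threshold is what separates a typo from a guessing run.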
No security system is foolproof, Blanco says, since human error factors into most of these breaches. Criminal networks that are especially adept at social engineering, for example, are able to infiltrate a system, plant malware, and then monitor an employee’s or the company’s operations.
“They can impersonate someone else, someone you’ve been dealing with for 10 years,” Blanco says. “It’s not just the fear of downloading a virus anymore.”
Once a criminal gets in the system, they can ascertain just how much liability coverage – if any – the company has or the amount of cash on hand in the business’ accounts, Blanco says.
“Then, they can figure out just how much they can extract. There’s often some backend digging once they breach the system,” he says.
After that’s determined, the criminal organization can seize the system and make its demands.
Altering employee behavior and installing security measures such as multi-factor verification are important first steps a company should take in order to secure their systems, Blanco says. “Multi-factor verification should be mandatory across the board,” he says.
One of the biggest sources of resistance from small companies is the belief that it’s too costly to add security to their systems, Blanco says.
“No one thinks they need it until they’re shut down,” he says. “By then, you’ve put yourself in a very dangerous spot.”
‘Too many people have access to this data’
Paul Hugenberg, Rea & Associates
What many businesses don’t understand – especially small, second- or third-generation shops or startups – is that protecting your company from a cyber intrusion is more important than preparing for a natural disaster, says Paul Hugenberg, principal and director of cybersecurity services at Rea & Associates, an accounting and business consulting firm with offices across Ohio.
“If there’s a tornado, weather disaster – even an explosion, your insurance can cover it,” he says. “There is nothing except a cybersecurity event that can end that business a moment from now.”
He says most small and medium-size operations don’t carry cyber insurance, or at least do not have enough coverage in case of a major ransomware attack. “What we worry about is that a business that was the result of years of hard work, effort, time and skill can come to an end with the next click of an email,” he says.
Hugenberg says he identifies a company’s risk in several ways. The first is availability and access to the business’ systems. “How is it backed up? How can you mitigate disruption?”
Another is integrity: whether you can trust the information and data streaming into your company, he says. “Who has access to this data? Do too many people have access to this data?” are questions users should ask.
Confidentiality is an important measure that should be adopted as part of a company’s IT strategy, Hugenberg says. “The only people who need to see something should see it,” he says. Data in the wrong hands could lead to a ransomware attack, a corporate account takeover, or theft in which information is sold over the dark web. “Often this can come as a result of routine activity,” he says.
Nevertheless, companies are hesitant to spend more to protect data than they spend to protect their physical assets, Hugenberg says. Yet the cost to back up a company’s data systems and improve security is minuscule compared to what it could cost a business if it’s hit with a cyberattack. Depending on the business, it could cost as little as $60 per month for a small shop, while others could go to $3,000 a year.
Hugenberg says he’s familiar with one company that told its tech support team that it didn’t need to spend money on cyber protection.
“In a single week, they were hit with cyber theft and then ransomware,” he says.
Pictured: Panelists convened for Tuesday’s webinar were Robert Merva, CEO of Avrem Technologies; Steve Franckhauser, chief legal and privacy officer at Bertison-George LLC; Mercy Komar, cyber risk manager at L. Calvin Jones; Craig Horbus, partner at Brouse McDowell LPA; Ralph Blanco, CEO of ECMSI; and Paul Hugenberg, director of cyber security services at Rea & Associates. The Business Journal’s Mike Moliterno and Dan O’Brien moderated the event.