YOUNGSTOWN, Ohio – There’s isn’t a small business owner who would leave for the day without locking the doors and securing his storefront. Many, however, are inadvertently leaving online windows wide open.
Since the start of the pandemic, cyberattacks have grown more than 400%, finds the FBI.
The losses these cybercriminals cause businesses are growing exponentially and the attacks are becoming more sophisticated all the time.
“We’re sitting here having these conversations about it,” says Carol Potter, president and CEO of the Better Business Bureau of Mahoning Valley. “In the meantime, they’re testing. They’re recruiting. They’re growing their network.”
And, more and more often, their targets are small and midsized businesses. “It’s coming to our level now,” Potter says.
Two big reasons why more businesses aren’t sufficiently proactive about cybersecurity is a lack of awareness and the stigma that comes with falling victim to an attack.
The latter is the main reason most businesses keep news of an attack quiet, which in turn feeds back into the lack of awareness, since the number of known attacks is far fewer than the number occurring.
Still, warning bells are becoming harder and harder to ignore.
A 2019 study by the Better Business Bureau found that Business Email Compromise (BEC) scams alone have accounted for $3 billion in losses since 2016.
A BEC scam occurs when the scammer, posing as a fellow employee, usually the boss, sends an email that asks for a money transfer, although there are many variations.
In 2018, the study found that 80% of all businesses received at least one of these emails. Indeed, email scams cost businesses $360 million in 2016, and $750 million in just the first three months of 2019.
“Someone is going to start getting these suspicious looking emails with a link in them,” Potter says.
“That means someone is coming.”
While many of these emails may get noticed or sent to one’s spam folder, it takes only one for the results to be devastating.
Locally, a BEC scam in January 2020 cost Boardman Molded Products $1.7 million in losses after several emails containing fake invoices and appearing to come from the owner’s email account were sent to accounts payable.
In July 2019, Eye Care Associates, was the victim of a ransomware attack that froze its computer systems for two weeks. The attack failed in that the directors of the physician-owned medical practice decided not to respond to an email that would tell them how much money had to be paid to the unlock the system, said a representative of the company that provided Eye Care managed technology services.
Instead, Eye Care used its back-up data to restore the system in a new environment.
Boardman Molded Products and Eye Care Associates remain in business today.
But according to the National Cyber Security Alliance, 60% of small and midsized businesses go out of business six months after being hacked.
The statistic makes it clear just how difficult it is for a business to recover from such an attack.
“Your printers are down. Your computers are down. Your phone system is down. How many days can you go with your systems being down like that?” asks Melissa Ames, vice president of BBB Services for the Better Business Bureau of Mahoning Valley.
It was a compromised password hackers obtained that allowed them to break into the network of the Colonial Pipeline Co. April 29, leading to a complete shutdown of the pipeline and a fuel shortage on the East Coast.
The hackers, an affiliate of the Russia-based cybercrime group DarkSide, made off with $4.4 million in ransom and nearly 100 gigabytes of data.
Groups like DarkSide have been targeting companies listed on the New York Stock Exchange for years. As the criminal industry has grown, so too has the appetite for new victims.
Potter says reaction to a ransomware attack consists of two components.
The first is to get your data back. The second is to keep the breach from going public and potentially hurting the stock price of the company.
“So they’re not only attacking the business themselves, but also their reputation,” says Ames.
The damage to its reputation, and the chance that it may cause customers to flee, is why the stigma that comes with being hacked may be as harmful as the hack itself.
“You can’t say, ‘It’s OK. I did my digital plan five years ago.’ You have to look at it all the time,” Ames says.
Cybersecurity is especially important today, when so many are working from home, using online networks that may be far less secure than those at their offices.
Ames advises businesses to have an open dialogue about their plan, list the protocols, and discuss them often.
“You have to create within your business a culture of trust. The CEO has to follow the same protocols as everyone else because they’re a bigger target,” she says.
For businesses that have fallen victim to an attack or think they are being targeted, Potter advises they reach out to the local FBI office or Secret Service field office for help.
“The only way to get out in front of this is to educate our local businesses,” she says.
Pictured: Carol Potter and Melissa Ames.