BBB Helps Members Write Cybersecurity Plans
YOUNGSTOWN, Ohio — The Better Business Bureau of the Mahoning Valley offers area businesses tips to protect themselves from cyber attacks, but a review last year showed it, too, had a vulnerability – since corrected.
At one time, the Youngstown BBB office allowed member businesses to use its conference room and the BBB’s Wi-Fi, President and CEO Carol Potter says.
But during a review by the BBB’s information technology consultant, Potter was told that the office needed to set up a separate account for visitors.
As a result, “We have a guest Wi-Fi and we have a secure Wi-Fi for the staff,” says Melissa Ames, vice president of BBB services.
The BBB advises its accredited businesses that at some point everyone will fall under attack. “That’s why you need a cybersecurity plan,” Potter says.
Early last year, she notes, a company in Boardman found itself a victim of identity theft, a problem normally associated with individuals.
“We received phone calls from customers outside the service area saying that they had a timeshare they were looking to sell and they were interested” in the company’s properties, Ames recalls, or were inquiring about a fee they had sent the company.
“We determined that the company was in Mexico,” she continues. The Mexican company positioned itself on a Google search page to come up above the Boardman company’s website.
“They had stolen their identity. They’d captured their website and they’d changed the phone number by one digit,” Potter says.
Potter outlines five myths about cybersecurity and businesses. The first is that smaller businesses have little risk of being the target of a cyberattack.
“A lot of businesses think it’s the big guys,” Potter says. “The statistics do not bear that out.” In fact, 60% of all cyberattacks happen to small businesses and 42% of small businesses report they have been victims, based on the reports Potter cites.
When the personal information a small business holds is compromised, customers often are unaware because the breach doesn’t get the sustained media attention of an attack like the one retail giant Target suffered during the 2013 holiday season.
“So it’s very hard to determine the correlation to size,” Ames adds.
Another myth is that small-business owners can’t protect themselves. In fact, Potter says, six of 10 small businesses have a plan in place that incorporates elements such as a security strategy, insurance or engagement of an information technology team. “More small businesses than one would think have a plan,” she says, “but that still leaves 40% unprotected.”
The third myth is that a lack of resources is why small businesses can’t invest in cybersecurity efforts, when in fact a lack of expertise or understanding is the top reason, Potter says.
The fourth myth is that if a small business is hit by a cyberattack, its financial institution would cover losses, she continues.
And the fifth myth is that an attorney should be the first call if a substantial block of data is stolen.
The burden of proof lies on the business, not the banks, and the average loss is just over $32,000, Potter points out.
Should there be a major data theft, the business should first notify those affected by the breach – customers, employees, vendors – about the incident, she says.
“It’s particularly important that be the No. 1 action they take because research shows that eight out of 10 consumers are likely to walk away from a purchase if a business fails to keep their data safe,” Potter says.
Businesses should call an attorney before a breach might occur “because breach notification should be a part of the advance incident response planning,” she continues. Businesses also can contact the BBB for help in writing their plans.
The BBB makes available to its accredited businesses a five-step guide to creating a cybersecurity plan that’s based on the National Institute of Standards and Technology framework. The five steps are:
Identify: Take inventory of key technologies the company uses and know what information would be needed to rebuild infrastructure from scratch should that become necessary.
Protect: Assess the measures necessary to be as prepared as possible for a cyberattack, including the installation of security updates and patches and using encrypted Wi-Fi.
Detect: Put measures in place to provide alerts about current or imminent threats to system integrity and the loss or compromise of data.
Respond: Make and practice an incident response plan to contain an attack and then maintain business operations in the short term.
Recover: Know what to do to return to normal business operations following an incident, including creating a disaster recovery plan and being aware of any data breach notification requirements.
In documenting the hardware they use, companies need to keep in mind their employees who work remotely and the devices needed to maintain operations, Ames says. When it comes to detection, businesses should make sure they’re monitoring their messages and network traffic for suspicious activity.
“For example, at the BBB system, we noticed that we were getting a lot of looks from potential hackers in Eastern Europe,” she continues. “And those we knew were not [our] customers or businesses. As an organization we had to be very aware that our network was up to date.”
A company’s staff might assume that its IT department is addressing these issues but the sign of a breach or threat might just appear on an individual employee’s computer. “They need to be vigilant in looking as well as reporting something that seems suspicious,” Potter says.
Copyright 2022 The Business Journal, Youngstown, Ohio.