For small business owners, protecting against cyberattacks has never been more urgent, or more challenging. Even as awareness of threats like ransomware, malware and phishing has grown, a recent Small Business Administration survey found that almost 90% of small business owners felt they were vulnerable to a cyberattack, with many lacking the security infrastructure to keep their systems safe.
“With cyberattacks happening on a daily basis, businesses of all types and sizes must be able to detect and stop attacks. No organization is off limits,” says Wayne Scarano, founder of sga.com, referencing Verizon’s 2019 Data Breach Investigations Report, which ties 43% of breaches to small businesses.
“From the perspective of the attacker, they want to exploit victims as easily as possible by using existing tools and technologies,” he says. “That is why it’s important to have a minimum baseline protecting your assets from common threats; force the attackers to work harder to break in, and when they’re in, make it more difficult for them to exploit your critical data.”
One of the main reasons cyber crime is rising so fast is that perpetrators continue to come up with new and innovative ways to exploit their victims’ vulnerabilities. Scarano quotes the “Sophos 2020 Threat Report,” which advises, “You can’t defend against what you can’t understand.” Whereas five years ago hackers attacked from a designated IP address that would eventually get blacklisted, they are now renting VPNs (Virtual Private Networks) and can change their IP address at any time – and instantly. “They’re smarter and more nimble than ever, and they’re able to do a lot of things without being caught,” says Tony Wittock, director of technology at Cyber Security Consulting Ops (CSCO-IT.com) in Mount Laurel.
According to Wittock, cyber criminals prey on companies whose firmware/software is out of date, which makes it vital for businesses to get regular updates – particularly prime targets such as medical facilities, financial companies, law offices and others. The federal government recommends businesses get a yearly assessment, though the frequency can be every quarter (90 days), based on regulations for your organization. Because of their high breach rate, medical providers should get an assessment every 90 days, Wittock says, and those in the banking industry, probably every week.
“Medical offices are a favorite target, since medical data is highly valuable on the black market,” he says. “You have to make sure you have cybersecurity that identifies when an IP address is in your system. If you’re not doing that, you’re doing a bad job – and that’s where a lot of small businesses are falling short.”
Most experts agree ransomware is one of the most dangerous threats to small businesses today, as it freezes access to data unless you pay a ransom demand. Ransomware is almost always delivered by a “phishing” e-mail that gets the recipient to open an attachment or web link. Getting a really good e-mail/web filter can help, but it’s also important to warn employees against opening e-mail attachments they don’t recognize, as these can be used to release a virus into the company’s system.
Manfred Minimair, Ph.D., a professor in the Department of Mathematics and Computer Science at Seton Hall University in South Orange, says these social-engineering attacks, or phishing – where users give away personal or institutional information that allows attackers to penetrate the institutional networks more easily – are the greatest threat to small businesses today.
The educational community is similarly vulnerable, as there are a large number of users – including students and staff – who may not always be aware of threats. Apart from phishing and other social-engineering attacks, research equipment that is connected to the Internet may also be vulnerable. However, most educational institutions have an IT staff responsible for reaching out to the campus community and educating it about threats. Small businesses often don’t have that luxury.
“It happens very easily that someone clicks on a web link contained in an e-mail or on a website, is sent to a fraudulent site that looks legitimate, and provides sensitive information,” Minimair says. “I think there is the ongoing need for enhancing (employee) awareness.”
Rashaad Bajwa, president/CEO of Domain Computer Services (go-domain.com) in Cranbury, specifically warns against BEC (Business E-mail Compromise), where a hacker spoofs the identity of the CEO or other executive and gets an employee to wire money to a false account. With so many employees active on LinkedIn and other social media, it’s very easy for cyber criminals to find out detailed information about company executives to make these fake e-mails seem legitimate.
“This type of hack is often not covered by cyber insurance, which makes it even more devastating,” Bajwa says. “Always confirm with a back channel that the directive came from the CEO. A business needs to put a policy in place that it will never wire funds based on an e-mail.”
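The BEC pattern described above (an executive’s identity spoofed in the display name, replies steered to an attacker-controlled mailbox) can be given a first technical check on the receiving side. The following is an added example, not code from the article or from any firm quoted in it: a small rule that flags a message whose sender display name matches a known executive while the sending address or Reply-To falls outside the company’s domain. The company domain, the executive roster and the sample headers are constructed assumptions for illustration; the rule is a complement to, not a replacement for, the back-channel confirmation and no-wire-by-e-mail policy Bajwa recommends.

```python
"""Executive-impersonation (BEC) check over parsed mail headers.

Added example; the domain, roster and sample messages below are constructed
for illustration and are not taken from the article.
"""
from email.utils import parseaddr

# Assumed company domain and executive roster (constructed, hypothetical).
COMPANY_DOMAIN = "example-dental.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-dental.com",
}


def _normalize(name):
    """Lower-case and collapse whitespace so 'Jane  Doe' and 'jane doe' match."""
    return " ".join(name.lower().split())


def _domain(addr):
    """Return the domain part of an e-mail address, lower-cased ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_bec(headers):
    """Return a list of human-readable reasons the message looks like
    executive impersonation. An empty list means this rule found nothing.

    `headers` is a dict of raw header values, e.g. {"From": ..., "Reply-To": ...}.
    """
    reasons = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    _reply_name, reply_addr = parseaddr(headers.get("Reply-To", ""))

    name = _normalize(from_name)
    if name not in EXECUTIVES:
        return reasons  # display name does not claim to be an executive

    # 1. Executive name but the address is not in the company's domain.
    if _domain(from_addr) != COMPANY_DOMAIN:
        reasons.append(
            f"display name '{from_name}' matches an executive but the sender "
            f"domain is '{_domain(from_addr)}'"
        )
    # 2. Right domain, but not the address on record for that executive.
    elif from_addr.lower() != EXECUTIVES[name]:
        reasons.append(
            f"display name '{from_name}' matches an executive but address "
            f"'{from_addr}' is not the one on record"
        )

    # 3. Replies would leave the company regardless of the From address.
    if reply_addr and _domain(reply_addr) != COMPANY_DOMAIN:
        reasons.append(
            f"Reply-To '{reply_addr}' routes replies outside {COMPANY_DOMAIN}"
        )
    return reasons


# Constructed sample messages (not real mail).
SAMPLE_LEGIT = {"From": "Jane Doe <jane.doe@example-dental.com>"}
SAMPLE_EXTERNAL = {"From": "Jane Doe <jane.doe@freemail.example>",
                   "Subject": "Urgent wire transfer needed today"}
SAMPLE_LOOKALIKE = {"From": "Jane Doe <jane.doe@example-dental.co>"}
SAMPLE_REPLYTO = {"From": "Jane Doe <jane.doe@example-dental.com>",
                  "Reply-To": "ceo.jane@freemail.example"}
SAMPLE_WRONG_MAILBOX = {"From": "Jane Doe <j.doe@example-dental.com>"}
SAMPLE_UNRELATED = {"From": "Dental Supply Co <orders@supplier.example>"}


if __name__ == "__main__":
    for label, msg in [("legit", SAMPLE_LEGIT), ("external", SAMPLE_EXTERNAL),
                       ("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLYTO),
                       ("wrong mailbox", SAMPLE_WRONG_MAILBOX),
                       ("unrelated", SAMPLE_UNRELATED)]:
        print(label, "->", check_bec(msg) or "ok")
```

The rule is deliberately narrow: it only fires when a message claims an executive’s name, so routine external mail produces no noise, and it reports every reason it finds rather than stopping at the first, which helps an employee or administrator see why a message was held. A flagged message should be routed to the same out-of-band confirmation step the policy already requires, not silently dropped.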
Even as awareness of cyber crime has spread in the small business community, many companies think a comprehensive solution is beyond their financial reach. However, according to Bajwa, protecting your business can run as little as a couple hundred dollars a month – a drop in the bucket compared to the cost of a major breach.
For example, Domain recently got a call from a New Jersey-based dentist’s office that had been hacked, which cost the company $250,000 in downtime, plus the $8,000 they had to pay Domain to retrieve information on scheduling, medical records, x-rays, and more. “When they had set up their office, they relied on a friend of one of the partners who worked in computers, but really didn’t know about securing a small business,” Bajwa says. “In hindsight, they’re realizing getting the right resources to do the right job is a lot more economical in the long term than trying to jerry-rig something yourself.”
Wittock suggests shopping around and finding a company that gives you an assessment or penetration test from the outside in, looking first at your IP address and web applications, including the cloud configuration to store data. Cyber Security Consulting Ops’ fees start at a little over $1,000 for an initial assessment, which he says is reasonable given the time invested.
“We realize most small businesses are surviving with very narrow margins, and we tailor our pricing to address that,” Wittock adds.
Scarano hesitates to put a price on cybersecurity, saying, “It should cost what it takes to protect the assets you care about.” He poses these questions: What would you pay to recover destroyed or encrypted data? Do you have access to or store individual, corporate or government data? If compromised, what is your liability? He suggests hiring an expert to help you understand your vulnerabilities and possible remedies.
“Know your risks and understand the likely threats. Then implement precautions,” he says. “It doesn’t have to be expensive, and simplicity is best. Complexity is the enemy of security.”
Most experts agree that as hackers continue to become more sophisticated, small businesses will increasingly turn to AI-based solutions that spot malicious behavior and protect assets.
“The cybersecurity industry and academic researchers try to develop methods based on artificial intelligence/machine learning to automatically detect ongoing attacks and intruders,” Minimair says. “However, defenders often have to play catch-up because cyber criminals tend to be inventive, coming up with new ways of exploiting software vulnerabilities and hiding their activities.”
As Wittock puts it, “You have to fight fire with fire.” He points to top cybersecurity companies like Cisco, Palo Alto Networks and others that have implemented AI to help governments fight back against sophisticated attacks.
“They’re working on artificial intelligence solutions, including a smart firewall to realize when someone is trying to take data from your system,” he says. “AI is just going to get more important in cybersecurity to protect assets.”
Bajwa also points to the importance of educating yourself and your employees about cyber crime and how to defend against it – especially when it comes to Business E-mail Compromise. “It’s an old saying now, but still the most significant: the most important and effective firewall is the human firewall,” Bajwa says, adding that a small investment with a cybersecurity company can also go a long way.
“We’d much rather see a company come to us in advance so they can keep things from happening. We can help shovel the garbage after it’s happened, but we’d rather keep the garbage out in the first place.”