October is National Cyber Security Awareness Month, and local businesses are encouraging greater vigilance by employees to reduce the soaring rate of cyberattacks on small and mid-size businesses.
“The threat of a cyber-attack on a small business is anything but overblown. Hackers count on employees at smaller organizations to be more easily fooled by malicious emails and online scams. The result is that ransomware attacks have soared,” said Mike Cohn, CEO of Summit Business Technologies.
“Most attacks begin at night or on weekends when they can run undiscovered for hours as they quickly encrypt large quantities of files,” he said. “As soon as someone tries to access an encrypted file, they are usually confronted with a brash, dangerous-looking screen meant to instill fear or anxiety in the user. Pirate, Halloween or radiation warning-type screens are common but many variations of warnings exist.”
Phishing emails and other types of hacking are harder to detect, because the perpetrator seeks to operate in stealth mode. “The hacker may want to use information obtained from fraudulent emails to attain some other goal, like access to your bank account passwords or a trove of private information,” said Cohn.
Summit’s program expands typical security awareness training into what Cohn calls “a more effective, longer-term service” intended to help employees retain security awareness over time. While training programs play a role, Summit’s model picks up where they leave off to reinforce security awareness until it becomes instinctive and second nature.
“Faced with so many types of potential attacks, as well as all the distractions we already face in everyday life, it is easy to lose that critical alertness in the weeks after typical training,” Cohn said. “The challenge is to retain and maintain a heightened level of alertness long after the initial training is completed.”
No business is too small for a cyberattack because cybercriminals don’t discriminate, and the vast majority of attacks are not specifically targeted, said Gina Abate, CEO of Edwards Performance Solutions, of Elkridge.
“First, cyber criminals strike vulnerable companies, whether they are small or large,” Abate said. “Second, if you have customers, is their information appealing to attackers, and could your systems be used to breach your customers’ systems?”
The first step is to understand your risk and then manage that risk appropriately for your business needs and size, she said.
Cybersecurity is not a “one-size-fits-all” discipline, but there is a common set of guidelines: The National Institute of Standards and Technology’s Cybersecurity Framework provides a structure for a cybersecurity program, with a set of outcomes aligned to five functions: identify, protect, detect, respond and recover.
“Your business needs and tolerance for risk will drive your approach and the plan you put in place,” said Abate.
Every company needs to have an established business continuity policy for its data that includes how the company will respond when it realizes the data has been compromised, said Jim Skillington, president of New Village Media, of Columbia.
“Once a cyberattack has been successful, it is important to stop the intrusions immediately. Hackers often share vulnerabilities they have found with others,” he said.
Skillington recalled when a client, a nonprofit that hosted its own websites, found that some of its website visitors reported picking up malware when visiting the site. “We investigated and found the site had been compromised and recommended it be taken offline and several temporary pages be posted until the site could be cleaned or replaced,” he said. “Not having an advance policy, the nonprofit staff debated what to do for nearly a week. That delay allowed additional hacks to occur, and the cost to fix the site skyrocketed.”
Skillington suggested using secure passwords and changing them regularly — and stressed not sending those passwords out via email or posting them in an obvious place in your office.
Also, “Don’t host your own website before linking it directly to your internal local area network,” he said. “Consider if you really have the capability to keep it secure.”
Backing up your data is vitally important as well, said Skillington and other business owners. “Regularly back up your website, your internal data and your emails. It is better to have to go back a month than to the beginning of time. Also, test that the backups can really be used to restore your systems.”
Finally, he said, keep all software current. “Don’t trust your [information technology] department or contractor that updates are being made,” he said. “Insist on seeing proof. Several recent large data breaches have been traced back to software patches not being made in a timely manner.”
No business is too small for an attacker, agreed Ellison Anne Williams, CEO of EnVeil, of Columbia. “If you have something of value — your data or assets — the attackers will try to break in and steal it,” she said. “Also, the perception is that small businesses do not have sufficient protective mechanisms in place and are therefore easier targets.”
Business owners might want to come from a place of knowing that attackers are breaking in and trying to steal their data, Ellison said.
“By practicing good data security and encrypting your data at rest, in transit and in use, you devalue the items that the attacker is breaking in to steal,” she said, “and thus deter an attack and make the ramifications of an attack of far less consequence.”