Amid the ongoing reports of massive data breaches and cybersecurity attacks, small businesses continue to struggle with protecting their internal networks and their customers’ personal information. A recent report from Continuum says that 77% of respondents expect to outsource at least half their cybersecurity needs over the next five years. Cyber attacks cost small businesses in the survey $53,987 on average, including $41,269 for companies with 10-49 employees. Five local experts came together in early September to discuss the challenges and offer solutions.
DBT: How has the landscape changed over the last few years?
John Boykin: I think one of the false narratives is companies that say, “We’re not an e-commerce company, this doesn’t impact us.” This impacts all businesses.
Jake Blacksten: A lot of our small businesses come to us and say, “Well, I’m just a mom-and-pop shop, I sell biscuits, so cybersecurity doesn’t apply to me.” If you take credit card information, you collect data, so it applies to everyone. We have to keep reminding small businesses that they’re not immune.
Keith Chisarik: I would say that cyber-attacks are much more sophisticated than they were a few years ago. Fighting them requires more expertise, training, education and diligence than ever.
Jim Garrity: It’s a lot like dynamite fishing right now. It’s very, very easy to penetrate environments so you have to make sure that you’re partnered up with people that can help you develop sound strategies.
Matt Denn: On the legal landscape, a lot of the change has been responsive to the comments that you just heard about the increased nature of the threat and the sophistication of the threat. Previously, a lot of the state statutes, including Delaware, were focused on the responsibilities of data holders after a breach occurred. There has been an increased focus, both on the statutory front and on the enforcement front, over the last couple of years, on what’s being done preventatively and what steps businesses and individuals are taking before a breach occurs to try to ensure that A) it doesn’t and B) that there can be an effective response, if it does.
What’s the fastest growing area of concern for businesses?
Boykin: Social engineering, where they’re not actively stealing your money and your funds but doing invoice manipulation or sending phishing emails where they’re actually tricking people into parting with their funds. We have people who are transferring hundreds of thousands of dollars to bank accounts that aren’t where the money is intended to go. What we’ll see a lot of times is someone getting into one of their vendors’ systems and then sending an ACH change information request, so when the client gets a legitimate invoice, they’ll pay it, but it’s going to a different bank account.
What do you advise people to do in that case?
Boykin: Have the appropriate insurance coverage that will indemnify them in that situation, but more important, create a policy/procedure that requires your team to confirm any outgoing ACH by phone.
Garrity: That was one of the big concerns of a new client recently. I walked into mortgage lending one day, and said, “OK, I’m brand-new. When do we get paid, every two weeks?” I was asking some very basic questions and then went to a different department and asked, who’s our payroll provider? I waited a couple of weeks and then one morning, I sent what looked like a legitimate ADP email about paychecks with a link so they could look at it online. But behind the scenes, the backend hyperlink went to another website. I had an internal web server that posted a page that said, “You’ve been hacked.” And, then our help desk started blowing up with calls.
Boykin: It’s attacking the human element. You can have all the technical capabilities in place, but we can’t get rid of the human element.
Chisarik: Roughly 90% of breaches occur through social engineering, spear-phishing or email attacks. I stress ongoing training with my clients. Many will provide training once per year, to comply with their insurance, but if a new employee comes on board, they miss the training session. Spear phishing is a targeted email attack designed to get you to either click on a link or give up some information, often through intimidation tactics. Fear is something that attackers use a lot. It’s like, “Hey, you’ve done something wrong,” and it says in the email, “If you don’t do this, your boss is going to find out, or we’re going to put it out on the internet that you were doing things that you weren’t.” They ignore all their training and it’s almost instinctual. It’s human nature to want to protect yourself, and people really prey on that.
Blacksten: Physical security is just as important as network security. Everyone trusts a person with a computer claiming to be IT. They walk right in and are granted access to everything simply because employees don’t have the proper training to verify a person’s credentials. We train on password security, email phishing, data segregation, but the most difficult part to overcome as humans is the over-willingness to trust people. Verifying that the IT person was called to fix your computers is key. Double-check that something is broken and needs fixing. We also find a lot of our small businesses are very eager to connect everything. They’re hooking up their cameras, door locks, lights, all on the same network they do business on. You name it, they’re hooking it up to Alexa or Google. If you don’t have a secure network, which small businesses usually don’t, then you are granting hackers access to everything. Small businesses want to offer public Wi-Fi, but they don’t separate it from their internal network. An attacker just has to connect to the free public Wi-Fi, then in one hop they are in the business network. Small businesses try to compete with the chains and offer all these amenities, yet they don’t have the experience nor the knowledge to combat the issues that could come with it.
Garrity: Creating separation from your own internal Wi-Fi is one thing, but guest Wi-Fi is still a responsibility for companies that offer it. If you walk into some coffee shops that aren’t particularly tech-savvy, a lot of times you’ll see a guest Wi-Fi network, but the easiest thing you could do as a technology professional is to start to scan that network to see who’s doing what. You can actually isolate each guest Wi-Fi user so that I can never scan anybody but myself and the outside internet.
Are any of the threats different for very small businesses?
Garrity: Take an up-and-coming brand-new company that’s got some intellectual property; that’s where it becomes really dangerous.
Chisarik: We’ve found that a lot of small businesses don’t even have the bare minimum of protection. It might be because they’ve got a friend or family member taking care of their security. And they often don’t even start because they think that this is going to be expensive. And it doesn’t have to be; there are even free resources available.