While checking email, an employee of a small online retailer clicked a link, thinking it led to a popular shopping site. Instead, the entire company’s system became infected with CryptoWall malware.
Hackers now had access to customer accounts with information like credit card numbers and social security numbers, as well as names and addresses—everything needed to steal identities.
Soon the retailer received a demand for $50,000 in ransom money. If the company paid, it would receive a decryption key to unlock its system. Management couldn’t find any other way around the attack, so the ransom was paid. Then the key didn’t work. Eventually, this online business was forced to close because the owner couldn’t afford to rebuild his entire network system.
Know the Risks
Sixty percent of small businesses that experience a cyberattack close their doors after six months, reports the U.S. National Cyber Security Alliance. The cost for repair and recovery from an attack averages $690,000 for small companies and $1 million for medium-sized businesses, according to the Ponemon Institute.
Before a repair can be completed, much can be lost. Orders aren’t shipped, customers relying on product can’t wait and look elsewhere, and business is at a standstill. Cyber-attacks are a costly setback whether or not a company pays ransom.
“You’re never going to recapture that revenue,” states Andy Takacs, chief technology officer at Zumasys in Irvine, CA. “Maybe you’ll get the business back eventually, but you’ll never recover the business you lost because of the security breach.”
Size Matters
Owners and managers who think this will never happen to them—perhaps because their company is too small—should know hackers consider such businesses their best targets because many don’t have adequate or expensive security protection.
This is why it’s so important to have the necessary protections in place to prevent system breaches and reduce exposure, whether intentional or otherwise. It’s not a question of if it will happen, but when, according to Tom LaMantia, managing director and cofounder of Magenium Solutions in Glen Ellyn, IL, near Chicago.
Staying in Control
There are a number of safeguards businesses can take to make themselves less attractive to hackers or anyone intent on doing harm. Options include hiring a consultant who specializes in risk assessment or buying cyber security insurance coverage.
Assessing Risk
“A high-level risk assessment will probably cost about $2,500 to $5,000 for one or two days’ worth of work,” LaMantia says. “Then at least once a year have that person, or another one outside your business, assess your risk.”
The first visit will provide a baseline that can serve as the beginning of a risk remediation plan, spelling out vulnerabilities so they can be addressed and reduced.
At this point, LaMantia says, “You can begin to understand what to do should a breach occur.”
Insurance
LaMantia recommends buying cyber security insurance if customer data is a big part of a company’s intellectual property.
Cyber and privacy policies can cover company liability for a data breach when customers’ personal information is stolen.
Policies generally cover some costs associated with a data breach such as notification costs, credit monitoring, fines and penalties, and losses associated with identity theft. Unfortunately, LaMantia notes, such policies can be expensive.
John Ahlberg, founder and CEO of Waident Technology Solutions with locations in Illinois and Wisconsin, believes the coverage is worth the cost.
Should a breach occur, cyber insurance will at least cover some of the financial losses, which could be catastrophic depending on the size or scope of the breach.
Educating Employees
Another facet of security is educating employees. Ahlberg recommends using the tests at www.knowbe4.com as a first step in determining if employees are ‘risk-savvy’ or likely to click on phishing or malware emails.
KnowBe4 has some free options like the Phishing Security Test and a Domain Spoof Test, but also offers a deeper Security Awareness Training program.
“Educate your team on a consistent basis,” Ahlberg suggests. “Tell them stories (about what can happen), show them examples, and talk about security at staff meetings. Ask them to be cautious and think twice if something feels out of place.”
Examples include emails with photo links saying, “Check these out” or similar innocuous invitations. Employees should stop and think about whether the CEO or vice president would really send them photos while on vacation.
Almost all malware infections occur because a user clicked on a link or attachment in a message and ended up at a rogue website, Ahlberg says.
Rogue Senders & Ex-Employees
Another prevention measure is to pay close attention to email senders. Scammers know how to trick us, contends Takacs, and will register live working domains which won’t be filtered out by spam detectors.
Another ploy is using replicas of trusted domain names, altering just a letter here or there.
If employees are familiar with “wrightstrawberries.com” as an email sender, when “wrightstravvberries.com” shows up, it’s easy to miss.
Additionally, companies should print a list of who has access to the server and applications, notes Ahlberg. Review the list at least every six months to ensure only the people who need the logins are on it—not former associates who might still have access after leaving the company.
“For the most part, these suggestions cost very little beyond the time needed to execute, review, and educate,” points out Ahlberg. “They’re also easy to do and go a long way to protect your infrastructure.”
Terms & Definitions
Decryption key – this key, which may come in the form of a password, replaces encoded text with words you can understand.
Firewall – a function of the computer system that provides a barrier between internal and external networks, filtering out viruses and hackers.
Malware – short for malicious software, malware gains access to computers or systems to damage or immobilize them.
Phishing – emails that appear to come from authentic sources asking for personal information, including passwords and credit card numbers.
Ransomware – a type of malware that halts systems until users pay a ransom.
Spyware – computer software installed on a computer without the user’s knowledge to capture data like user names, passwords, and credit card numbers.
Two-factor authentication – sometimes shortened to 2FA, this is a second layer of security beyond just using a password to verify identity.
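The lookalike-domain ploy described in the rogue-senders section above (“wrightstravvberries.com” standing in for “wrightstrawberries.com”) can be caught automatically rather than relying on every employee to spot it. The following is an added example written for this article, not code from the article or from the firms quoted in it. It assumes a hypothetical allowlist of trusted sender domains (the article’s example domain plus one constructed entry), a constructed starter list of lookalike character sequences, and constructed sample From: headers. It compares the real sending domain, not the display name, against the allowlist using both confusable-character normalisation and a small edit distance, so it also flags near misses such as a dropped or swapped letter.

```python
from email.utils import parseaddr

# Hypothetical allowlist of sender domains the staff deal with regularly.
# The first entry is the domain the article uses; the second is constructed.
TRUSTED_DOMAINS = {"wrightstrawberries.com", "example-supplier.com"}

# Character sequences that look alike in common fonts: (lookalike, what it
# imitates). Constructed starter list, not exhaustive.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def normalize(domain: str) -> str:
    """Collapse lookalike sequences so 'wrightstravvberries' reads as 'wrightstrawberries'."""
    d = domain.lower().strip()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the usual two-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display name.
    A display name that merely looks like a trusted address is a common trick,
    so only the part after '@' in the actual address is examined."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for an exact allowlist match, 'lookalike' for a near miss,
    'unknown' for everything else (unknown is not bad, just not vouched for)."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for good in trusted:
        good_norm = normalize(good)
        if norm == good_norm or levenshtein(norm, good_norm) <= max_distance:
            return "lookalike"
    return "unknown"


def review_headers(headers):
    """Run the check over a batch of From: headers; returns (domain, verdict) pairs."""
    return [(sender_domain(h), classify_sender(h)) for h in headers]


# Constructed sample headers for a stand-alone run.
SAMPLE_FROM_HEADERS = [
    '"Orders" <orders@wrightstrawberries.com>',              # genuine partner
    "orders@wrightstravvberries.com",                        # vv standing in for w
    "billing@wrightstrawberrys.com",                         # two edits away
    '"orders@wrightstrawberries.com" <x@attacker.example>',  # trusted-looking name, other address
    "news@shopping-deals.example",                           # simply unknown
]

if __name__ == "__main__":
    for domain, verdict in review_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {domain}")
```

A “lookalike” verdict is a reason to quarantine or at least warn, whereas “unknown” only means the domain is not on the allowlist; the two should be handled differently so that legitimate new correspondents are not blocked. The confusables list and the edit-distance threshold are the tuning knobs: a threshold of 2 already catches most single-character swaps on a domain of this length without matching unrelated domains.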
Password Protection and Authentication
Of course, hackers can also break ‘weak’ passwords. These days, with so many devices and services requiring passwords, users have more than they can remember for both personal and work applications.
So most create passwords from meaningful names, dates, and words and tend to reuse them, or modify them by adding a letter or symbol to the beginning or end.
This is a bad move as hackers can easily break these patterns, but will have a much tougher time getting to information if all the passwords are different.
Creating Better Passwords
Employees should create strong passwords with a variety of letters and numbers, and change them often, usually every three months or so.
The definition of a ‘strong’ password, however, varies, as some believe length trumps complexity.
Ahlberg thinks passwords should be at least eight characters long, include both upper and lower case letters and special characters (e.g., dollar signs, ampersands, exclamation points), and should not be dictionary words.
Takacs recommends passwords be 14 or 15 characters long and, he chides, never reuse a password across any two services, such as Facebook, a bank, or a work account. “Not having a good password policy is a mistake many companies make,” he confirms.
For those struggling with the sheer volume of passwords, there are tools available to help. Password managers will not only store passwords but create them, so users only have to remember the password to get into the program. Some programs are free, such as LastPass and Dashlane.
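The rules Ahlberg and Takacs describe above can be enforced at the moment a password is set, rather than left to memory. The following is an added example written for this article, not code from the article or from the firms quoted in it. It assumes a constructed stand-in word list and a constructed history of earlier password digests; it checks length (Takacs’s 14 characters), the character mix (Ahlberg’s rules plus digits), the “familiar word with a symbol tacked on” pattern the article warns about, and reuse of an earlier password.

```python
from __future__ import annotations

import hashlib
import string

# Constructed stand-in for a real word list. A deployment would load a large
# dictionary and, ideally, a list of passwords known from public breaches.
COMMON_WORDS = {"password", "strawberry", "welcome", "summer", "letmein", "company"}


def history_hash(pw: str) -> str:
    """Digest kept in the reuse history. SHA-256 is used here only to keep the
    example dependency-free; stored credentials belong in a slow, salted
    password hash (bcrypt, scrypt or Argon2), never a bare SHA-256."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def core_word(pw: str) -> str:
    """Strip the 'decoration' people add to a familiar word (leading and
    trailing digits and symbols) so 'Strawberry1!' reveals its base word."""
    return pw.lower().strip(string.punctuation + string.digits)


def check_password(pw: str, min_length: int = 14, previous_hashes=frozenset()) -> list[str]:
    """Return the policy rules the password violates; an empty list means it passes."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no special character")
    if core_word(pw) in COMMON_WORDS:
        problems.append("dictionary word with only leading/trailing decoration")
    if history_hash(pw) in previous_hashes:
        problems.append("reused password")
    return problems


if __name__ == "__main__":
    # Constructed history: the user's previous password, kept only as a digest.
    history = {history_hash("Orchard-Moon-Lantern-42")}
    for candidate in ["Strawberry1!", "orchardmoonlantern42",
                      "Orchard-Moon-Lantern-42", "Quiet-Harbor-Kite-77"]:
        verdict = check_password(candidate, previous_hashes=history) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The decoration check is what distinguishes this from a plain character-class test: “Strawberry1!” satisfies every class rule yet is rejected because its core is a common word, which is exactly the reuse-and-modify habit the article describes. The history set only needs to hold digests of old passwords, never the passwords themselves.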
Takacs also recommends using two-factor authentication for account logins, which adds a second level of security. Examples include the personal identification number (PIN) used with some debit cards, bank accounts, or phones, or a fingerprint.
Other logins will send users an email or text to confirm identity before granting access to sensitive information.
Always Update
Logically, having the latest security software, operating system, and web browser provides layers of defense against malware, viruses, and other threats. And a crucial part of this protection is always updating applications when prompted to do so.
“Update Windows and any other business application used on a regular basis,” instructs Ahlberg. Further, he notes, “make sure those updates took place, ask for status reports.”
Outdated operating systems are a major no-no, as they no longer receive Microsoft’s security updates. Just as dangerous is not staying current on new system patches that protect PCs from viruses, spyware, and other attacks.
A perfect example was the WannaCry malware attack that affected users in more than 100 countries last May. Those who had applied Microsoft’s Windows patches released in March were spared; others were forced to pay a bitcoin ransom to counteract the infection.
Victims who had complete backups of their files were also better off, and it goes without saying that files should be regularly backed up, with data stored in the cloud or offsite.
Put Up a Firewall
Another line of defense is a firewall to prevent hackers from gaining access to data on private networks. Firewall efficacy should be checked regularly and any employees working offsite should have protective measures in place.
“Your firewall needs to be current and licensed for perimeter antivirus (services),” explains Takacs.
“Most newer generation firewalls can scan incoming traffic for virus signatures,” adds Takacs. “Sometimes referred to as ‘next-gen’ or UTM (unified threat management) firewalls, they can employ a variety of protection services such as antivirus, web application filtering, intrusion detection, etc.”
End Notes
In sum, there are many ways to protect your business from security risks. Eliminating as many risks as possible is the best course of action—including educating employees and vigilance in maintaining an aligned security strategy throughout the company.
Hiring an expert or buying specialized insurance are also options worth pursuing. Doing so not only increases security but saves money down the road by lowering the risk of a hack or breach, and of a costly system repair.
As the old adage says, an ounce of prevention is worth a pound of cure.