By Robert Lerose
Small and midsize business owners who think that only big-name companies like Equifax and Yahoo are at risk for data breaches are making a serious miscalculation. A 2015 report from cyber security firm Symantec found that 43 percent of cyber attacks were against firms with fewer than 250 employees. The results can be catastrophic: 60 percent of those small companies go out of business, according to the U.S. National Cyber Security Alliance.
Cyber attacks can take many forms. One of the most common is ransomware, malware that is activated when an employee clicks on a dubious link or downloads a file from an unknown party; it encrypts all the computers in a network and denies access to the company’s data until a ransom is paid.
Another kind of attack is a bank transfer request, in which an email that looks like it came from the company itself asks an unsuspecting employee to send money, which winds up in a hacker’s bank account. “They look like they’re from the CEO and they say not to call them because they’re on vacation and just to send the money right away,” says Rich Tehrani, CEO of Apex Technology Services with offices in New York City and Connecticut. “They’re very experienced in how to form these emails so they look really good.” He adds that employees should be alert for telltale signs of fraud, such as spelling that is off or an overseas address.
Tehrani says that the best way for businesses to protect themselves is to use trained experts, both an in-house expert and someone on the outside who can assess their systems regularly. “Make sure you have backups done every day and that they are stored in the cloud. Make sure backups have multiple versions of the backup,” Tehrani says. “We get calls from companies that say: ‘I do backups, but I just back up one day.’ If you got your ransomware yesterday, then your backups now have ransomware. You have to audit your backups.”
Employees need to have regular training on risk-reducing protocols at work. For example, they should never use the company’s email address for any of their personal or social media activities. Businesses should also have a plan in place before an attack happens to know how to respond efficiently and effectively. “Cyber security is not an IT problem,” Tehrani says. “It’s a business problem.”
Installing up-to-date solutions
Having the most up-to-date protection is a given. But according to CSID, a provider of identity theft and fraud detection systems, only 38 percent of small businesses regularly upgrade their software solutions—a major risk factor. For example, exploit kits are used by cyber criminals to look for vulnerabilities in outdated software and install damaging code or even bots.
“A bot is an Internet robot and it means your device has been compromised and can be controlled by some remote command center,” says Jim Krantz, founder of New York City-based Krantz Secure Technologies, a company that provides network infrastructure, IT security, and cloud solutions to small and medium-sized businesses. “There is an endless list of what can happen. They can potentially steal your data, get your passwords, have access to your bank account, maybe even listen to your conversations through your own PC mic or watch you over your PC web cam.”
Krantz says that companies should provide security awareness training for their employees, which is readily available from companies like Krantz and other tech firms, to instruct them in how to protect their company’s data and system integrity.
Besides having next-generation firewalls and backing up systems on- and offsite, Krantz recommends using GeoIP filtering, which allows you to block computer connections from certain geographic locations, such as hostile foreign countries, that you’re unlikely to communicate with regularly.
Two-factor authentication adds another layer of protection, Krantz says. Essentially, before a user can access a company computer, he or she must provide not only a name and password, but another piece of information that verifies his or her identity, such as a fingerprint or a code sent to a smartphone.
“If an executive of a smaller business has not been focused on cyber security, a good place to start is with a high-level security assessment to determine their risk level and prioritize remediation,” Krantz says. “Executives need to appreciate the importance of this and take ownership of getting this stuff in place.”