The belief that small- and mid-sized business owners do not need to make cyber security a top priority is a dangerous misconception. At the AAMA Summer Conference, Larry D. Sjelin, Sr., chief of staff, Center for Infrastructure Assurance and Security, University of Texas at San Antonio, spoke about how cyber thieves have increasingly targeted small businesses over the last four years.
Viewing small businesses as a soft, easy mark compared with big companies that have invested heavily in network defenses, hackers launched 43 percent of their 2015 attacks against businesses with fewer than 250 workers. An astonishing 60 percent of such businesses will close after a cyberattack. Sjelin quoted CFO Magazine’s statistic that cyber criminals raked in an average of $32,000 from small business accounts.
Art of the Hack
Attacks take two primary forms: ransomware and data theft. Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system's screen or by encrypting the users' files until a ransom is paid. In 2015, targets of such attacks reported $24 million in losses.
Inventive cyber criminals are developing ever more robust “dark markets” for stolen data, including personal information, usernames and passwords. Weak security around data kept in the “cloud” has been a common source. All of this information has value; stolen credit card access information can be purchased for $10 to $35 per name, for example.
Hackers use many methods to obtain this information. Common practices include impersonating an authority figure (IT, an auditor, management) and email phishing (posing as a legitimate organization or website to trick someone into divulging confidential information or clicking a malicious link). And, Sjelin noted, a laptop is stolen every 53 seconds. Is there sensitive information about your business on yours, such as proposals, financial records, or client or employee information?
Protect Yourself: BCPs and DRPs
Despite the consequences, Sjelin reported that 87 percent of small businesses do not have a formal written internet security policy and 68 percent do not provide any formal cybersecurity training to their employees. Many small businesses have poor cybersecurity, lacking anti-phishing email measures, a chief cybersecurity officer, data encryption, or offsite backups of their websites.
He emphasized that it is important to have detailed cyber security policies and procedures documented and easily accessible to your employees. This includes a Business Continuity Plan (BCP) and/or a Disaster Recovery Plan (DRP).
A BCP should do the following:
- Address cyber awareness training for everyone
- Identify resources that could be lost at any time
- Detail methods of successfully recovering from those losses
- Provide for dedicated IT personnel
Cyber awareness should include training employees to spot suspicious activity; how, where and when to report these incidents; and to avoid social media and personal email on work computers, especially for those who directly handle customer or financial data.
A DRP spells out what to do in the event of loss of resources. It should consider the following:
- Identifying whether any data was compromised
- Restoring service as quickly as possible
- Notifying authorities as soon as possible
- Closing any holes in security uncovered or created by the disaster
A simple immediate step is to use longer, more complex passwords, which makes it harder for hackers to brute-force them; just don't write a password down where it is easily seen. Another is to back up everything and verify that the backup can actually be restored.
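To put numbers on the "longer and more complex" advice, the following script (an added example, not from the article or the speaker) computes the keyspace an attacker must search and the worst-case time to exhaust it. The guessing rate of 10 billion candidates per second and the sample password policies are assumptions chosen for illustration; adjust them for your own threat model.

```python
"""Added example: how password length and alphabet size drive brute-force cost.

Assumption (not from the article): an offline attacker guessing at
10 billion candidates per second, in the range of a GPU rig attacking a
fast, unsalted hash. Lower GUESSES_PER_SECOND to model a slow hash or a
rate-limited online login form.
"""
import math

GUESSES_PER_SECOND = 10_000_000_000  # assumed offline guessing rate
SECONDS_PER_YEAR = 365 * 24 * 3600

# Alphabet sizes an attacker has to cover when guessing blindly.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lower+upper": 52,
    "lower+upper+digits": 62,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int,
                     rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate / SECONDS_PER_YEAR


def min_length_to_match(alphabet_size: int, target_keyspace: int) -> int:
    """Smallest length whose keyspace over `alphabet_size` reaches `target_keyspace`."""
    length = 1
    while keyspace(alphabet_size, length) < target_keyspace:
        length += 1
    return length


def report(policies):
    """Return (label, bits, years) rows for a list of (label, alphabet, length)."""
    rows = []
    for label, alphabet, length in policies:
        size = ALPHABETS[alphabet]
        rows.append((label, round(entropy_bits(size, length), 1),
                     years_to_exhaust(size, length)))
    return rows


if __name__ == "__main__":
    # Sample policies (constructed for illustration).
    policies = [
        ("8 chars, all printable ASCII", "all printable ASCII", 8),
        ("12 chars, lowercase only", "lowercase", 12),
        ("16 chars, lowercase only", "lowercase", 16),
        ("20 chars, lower+upper+digits", "lower+upper+digits", 20),
    ]
    for label, bits, years in report(policies):
        print(f"{label:32s} {bits:6.1f} bits  {years:12.3g} years")
    # How many lowercase letters does it take to beat an 8-char "complex" password?
    print("lowercase length matching 8 printable-ASCII chars:",
          min_length_to_match(ALPHABETS["lowercase"], keyspace(95, 8)))
```

Under the assumed rate, an 8-character password drawn from all printable ASCII falls in about a week, while 12 lowercase letters already take longer and 16 take on the order of a hundred thousand years; adding characters grows the search exponentially, whereas widening the alphabet only changes the base. The estimate is for uniformly random passwords; dictionary words and predictable patterns are guessed far sooner than the keyspace suggests, which is why a password manager generating long random strings is the practical way to get these numbers.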
Essentially, Sjelin warns that “if data is digital, it’s at risk.” Whether on a private or public cloud, security policies must be a priority in the next year. It goes beyond the cloud, too—threats abound for local data as well. Hardware malfunctions, disgruntled employees, network outages and more stand to threaten local data.
Given that the goal for the bad guys is to make money as easily as possible, it all boils down to controlling not just what is in your digital wallet, but who has access to it.