President Donald Trump called cybertheft “the fastest growing crime in the United States by far,” and it doesn’t show signs of slowing down.
Global cybercrime damage costs are predicted to hit $6 trillion annually by 2021, according to a report from CSO, and by 2020 more than 200 billion devices will be connected to the internet around the globe.
“As long as there are opportunities for people to steal identities and steal wealth, these cyberattacks will continue,” Columbia Mayor Steve Benjamin said. The mayor admitted he doesn’t have the answer, but said the key is continued vigilance.
While much of the news focuses on the major disruptions such as the “WannaCry” ransomware that affected more than 70 countries in mid-May, many hackers are setting their sights on smaller targets.
A January survey from Small Business Trends reported that 43% of cyberattacks last year came against small businesses, compared with 18% in 2011. The survey also reported that only 14% of small businesses are prepared to defend against an attack.
Five years ago, attacks against small businesses would probably result in no more than collateral damage, but that has changed dramatically, said Jason Greenwood, executive vice president of customer success at Vipre Security.
“With bad guys sharing code and creating tool kits, it’s enabling others to get in with very little expertise,” Greenwood said during a presentation at last month’s Cybersecurity Summit at the University of South Carolina Alumni Center. “As the barrier of entry drops, small markets are seeing more and more attacks. It’s definitely changed over time and it’s getting harder to defend.”
“Most small businesses are overwhelmed and under-resourced,” said Pete Seeber, CEO and co-founder of Rocus Networks, an IT security company. “It’s estimated that average cost of disruption to a small business after being hacked is upwards of $955,000.”
If you own a small business, then you are a target, Seeber said.
“You must have an incident response plan in place. We get phone calls all the time because a client has had a significant event, and they want us there right away,” Seeber said. “Even if it’s a basic response plan, know what organization to call, get the terms and conditions executed in advance and move on from the incident.”
Eric Goldstein, of the U.S. Department of Homeland Security, said the key is to know the risks involved when dealing with your business.
“We must remember that cybersecurity risk does not happen in a vacuum,” said Goldstein, who serves as branch chief of partnerships and engagement in the federal agency’s Office of Cybersecurity and Communications. “These are people breaking laws and causing damage. We have to think about making it harder for these people to commit crimes. Why might someone want your data? That helps you think about what to protect.”
Small business owners take on a certain responsibility when they acquire information from their employees, said Bess Hinson, an attorney with Nelson Mullins Riley & Scarborough. Names, Social Security numbers and driver’s license numbers are just some of the identifiable information owners are legally obligated to keep confidential.
According to the Small Business Trends survey, small business owners were most concerned with protecting customer records (66%), intellectual property (49%) and customers’ credit card and debit card information (46%).
Small business owners are usually attacked in one of two ways: through a web-based attack or through phishing. Web-based attacks focus on an application, while phishing focuses on a user.
Business e-mail compromise (phishing) involves hackers sending e-mails to employees posing as a boss or administrator. Most times they ask the person to wire money or pay a vendor, and immediately that money goes out the door.
Business e-mail compromise “is hard, because employees are doing this of their own accord, nobody is strong-arming them to make a payment,” said Ann Beauchesne, senior vice president for National Security and Emergency Preparedness at the U.S. Chamber of Commerce. “Many times these attacks can be avoided if the person just checks and verifies that the e-mail is legitimate. We caution people to slow down, take your time and be diligent.”
Fortunately, there are a few steps small business owners can take to help strengthen their security without calling a third-party service.
“Small business owners must understand what data they are actually holding,” said Mark Byers, director of product marketing at Fortinet. “Once you understand where the vulnerabilities are, you can start doing basic upgrades.”
Byers said one of the main ways to secure your business is to make sure the people in your organization are continuously changing passwords. According to a study done by Verizon PCI, almost 80% of data breaches involve guessed or stolen passwords.
Another key, according to Byers, is making sure the software applications on your employees’ computers are up to date. This includes anti-virus, desktop and operating systems. Byers said 90% of attacks can be stopped just by making sure everything is up to date.
“As your business gets larger, you will need additional services such as centralized firewalls and centralized anti-virus which can be done by a third-party provider,” Byers said. “These depend on each business’s operation and size of scale.”
Seeber said every small business should go through a security assessment, or health check, to see where they are and where they need to be. It’s an outside expert coming in to give you a road map of how to move forward.
“We do these assessments from a business risk perspective and also a technology perspective,” Seeber said. “You can’t effectively perform a security assessment without using the technology piece. At the end of the day, the bad guys are using the same technology available to us, and we have to defend ourselves with technology that’s layered in the right place and protects.”