Friday, 5 July 2019

Silicon Valley Business Journal/Sean Teehan: Small-business owners can be prime targets for cyberattacks.

Tech gains, cyber pains

The same advances that help entrepreneurs start businesses can be used to cripple them. Here’s how to protect yourself and how to respond if you become the latest victim of a cyberattack.

By Sean Teehan – Contributing Writer
Jul 5, 2019, 6:48am PDT

Editor's note: This story is part of a special report on cybersecurity for small and midsized businesses. Read about the top Silicon Valley cybersecurity startups here; where to start your cybersecurity process here; and what to do if your business has been attacked here.

It didn’t take long for Rick Snow to realize he’d made a potentially devastating mistake for his business.

One day in 2008, the owner of Maine Indoor Karting in Scarborough, Maine, received an email from what appeared to be his bank alerting him to unusual activity on his business account. He clicked the link that accompanied the message.

“It looked almost identical to the bank website, except when you logged in, it didn’t do anything,” Snow said. “So I knew right away that something was wrong.”

Within five minutes, he contacted his bank, closed the account and set up a new one, which required him to order all new checks and deposit tickets, change all automatic payments, and take care of all the other tedious details that come with changing an account.

But the account through which Maine Indoor Karting paid for everything, including its 25 employees, was safeguarded because Snow had acted so quickly.

Or so he thought.

A few weeks later, on a Friday evening, Snow checked the account. It had been cleaned out. Somebody had taken every penny using multiple wire transfers to banks around the country in increments under $5,000, apparently so they wouldn’t set off any red flags.

“I was absolutely shocked,” Snow said. “I frantically started calling these banks that the money went to.”

Snow was able to contact his bank on Saturday morning to stop the transfers. If he hadn’t checked the account on Friday night like he did, he probably would have been unable to halt payment during the three-day window between when a wire transfer is made and when it clears.

Snow to this day isn’t sure how the follow-up attack happened, but experts say there’s a litany of ways the hacker could have done it, from using malware to intercept communications between Snow and his bank to something like Snow using a similar password for the new account, one the hacker was able to figure out.

Before all this, Snow never thought about cybersecurity for his small go-carting business, he said. But following these episodes and other attempted cyberattacks in the intervening years, it’s become an unfortunate focal point for him.

“It’s hours out of the day that I’m committing to doing things that are not running a go-cart track, which is what I want to do,” Snow said. “That’s the biggest issue; that it takes time away from all the other things that you need to do as a small-business owner.”

The scope of the problem

Technological developments like online banking and social-media advertising have become a boon for many small and midsized businesses. Internet-based resources can cut down on the amount of time business owners spend going to the bank and money spent on newspaper or other more-traditional advertising vehicles, generally streamlining much of an enterprise so that more attention can be paid to the actual business.

But while leaving a door unlocked so a cleaning crew can come in after hours might be convenient, it also enables criminals to walk in and rob you blind. And that’s essentially what businesses with no cybersecurity have done.

According to a 2018 report by multinational tech firm Cisco Systems Inc., 53 percent of midmarket businesses say they have experienced a cyberbreach. Cisco’s research also found that 20 percent of these businesses (defined as having between 250 and 499 employees) reported that these breaches cost them between $1 million and $2.5 million.

The Ponemon Institute, a Michigan-based group that conducts independent research on consumer trust, privacy, data-protection and emerging data-security technologies, similarly found in 2018 that 67 percent of small to midsized businesses (companies with between 100 and 1,000 employees) had experienced a cyberattack, with 58 percent reporting at least one attack in the past year. Additionally, the FBI’s Internet Crime Report for 2018 found that more than 350,000 cyberattacks cost upwards of $2.7 billion across businesses of all sizes last year.

The numbers are staggering, but there are simple things businesses of all sizes can do to protect themselves, said Hemanshu Nigam, CEO of SSP Blue, a Los Angeles-based cybersecurity and cyberconsulting company, and a former prosecutor for the U.S. Department of Justice’s Computer Crime and Intellectual Property Section.

“There are so many different ways to do basic security that are not complicated, that are easy, that are cheap to do,” Nigam said. “At this time in our digital age, you really don’t have an excuse for not doing basic security anymore.”

When it comes to small and midsized businesses, there can be a false sense of security among company owners in thinking there are bigger targets for cybercriminals to attack, said Marian Merritt, lead for industry engagement for the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology in Gaithersburg, Maryland. One of Merritt’s focuses within NIST is connecting small businesses to cybersecurity resources and alerting them to the fact that a company’s small size isn’t a sufficient deterrent for cyberbandits.

“Small businesses are vulnerable and are, in fact, a highly desirable target for cyberthreats simply because they may lack the resources to secure their environment,” Merritt said.

Phishing schemes are particularly common. In these cyberattacks, a bad actor sends an email that tries to get the person on the receiving end to click a link or enter some kind of information. The message might appear to be from your bank, as was the case for Snow, or a car insurance company or some other entity you deal with regularly. But taking the bait can give the cybercriminal access to accounts belonging to you or even control of your machine — which in turn could subject you to ransomware.

When a clicked link in a phishing email downloads ransomware, the cybercriminal can lock down your system and demand payment before allowing you to regain access. This can be especially disastrous to businesses when their systems to receive payments and send out payroll are compromised.

That’s why an important preventative measure every business should take is to back up all data both physically and on a cloud server, said David Ross, cybersecurity and privacy practices leader for public accounting and consulting firm Baker Tilly in Washington, D.C.

“If you have ransomware in there and you can’t access your data, you just wipe everything and restore it from backups,” Ross said. “You might be down a day or an hour or whatever it is, but that’s a reasonable mitigation, and that’s not that hard to do.”

It’s also prudent for small and midsized businesses that might not have the funds to hire a full-time cybersecurity staffer to enlist instead a third-party cybersecurity vendor, Ross said. Doing some due diligence and polling of other business owners about the best cybersecurity firms in a specific price range should turn up a quality, and affordable, option.

Cyberinsurance is another key measure. In some cases, it might be mandatory. For example, it’s required for doing business with certain larger firms that are wary of cybercriminals gaining access to their data through a smaller vendor, as happened to Target Corp. a few years ago when hackers gained access to its payment terminals and its customers’ credit card numbers through an HVAC company Target was using for its stores.

The coverage available under cyberinsurance plans varies by provider, as does the price, said Ari Vared, an executive whose background includes working as vice president at San Francisco-based CoverHound, which assists companies with cyberinsurance and other insurance coverage. Policies can provide access to not only a data-breach coach, but also to a lawyer and a public-relations firm to help in the aftermath of a cyberattack, Vared said.

Protection plans can come at a price almost any business should be able to afford, Vared added.

“We have some products that are as low as $10 per month. It depends on the type of business that you have and the type of coverage that you want to get,” he said.

A proper response

When it comes to mitigating cyberattacks, experts point to a framework developed by the National Institute of Standards and Technology as one possible best-practices offering. That NIST game plan features five steps:

    Identify: Before an attack, identify what data or systems are vulnerable or could be stolen.
    Protect: Safeguard data and systems with insurance and backups.
    Detect: Be aware of any anomalies in your systems to detect a cyberattack as quickly as possible.
    Respond: Take whatever action is necessary to stop the attack from continuing and contain the impact of the attack while managing communications with stakeholders like customers whose data may have been compromised.
    Recover: Restore the capabilities and services that were disrupted for your business during the attack.

The Respond step is an especially important one for companies to get right, said Nigam of SSP Blue. Nigam, who also during his career has handled corporate-crisis communications, said the most important aspect of a public-relations strategy following a cyberattack is to be as transparent as possible as early as possible.

“I’ve seen companies who decide to hide it and hope that nobody will find out, and then when it does get released — whether it’s six months or a year later or two years later — they find out how badly they have lost the trust of their customer, and it is not an easy thing to recover from,” Nigam said. He added that businesses sometimes must wait until they or law enforcement fully investigate and stop the attack so as not to prematurely tip off the criminal.

Reporting requirements for cyberbreaches vary by state, and there currently is no pertinent national law. However, if a company’s data breach impacts a customer in a state where the reporting requirements for businesses are more strict than the company’s home state, the company’s responsibilities likely will be gauged against those tougher, customer-state requirements, Nigam said.

In terms of lawsuits that could result after a breach, Nigam said one factor in determining liability is whether the breached business had taken steps in advance to protect its data.

“Most litigators are going to ask, ‘Did you take reasonable care in protecting the information of your customers?’” Nigam said. “If you say, ‘Well, I left everything open, and I even stored passwords in the clear,’ that is not reasonable care.”

Ultimately, for businesses considering their cybersecurity options, the process should boil down to risk management, said Michael Kaiser, a cybersecurity consultant in Washington, D.C., and former executive director of the National Cyber Security Alliance.

“If you’re going into business in general, it’s a risk: You have financial risk from the start, you have all kind of risks that you have to manage,” Kaiser said. “In cybersecurity, you want to make sure you’re making the right investment to protect the things that are the most important to you.”

Sean Teehan is a writer in Massachusetts. Reach him at spteehan@gmail.com.