HOW TO PREVENT A HACK ATTACK
Cyberattacks are a huge and growing threat to small businesses—but there are ways to fight back
REBECCA MILLER OF PEGGY JEAN’S PIES, a bakery in Columbia, Missouri, woke up one morning last summer to a less-than-sweet surprise: Online searches for her shop’s website were leading potential customers to an X-rated destination. “Not just porn—like, capital porn,” recalls Miller, a former lawyer who runs the shop with her mother, Jeanne Plumley. “Really, really bad porn.”
It took her most of the day and several hundred dollars paid to a third-party vendor to clean up the mess. “Who in the world hacks a pie website?” she still wonders.
Lots of people, it turns out. While attacks on big companies like Yahoo and Target grab more headlines, entrepreneurs are almost as vulnerable: In 2015, 43 percent of cyberattacks were waged against small businesses, according to Symantec. “Small-business people don’t realize that the bad guys look at them as low-hanging fruit,” says Michael Cocanower, founder of Phoenix-based IT consulting firm itSynergy, which works with small and medium-size businesses. Fortunately, there are plenty of steps you can take to make yourself less vulnerable—or, if the worst happens, to fight back. —VICTORIA FINKLE
Educate your employees
Attacks are getting more sophisticated, but most breaches still occur because of human error. That’s why experts suggest training employees for threats early and often. “It’s not just the IT department, it’s not just the CEO—it’s everybody’s responsibility,” says Scott Schober, chief executive of Berkeley Varitronics Systems, a Metuchen, New Jersey–based wireless security tech firm.
Jesse Harrison, the founder of Los Angeles lender Zeus Legal Funding, learned that lesson the hard way in December 2015. When one of his workers clicked on an infected email saying she’d won the lottery, all of the company’s computers and locally saved files became locked within moments. The email contained ransomware that encrypted the contents, with the hackers demanding that Harrison hand over $600 to get them released.
Now Harrison regularly shows workers samples of real and fake emails, quizzing them on how they’ll react if something suspicious shows up in their inbox. “It’s important for them to know not only when an email is a scam, but also how the scam works from start to finish,” he says.
Set up advanced bank alerts
Rick Snow, founder of go-kart track Maine Indoor Karting in Scarborough, Maine, logged on to his bank account late one night only to discover it had been drained. Someone had initiated $15,000 in wire transfers to banks across the country. Banks aren’t required to offer the same protections to business accounts as they do personal accounts in cases of cyber fraud, so the money would have been irretrievable if the transfers had gone through. “That would have cleared out all of our positive cash flow,” says Snow. He was able to stop the transfers at his local bank the next morning, but if he hadn’t caught it in time, “we would have been in dire straits.”
You can request two-factor authentication—in which the bank must confirm the transaction via a code sent to your phone—for certain kinds of activities, such as wire transfers. Or you can even ask the bank to turn off some online capabilities altogether. “I don’t have to do wire transfers very often, so at the time I instructed my bank not to allow those unless I physically came into a branch,” says Cocanower.
Update your software weekly
It can feel like a hassle, but keeping your software up to date is crucial for warding off threats. Symantec estimates that more than three-quarters of legitimate websites have vulnerabilities that should be patched.
Miller now believes that malware infected her pie shop’s site through an attack on her web host. That’s a common vulnerability for small businesses, according to Schober, because third-party software and operating systems are constantly issuing security updates and patches that don’t install automatically. “It’s about staying on top of it,” he says. “If you don’t have that ability yourself, you’ve got to hire somebody to do that every week.”
Don’t trust just one backup
Keep your files in multiple places, including in cloud-based programs and external hardware not connected to your network. This guards against a few different kinds of disasters, including ransomware attacks that can deliberately target backup files. “If our building burns down, we’ve got our stuff in the cloud,” says Cocanower. But “normally we can go right to that onsite backup.”
After the Zeus Legal hack, Harrison realized he needed a better noncloud backup system—he now uses several external hard drives as well as an online drive to ensure he has access to what he needs. While he ultimately coughed up the ransom money, the hackers didn’t unlock his files—meaning Harrison had to spend days on the slow and frustrating process of redigitizing his paper files. “I had to re-create everything from scratch,” he says.
RESCUE ME Cyberattacks, malware, and phishing scams can cost your business thousands of dollars.