Cyberattacks are a huge and growing threat to small businesses—but there are ways to fight back

Inc. (USA) - FRONT PAGE

REBECCA MILLER OF PEGGY JEAN’S PIES, a bakery in Columbia, Missouri, woke up one morning last summer to a less-than-sweet surprise: Online searches for her shop’s website were leading potential customers to an X-rated destination. “Not just porn—like, capital porn,” recalls Miller, a former lawyer who runs the shop with her mother, Jeanne Plumley. “Really, really bad porn.”

It took her most of the day and several hundred dollars paid to a third-party vendor to clean up the mess. “Who in the world hacks a pie website?” she still wonders.

Lots of people, it turns out. While attacks on big companies like Yahoo and Target grab more headlines, entrepreneurs are almost as vulnerable: In 2015, 43 percent of cyberattacks were waged against small businesses, according to Symantec. “Small-business people don’t realize that the bad guys look at them as low-hanging fruit,” says Michael Cocanower, founder of Phoenix-based IT consulting firm itSynergy, which works with small and medium-size businesses. Fortunately, there are plenty of steps you can take to make yourself less vulnerable—or, if the worst happens, to fight back. —VICTORIA FINKLE

Educate your employees

Attacks are getting more sophisticated, but most breaches still occur because of human error. That’s why experts suggest training employees for threats early and often. “It’s not just the IT department, it’s not just the CEO—it’s everybody’s responsibility,” says Scott Schober, chief executive of Berkeley Varitronics Systems, a Metuchen, New Jersey–based wireless security tech firm.

Jesse Harrison, the founder of Los Angeles lender Zeus Legal Funding, learned that lesson the hard way in December 2015. When one of his workers clicked on an infected email saying she’d won the lottery, all of the company’s computers and locally saved files became locked within moments. The email contained ransomware that encrypted the contents, with the hackers demanding that Harrison hand over $600 to get them released.

Now Harrison regularly shows workers samples of real and fake emails, quizzing them on how they’ll react if something suspicious shows up in their inbox. “It’s important for them to know not only when an email is a scam, but also how the scam works from start to finish,” he says.

Set up advanced bank alerts

Rick Snow, founder of go-kart track Maine Indoor Karting in Scarborough, Maine, logged on to his bank account late one night only to discover it had been drained. Someone had initiated $15,000 in wire transfers to banks across the country. Banks aren’t required to offer the same protections to business accounts as they do personal accounts in cases of cyber fraud, so the money would have been irretrievable if the transfers had gone through. “That would have cleared out all of our positive cash flow,” says Snow. He was able to stop the transfers at his local bank the next morning, but if he hadn’t caught it in time, “we would have been in dire straits.”

You can request two-factor authentication—in which the bank must confirm the transaction via a code sent to your phone—for certain kinds of activities, such as wire transfers. Or you can even ask the bank to turn off some online capabilities altogether. “I don’t have to do wire transfers very often, so at the time I instructed my bank not to allow those unless I physically came into a branch,” says Cocanower.

Update your software weekly

It can feel like a hassle, but keeping your software up to date is crucial for warding off threats. Symantec estimates that more than three-quarters of legitimate websites have vulnerabilities that should be patched.

Miller now believes that malware infected her pie shop’s site through an attack on her web host. That’s a common vulnerability for small businesses, according to Schober, because third-party software and operating systems are constantly issuing security updates and patches that don’t install automatically. “It’s about staying on top of it,” he says. “If you don’t have that ability yourself, you’ve got to hire somebody to do that every week.”

Don’t trust just one backup

Keep your files in multiple places, including in cloud-based programs and external hardware not connected to your network. This guards against a few different kinds of disasters, including ransomware attacks that can deliberately target backup files. “If our building burns down, we’ve got our stuff in the cloud,” says Cocanower. But “normally we can go right to that onsite backup.”

After the Zeus Legal hack, Harrison realized he needed a better noncloud backup system—he now uses several external hard drives as well as an online drive to ensure he has access to what he needs. While he ultimately coughed up the ransom money, the hackers didn’t unlock his files—meaning Harrison had to spend days on the slow and frustrating process of redigitizing his paper files. “I had to re-create everything from scratch,” he says.

Illustration by MIGUEL PORLAN

RESCUE ME Cyberattacks, malware, and phishing scams can cost your business thousands of dollars.
