Northwest Arkansas Democrat-Gazette
Small businesses on defense after Equifax breach
NEW YORK — The Equifax breach is reminding small business owners that they could be vulnerable to cybercriminals.
Companies that provide security and other technology services to small businesses say they’ve had an increase in calls from customers since Equifax revealed that the personal information of 143 million Americans had been exposed. The hack galvanized some owners into dealing with long-delayed problems.
“A customer called me today wanting to replace their one remaining XP computer,” says Bob Herman, owner of IT Tropolis, a tech service company in Fountain Valley, Calif. Microsoft stopped providing security updates for XP models three and a half years ago.
Small businesses often lag behind big companies in data security, not believing they might be targets. But 61 percent of the victims of breaches in 2016 were businesses with fewer than 1,000 employees, according to a Verizon survey. And experts say small companies are being targeted more because they don’t have the sophisticated defenses that big corporations do.
Still, Equifax says its systems were breached after it failed to correctly install a software patch designed to eliminate a vulnerability. Applying patches as soon as they’re available and watching for new ones are critical for a company to protect itself, experts say.
But many small business owners, sidetracked by other problems, don’t pay enough attention, says Diana Burley, a George Washington University professor whose expertise is internet security. Many don’t have staff members or vendors to monitor technology, and no plan to improve their security.
“When you’re in a crisis situation is not the time to develop a plan,” Burley says.
Small businesses can be harmed by cybercriminals in a variety of ways. Here are some companies’ experiences:
Towne & Country Building Inspection downloaded several apps to enhance the Google calendar the company uses for customer appointments. In July, owner Scot McLean noticed some glitches — an appointment might disappear, or show up on another day. The problems persisted for about a week, stopped and started again. Then suddenly, four weeks of appointments vanished.
McLean’s staff member in charge of technology determined that the apps were vulnerable to hacking, and someone was able to log in and erase the appointments.
“The hack cost us thousands of dollars in lost revenue,” McLean says. Towne & Country was able to re-create part of the calendar, but most of the appointments were lost. Some frustrated customers didn’t rebook, turning instead to other inspection services.
The Bayside, Wis., company eliminated all apps as well as plug-ins that added features. It changed its passwords and set up two-step verification, which requires a password and a single-use numerical code to log in.
Reuben Kats clicked on an attachment in an email nearly a year ago and soon found all the files of his website design business were encrypted and unable to be used. Grabresults.com was the victim of ransomware, or malicious software that hackers plant, hoping to extort money by holding a user’s files hostage until the hackers receive a ransom.
Kats avoided paying
because the Los Angelesbased company’s files were backed up on a secure online service. Although infected computers can be fixed by returning them to factory condition, erasing all contaminated files, he chose to buy a new one.
Kats realizes the culprit email had a phony address. Now he checks before he clicks.
“I make sure all emails are sent from the actual company domain name,” Kats says.
Hackers got into the website of Hyannis Whale Watcher Cruises in March 2016, just a month before the company’s seasonal boat trips were scheduled to start.
When website manager Melissa Marchand called the company that hosts the website, she learned there were 100,000 pages of pornography on the site. This was a crisis: 90 percent of the Barnstable, Mass., company’s tickets are sold online.
Marchand contacted a computer security company that began removing malware from the website, a process that took two days. By the third day, the cruise company was selling tickets again. Marchand estimates it took six weeks for the number of visitors to the site to return to normal.
“Fortunately, it was very early in the season. If this had happened in July, it would have been hundreds of thousands of dollars in revenue lost,” she says. The security firm now monitors the site, watching for signs of another attack.
Small businesses can become victims after hackers invade larger retailers such as Target or Staples and steal credit card data, or if information is stolen in other ways. A customer took a laptop to New York Computer Help in Manhattan for a screen repair and paid with a credit card, signing on an electronic signature pad. That night, owner Joe Silverman got a text from someone else asking why his card had been charged. The card was counterfeit, and Silverman was out $650.
Silverman says he’s careful with emails that likely have phishing links or that ask if he’ll do cash transactions, a hallmark of fraudsters. His website has safeguards against credit card crime. After this incident — not the first time he has been a fraud victim — Silverman and his staff are monitoring transactions closely, including sending test charges to card issuers to be sure a card is legitimate.
Managers at Boom-sourcing got a notification via one of its software programs in May that someone was trying to access its data without authorization. None of the business software company’s information was stolen, but “it woke us up to the vulnerabilities that a small business has,” manager David Hyde says.