A small-business service provider had called one of its employees to do a phone-based termination, and conferenced in an attorney as a witness, when he got an unpleasant surprise. “During the call, the small-business owner realized that his computer files were being deleted,” said Michelle Schaap, who focuses on cybersecurity and corporate matters as a member of the law firm Chiesa Shahinian & Giantomasi. “No one had thought to terminate the employee’s computer-access credentials.”
When people think about computer break-ins, large companies usually come to mind: Think of Marriott International, which revealed in December that a breach of its Starwood guest reservation database exposed the personal information of up to 500 million people. But small businesses are equally vulnerable, according to experts, with some reports indicating that small and medium-size enterprises (SMEs) account for 60 percent of cybercrime attacks.
Small businesses often “lack back-up and robust IP solutions,” noted New Jersey Institute of Technology Associate Professor Kurt Rohloff, a co-founder and director of the institution’s Cybersecurity Research Center. “This means these businesses can be especially impacted if their operations are disrupted by loss of IT services.”
Besides being an academic, Rohloff owns a data encryption business — Duality Technologies, which provides encryption and other services — located in NJIT’s VentureLink incubator. “I interact with other small business owners there, and my experience is that a lot of them think cybersecurity is someone else’s problem,” he said. “I ask them about their password and other data security practices, and they fall short.”
That can be an expensive mistake, since recovering from a hack costs an average of $400,000, according to a recent report from insurance company Chubb. “This high price tag can result in the catastrophic end for an SME,” according to the company’s research. “The hefty cost of repairing the business and its reputation is exacerbated by the disconcerting fact that cybercrimes are not rare events. An FBI report notes that since Jan. 1, 2016, 4,000 cyber incidents have occurred every single day — a 300 percent increase from the year before.”
Always playing catch-up
Attacks on small businesses typically target sensitive information, “like employee social security numbers, bank account information, or credit card numbers,” added Rohloff. “These attacks are often rooted in ‘phishing’ emails,” or other fraudulent activity like texts or copycat websites, which try to trick people into sharing valuable personal or company information.
The challenge for business owners and others is that “hackers are always improving, and the good guys in tech are always trying to catch up,” said James Barrood, president and chief executive officer of the NJ Tech Council. “There are a lot of targets, including businesses, individuals, and nonprofits. Technology is part of the answer, but we also have to address human behavior, like clicking on bad links and inadvertently letting an intruder in.”
Many business owners “think they’re too small and believe that a cyberattack won’t happen to them, but that kind of attitude can make you even more vulnerable,” noted Michael Karu, a member of CPA firm Levine, Jacobs & Co. LLC. “We get attacked approximately 1,000 times a day, but we have multi-level technological protocols, like two-factor authentication, and human security protocols to keep out intruders.”
Two-factor authentication usually requires two kinds of logins — like entering a password, and then entering a one-time code sent to a registered cellphone number — before a user can gain entry to a site. It’s helpful, but not always bulletproof, which is why businesses like Karu’s also carry cyber insurance coverage.
“Among other benefits, if a hacker does get into our system, the insurance will cover credit monitoring and other costs associated for anyone who’s affected by the break-in,” he said.
Karu chuckled as he recalled his own encounter with a would-be identity thief. “I got a phone call from someone who claimed to be from the IRS,” he said. “They said that I, of all people to pick — a CPA — owed the IRS $25,000. So I played along and asked if I could pay the amount in cash. Then I asked if, in the interest of safety, we could do the transaction at a local police station. The caller didn’t say a word, but just hung up.”