An employee at a small Florida-based manufacturer clicked a link in what seemed to be a legitimate email, but actually unleashed a ransomware attack. Malicious software locked up the business's files, and was followed by a message demanding payment for the data's release.
“I met the business owner at a national cybersecurity conference where we presented,” said Daniel Eliot, director of small business education at the National Cyber Security Alliance (NCSA). “He met the demand and was fortunate enough to get his data back, but it was unsettling.”
It may have also been preventable. But that takes some planning, according to experts. “Don’t wait until you’re attacked to plan your defenses or responses,” said Eliot. “There are technological defenses, but you also have to train your employees in best practices.”
If a ransomware or other cyber-attacker does get through, “Your first step should be to isolate the infected computer from your network to limit the damage,” he noted. “Then, contact a cybersecurity expert — you should already have one either on payroll or as a third-party provider — and consult with them. If you have cybersecurity insurance [and you should], advise them of the breach. Finally, contact your attorney, because you may be responsible for notifying a variety of parties about the breach, and going through your lawyer may allow you to preserve confidentiality because of attorney-client privilege.”
Potentially devastating fallout
Small businesses can be targeted “not only for their information, but because they may be a gateway to larger companies,” said Jaideep Vaidya, a Rutgers University management science and information systems professor. “That’s what happened in the massive Target breach,” when digital credentials — reportedly hacked from a third-party HVAC vendor — were used to get into the retailer’s systems, snatching payment and personal information from millions of customers.
The fallout from a hack like that can decimate a small business, he warned. “Once customers find out — and they likely will, depending on state-level breach reporting requirements — they may abandon you.”
But securing the vaults doesn’t have to break a small business’ budget. A good defense will comprise multiple layers, he said, including commercially available — and relatively inexpensive — antivirus software, in addition to a firewall that can help shield a system from unauthorized access.
“Best practices include choosing complicated passwords, and changing them periodically,” he said. “Multifactor authorization [after a password is entered, a separate code will be sent to a mobile device, and that must be entered too] also enhances security. Additionally, software can be configured to automatically accept security updates, which are an important safety factor.”
If your website accepts payments, “ensure you’re compliant with Payment Card Industry Security Standards,” added Vaidya. If a ransomware or other attacker does get through, “periodic data backups, which are also not expensive and can be easily automated, can help you get back up and running.”
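Vaidya's point that backups are cheap to automate is only half the story: a backup nobody has restored from is an assumption, not a recovery plan. The following is an added example, not code from the article or from any vendor it names. It snapshots a directory into a timestamped archive, records a SHA-256 manifest, restores the archive into a scratch directory to verify every file, and retires older copies only after the new one verifies. The `RETENTION` count, the `backup-<stamp>` naming and the sample file tree in `demo()` are all assumptions constructed for the example.

```python
"""Verifiable, self-pruning directory snapshots (added example; not the article's or any vendor's code)."""
import hashlib
import json
import tarfile
import tempfile
import time
from pathlib import Path, PurePosixPath
from typing import Dict, List, Optional

RETENTION = 7  # snapshots to keep; an assumed policy, not something the article specifies


def sha256_file(path: Path) -> str:
    """Hash a file in 64 KiB chunks so large files never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest_path(archive: Path) -> Path:
    """backup-<stamp>.tar.gz -> backup-<stamp>.manifest.json in the same directory."""
    return archive.with_name(archive.name[: -len(".tar.gz")] + ".manifest.json")


def make_snapshot(source: Path, dest: Path, stamp: Optional[str] = None) -> Path:
    """Pack every regular file under `source` into dest/backup-<stamp>.tar.gz and
    write a manifest mapping each relative path to its SHA-256 beside the archive."""
    dest.mkdir(parents=True, exist_ok=True)
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S")
    archive = dest / f"backup-{stamp}.tar.gz"
    manifest: Dict[str, str] = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                rel = path.relative_to(source).as_posix()
                manifest[rel] = sha256_file(path)
                tar.add(path, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest, indent=1))
    return archive


def verify_snapshot(archive: Path) -> bool:
    """Restore into a scratch directory and compare every file with the manifest.
    Any missing file, hash mismatch, or unsafe member name fails verification."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            for member in tar.getmembers():
                name = PurePosixPath(member.name)
                # Refuse absolute names or '..' so a crafted archive cannot write outside scratch.
                if name.is_absolute() or ".." in name.parts:
                    return False
            tar.extractall(scratch)
        for rel, expected in manifest.items():
            restored = Path(scratch) / rel
            if not restored.is_file() or sha256_file(restored) != expected:
                return False
    return True


def prune_old_snapshots(dest: Path, keep: int = RETENTION) -> List[Path]:
    """Delete archives (and manifests) beyond the newest `keep`; stamps sort chronologically."""
    archives = sorted(dest.glob("backup-*.tar.gz"))
    for old in archives[:-keep] if keep > 0 else archives:
        old.unlink()
        manifest_path(old).unlink(missing_ok=True)
    return archives[-keep:] if keep > 0 else []


def run_backup(source: Path, dest: Path, stamp: Optional[str] = None, keep: int = RETENTION) -> dict:
    """One scheduled run: snapshot, verify, and only then retire older copies.
    A snapshot that fails verification is kept for inspection and nothing is pruned."""
    archive = make_snapshot(source, dest, stamp)
    ok = verify_snapshot(archive)
    remaining = prune_old_snapshots(dest, keep) if ok else sorted(dest.glob("backup-*.tar.gz"))
    return {"archive": str(archive), "verified": ok, "remaining": len(remaining)}


def demo() -> dict:
    """Three nightly runs over a constructed sample tree with keep=2, then a tampered manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dest = Path(tmp) / "company-files", Path(tmp) / "backups"
        (src / "invoices").mkdir(parents=True)
        (src / "invoices" / "2019-03.txt").write_text("constructed sample invoice\n")
        (src / "notes.txt").write_text("constructed sample note\n")
        runs = [run_backup(src, dest, f"2019030{d}T020000", keep=2) for d in (1, 2, 3)]
        mpath = manifest_path(Path(runs[-1]["archive"]))
        manifest = json.loads(mpath.read_text())
        manifest["notes.txt"] = "0" * 64  # simulate a corrupted or altered backup
        mpath.write_text(json.dumps(manifest))
        return {
            "all_verified": all(r["verified"] for r in runs),
            "remaining_after_third": runs[-1]["remaining"],
            "tampered_detected": not verify_snapshot(Path(runs[-1]["archive"])),
        }


if __name__ == "__main__":
    print(demo())
```

Schedule `run_backup` from cron or Task Scheduler and point `dest` at a volume the workstations cannot write to, so that ransomware running under an employee's account cannot encrypt the copies along with the originals. The ordering in `run_backup` is the part that matters: old copies are deleted only after the new one has been restored and checked, so a failed or tampered snapshot never leaves you with nothing.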
In addition to taking proactive defensive measures, it’s important to have an “after” plan, because “there’s no magic bullet,” said Scott Schober, president and chief executive officer of Berkeley Varitronics Systems Inc. He should know, since his company — which designs wireless threat detection tools — suffered a brutal cyberattack.
“I do a lot of client education work, with seminars and other activities for companies and government agencies,” he said. “That made me a target for hackers, who attacked my credit card, debit card, Twitter and other accounts. They were able to drain $65,000 from my business bank account,” which the bank replaced.
Hospitals and other health care providers have to be particularly careful about guarding their data from hackers, said Lani Dornfeld, a partner in the health law practice at Brach Eichler LLC. Civil fines under HIPAA, the Health Insurance Portability and Accountability Act of 1996, are bad enough — in 2018, health insurer Anthem Inc. paid a record $16 million fine to the U.S. Department of Health and Human Services’ Office for Civil Rights, following a massive breach — but cyber-leaks may also expose a victimized company to criminal charges.
“Under HIPAA, once you learn that you’ve been attacked and health information may have been accessed, you need to investigate as soon as possible,” she counseled. “If the attacker didn’t access sensitive data, you may be off the hook. But if the hacker did access data, the provider may have a duty to report the breach to a variety of parties and you could face civil penalties. Under federal regulation 42 CFR Part 2 [Substance Abuse Confidentiality Regulations], however, criminal charges may also be filed.”
She’s created a checklist, which includes pointers like assembling a response team as soon as possible — you should already have one mapped out — and keeping track of all relevant dates, along with a detailed journal or record of all actions, results and responses. “Gather, protect and save your evidence, and take reactive and proactive measures,” Dornfeld added, “in order to reduce fines and penalties, and protect against future attacks or incidents.”
Cyberhackers continue to attack him, added Schober, who has written a number of books on cybersecurity, including Hacked Again, which details his ordeal. “Think about security as a series of layers,” he said. “It’s like protecting your home. You have an automatic lock, and you back that up with a deadbolt. Then you add motion-sensitive lights and perhaps an alarm system. The idea is to get a thief to skip your house and go to a softer target.”
A company’s wireless network is an often-overlooked vulnerable point. “A sophisticated attacker may use Wireshark [a legitimate analytical tool that hackers sometimes use to reverse-engineer their way into a network], or they may start by just camping out in the parking lot of a business, like a law office or other professional services firm,” according to Schober. “They may stop in or call a receptionist and say they’ve got to send a proposal to the CEO — mentioning his or her name to add legitimacy — and then ask for the Wi-Fi password. Boom, they’re in and can infect the system with malware.”
Staff also need to be educated about not blabbing too much on social media, he added. “Don’t post things like ‘here’s where we’re eating dinner, or where we went on vacation,’ because those can all be pieces of a puzzle that help hackers to crack passwords,” Schober warned.
Another precautionary step is to check out the Dark Web — a part of the internet that’s often used by criminals, which can only be accessed with certain software — to see if your personal information is available for sale. When companies like Target Corp. and Equifax suffered breaches and exposed millions of bits of sensitive customer data, “people eventually found out, but in some cases it took a year or more until they were notified,” Schober said. “Business owners and others can use services like Cyberlitica, which scour the dark web, so they can get early warning and change their passwords and take other steps to protect their information.”
Vincent Lagonigro — an IT services provider who works with the CPA firm Levine, Jacobs & Co. and other businesses — said using dual factor authentication for emails and other accounts “can take a little longer, but can make it more difficult to penetrate your system.”
As a test, Lagonigro periodically sends out fake “phishing” emails — with bogus links that try to trick people into sharing valuable personal or company information — to client company employees, to see which ones take the bait. “We get a live report so we can see who’s entering credentials on a fake site,” he said. “It’s all part of a training effort that incorporates human behavior as well as technology.”
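The “live report” Lagonigro describes is essentially a funnel: who was sent the message, who opened it, who clicked, and who typed credentials into the fake page. The script below is an added example of that reporting logic; it is not the article's or Lagonigro's tooling. It assumes a simulation platform exports events as CSV rows of `timestamp,user,event`, scores each recipient at the furthest stage they reached (so duplicate or out-of-order events cannot inflate the numbers), treats a `reported` event as the desired behaviour, and produces both the campaign rates and the names for follow-up training. The `SAMPLE_EVENTS` data is constructed for the example.

```python
"""Phishing-simulation results summary (added example; not the article's or Lagonigro's tooling)."""
import csv
import io
from collections import Counter
from typing import Dict, List, Set

# Constructed export in an assumed timestamp,user,event layout; real platforms differ.
SAMPLE_EVENTS = """\
timestamp,user,event
2019-03-04T09:01:12,alice@example.com,sent
2019-03-04T09:01:12,bob@example.com,sent
2019-03-04T09:01:12,carol@example.com,sent
2019-03-04T09:01:12,dave@example.com,sent
2019-03-04T09:14:03,alice@example.com,opened
2019-03-04T09:15:40,alice@example.com,clicked
2019-03-04T09:16:05,alice@example.com,submitted
2019-03-04T09:20:11,bob@example.com,opened
2019-03-04T09:21:00,bob@example.com,reported
2019-03-04T10:02:33,carol@example.com,opened
2019-03-04T10:03:01,carol@example.com,clicked
2019-03-04T10:03:01,carol@example.com,clicked
"""

# Funnel stages in order; a recipient is scored at the furthest stage they reached.
STAGES = ["sent", "opened", "clicked", "submitted"]
RANK = {stage: i for i, stage in enumerate(STAGES)}
POSITIVE = "reported"  # the recipient flagged the message instead of acting on it


def parse_events(text: str) -> List[dict]:
    """Read the CSV export and reject unknown event names rather than silently dropping them."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        if row["event"] not in RANK and row["event"] != POSITIVE:
            raise ValueError(f"unknown event {row['event']!r} for {row['user']}")
    return rows


def furthest_stage(events: List[dict]) -> Dict[str, str]:
    """Map each recipient to the deepest funnel stage seen in their events."""
    furthest: Dict[str, str] = {}
    for e in events:
        if e["event"] == POSITIVE:
            continue
        user = e["user"]
        if user not in furthest or RANK[e["event"]] > RANK[furthest[user]]:
            furthest[user] = e["event"]
    return furthest


def reporters(events: List[dict]) -> Set[str]:
    """Recipients who reported the message; the behaviour the training aims for."""
    return {e["user"] for e in events if e["event"] == POSITIVE}


def summarize(text: str) -> dict:
    """Campaign-level rates plus the names that go to the training and recognition lists."""
    events = parse_events(text)
    furthest = furthest_stage(events)
    reported = reporters(events)
    total = len(furthest)

    def reached(stage: str) -> int:
        return sum(1 for s in furthest.values() if RANK[s] >= RANK[stage])

    return {
        "recipients": total,
        "click_rate": round(reached("clicked") / total, 2),
        "submit_rate": round(reached("submitted") / total, 2),
        "report_rate": round(len(reported) / total, 2),
        "by_stage": dict(Counter(furthest.values())),
        "needs_training": sorted(u for u, s in furthest.items() if s == "submitted"),
        "reported": sorted(reported),
    }


def format_report(summary: dict) -> str:
    """Plain-text report of the kind that could go to the client after each campaign."""
    lines = [
        f"Recipients: {summary['recipients']}",
        f"Clicked: {summary['click_rate']:.0%}  Submitted credentials: "
        f"{summary['submit_rate']:.0%}  Reported: {summary['report_rate']:.0%}",
        "Follow-up training: " + (", ".join(summary["needs_training"]) or "none"),
        "Reported the message: " + (", ".join(summary["reported"]) or "none"),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_EVENTS)))
```

Two design choices carry the training value: credential submission is tracked separately from clicking, because it is the outcome that actually compromises an account, and reporting is counted as a positive result so the campaign measures the behaviour you want to reinforce, not only the failures.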
Other safeguards include Cisco Systems Inc.’s OpenDNS service, “which can help prevent you from going to a site that may be hacked,” Lagonigro added. “Just the other day, a new client that provides financial information, and uses the popular WordPress website platform, was hacked. People who tried to click on their site were redirected to potentially harmful sites. Fortunately, OpenDNS’ zero hour response blocked it on a global basis almost immediately.”
Hackers present multiple threats to small business owners and others. But companies that keep up to date with security measures and training have a better chance of staying safe.