Pay up… or else!

Learn how to avoid a cyberattack on your small business and how to respond to ransom threats.

The email from Amazon may look completely legitimate. It includes the same Amazon writing and gold smiley
face arrow. It says it’s from the Amazon billing department, which seems logical after recent purchases.

Upon closer look, the sender is not an Amazon.com email address, the domain is inaccurate, and the content of the message has grammatical mistakes and spelling errors.

These are all things business owners need to watch for, cybersecurity experts say. Small-business owners are
most often the easiest victims when it comes to hackers, ransomware and other cybersecurity threats, experts and data show.

Almost half of small businesses have suffered a cyberattack in the past year. This is mostly because small businesses are less likely to have protections in place to prevent an attack or to detect one when it happens. As a result, small businesses are less likely to be able to financially recover from a breach or hack, according to the 2018 Small Business Security Report, conducted for Hiscox, a U.S. insurance company that provides
cybersecurity insurance to small businesses.

“Small-business owners are at a relatively greater risk,” says Ali Pabrai, the chief executive of ecfirst, a compliance and information services security company headquartered in Waukee. “Simply for a lot of them, cybersecurity is not as high on the radar as it should be. They don’t have the resources or the budget.”

Experts say cybersecurity is a multi-level approach that involves three main areas: prevention, detection and
mitigation. Here are six questions to ask when considering whether your company is cyber secure:

1. What dangers exist?

Some small-business owners think their business is too small and will fall under hackers’ radar.

“What they don’t realize is they’re the low hanging fruit,” says Alex Romp, the president of Artech Solutions Inc., a West Des Moines information technology consulting firm that serves mostly businesses with fewer than 100 employees. “Most cyberattacks aren’t targeted attacks. They’re crimes of opportunity. A malicious person scans millions of IP addresses a day. They’re looking for vulnerability.”

There are multiple types of cyberattacks, but ransomware, which is a hack that locks the owner of the data out of its information and demands payment or a “ransom” for its release, is most visible, Romp says.

A ransomware attack can take one of two forms:

• The hacker preys on a specific organization and demands a large ransom for the release of files.

• The hacker casts a wider net to seek more modest payments. This is where small businesses often fall prey.

Ransomware is becoming more sophisticated: Nine out of 10 phishing or spear phishing emails are now ransomware. About 75 million phishing scam emails are sent every day, and more than 40,000 cyberattacks occur each day.

While ransomware is the most visible because employees or the business owner learn right away based on the ransom note, other cyberattacks are less obvious.

“The most dangerous are the ones when you don’t know about theft of data,” Romp says.

Hackers earlier this year used an email phishing scheme to gain possible exposure to personal information for about 16,000 patients of West Des Moines-based UnityPoint Health.

Officials quickly changed passwords and brought in cybersecurity professionals to secure the information, which potentially included patients’ dates of birth, medical record numbers, treatment information, surgical information, lab results, insurance information and more. Some individuals may have had their Social Security numbers
compromised.

UnityPoint sent a letter to the affected patients notifying them of the cyberattack and that they were not aware of any reports of identity theft, fraud or improper use of information as a result of the incident, and that the healthcare system was taking steps to prevent any future cyberattacks.

Older computer systems and operating programs without the proper patches or latest application software updates also are a backdoor into the network for hackers, Pabrai says.

“Hackers are very good at knowing vulnerabilities that can be exploited,” he says. “The owner might think: ‘Why should I upgrade or do this,’ but that could end up hurting them because it’s easy to exploit.”

The hackers behind the WannaCry cyberattack took advantage of flaws in older versions of Microsoft Windows. There was a patch available, but business owners had to be updated with their patches and run a supported version of Windows to prevent the attack, Paul Schwegler, the owner of Little Dog Tech in West Des Moines, writes in his blog.

2. Is a threat likely to occur?

As long as a company has employees, the answer is likely yes.

Pabrai says employees are a company’s weakest link when it comes to cybersecurity because they fall prey to email scams, or they infect the company’s network by bringing in a personal USB drive or connecting their work computer to their home wireless network, which likely has fewer protections in place.

Most ransomware attacks happen as a result of an employee clicking on a link in an email or opening an email
attachment that is an attack.

Cyberattacks are becoming more common as hackers get smarter. No system is 100 percent secure even with the most diligent security professionals attempting to provide protection against every threat, experts say.

According to Hiscox’s report, which is based on claims data, 47 percent of small businesses suffered a
cyberattack. Forty-four percent had between two and four attacks.

Cyberattacks happen frequently, local technology advisers say, but it is rarely reported to local law enforcement, according to the Waukee and West Des Moines police departments.

3. How do I thwart a would-be cyberattack?

Take preventative action, information technology managed services experts say. This includes a risk assessment to determine the business’ vulnerability.

Pabrai compares it to an annual check-up at the doctor’s office.

“If you don’t go to the doctor, you don’t know if you have an emerging health condition,” he says. “I think it’s very important at least once a year to get a health check in terms of cybersecurity, so the business can deter
insecurities.”

A risk assessment could show areas where the business is using an older version of an operating system and
needs to update it. Preventative action also includes the tools and solutions to prevent infections and detect
weaknesses in the network’s security. Education at all levels of the business about cyber threats also is paramount.

Business owners should treat cybersecurity as a line item in their budget process to ensure it receives proper attention. All employees should receive cybersecurity training as part of their onboarding process and through
routine trainings.

“It’s very important the small business owner make it a priority for there to be active communication and information for employees to know about scenarios of phishing and ransomware,” Pabrai says. “It needs to
be active training. It can’t just be once a year.”

Romp agrees that employee training is critical because it teaches how to recognize phishing emails. His company offers online training and simulates phishing attacks to see how employees respond. If an employee clicks on a faux-phishing link, it leads the individual to a refresher training and the business owner is notified.

Even though the warnings are there, business owners often don’t make changes — even after an attack — or
take precautions. According to Hiscox’s report, 50 percent say it’s because they don’t have enough money in their budget to pay for cybersecurity services.

A business with 25 or fewer employees could spend between $1,000 and $1,200 a month for cybersecurity
support alone. That amount doublesfor the services of a managed IT services company that provides all IT
support and training and serves as the company’s help desk for any issues.

Cybersecurity experts recommend a multi-level approach that begins with education of the business’ employees.
Even if the company outsources its data protection, the business owner or manager must ensure employees do
their part in-house to follow protocols and to keep data secure.

Basic layers of cybersecurity include:

• Regular back-ups of the company’s data.

• Installation of software programs that search for and stop viruses, malware, ransomware and other potential attacks. This includes firewalls and data encryption programs.

• Assurances that all programs have undergone appropriate updates and patches to ensure the most effective
version is in operation.

• Protection for the company’s website from hackers.

• Educating employees about the dangers and provide regular tests to ensure they follow procedures.

• Hiring an information technology consultant or managed services provider to oversee and test security procedures.

4. Could my business recover?

Any ransom can be devastating to a business owner because it can disrupt operation, ruin the business’ reputation or brand, and cost thousands to millions of dollars and volumes of employees’ worktime to remedy.

Schwegler writes that paying a ransom or restoring data from a backup may seem like a quick fix, but there’s more to consider.

“There’s still the downtime involved to restore all your data — possibly days — and that’s a lot of lost productivity,” he says. “Plus, if word gets out that your data has been compromised, you may find confidence in your business plummets and your existing clients head elsewhere.”

Business owners need to consider what it would take to recover from a ransomware attack, which is why a good back-up system needs to be in place. The golden rule of business from the IT perspective is to backup all data, Romp says.

“Everyone needs to have a backup that gets (the data) off site,” he says. “It’s vital. A backup is going to save you from any number of technology disasters, obviously, a ransomware attack or critical hardware failure.”

He points to a client who had its business burn down. All of the client’s data was stored in a cloud-based system, so the business was back in operation within 12 hours.

If the data is backed up, the business owner also needs to consider how much time it will take to restore the information. The frequency of a data backup will depend upon the nature of the business and its tolerance for risk and is something the business owner will need to consider, experts say.

Small-business owners estimated the average cost for cybersecurity incidents in the past year to be about $34,600, according to Hiscox’s claims data. This can escalate into hundreds of thousands of dollars or even millions for larger companies with more employees. The company also could be held liable for contract violation
if any client’s personal data was compromised during a hack.

Depending on the severity of the attack and the data that was compromised, business owners may have to notify customers and publicly explain how they will ensure future attacks do not occur.

5. What do I do if I have an attack?

Every ransomware attack is different, so it’s important the business owner and their IT services team evaluate it.

Detection is a big component in stopping an attempted ransomware or cyberattack. Both thwarted and successful violations need to be tracked, and alerts need to be put in place that automatically monitor and provide a notification that the network has been attacked.

If a business owner, manager or employee suspects the network could be infected, experts advise they do not turn off the machine but instead immediately disconnect the infected computer from any network it’s connected to, turn off wireless access, and unplug any USB or external hard drives. He recommends not trying to erase anything or not to try to clean up the computer.

Instead, consider the scope of the attack: Was the machine on a shared network when the user first noticed suspicious behavior? Was the operator using any external drives? Is the computer connected to cloud-based storage? Did the user open an email or visit a website?

If the business has no way to recreate the data and no backup and must have the information, then it will be stuck paying the ransom, Romp says.

“The FBI tells you not to pay the ransom, but frankly, if you’re a business owner and you don’t have a backup, you’re either going to pay the ransom, or you’re going to go out of business,” he says.

Business owners used to be able to pay a ransom and were guaranteed they would receive their data. That isn’t always the case. There’s no guarantee the data will be returned in a usable format or files could be locked and unable to be unencrypted. Paying the ransom could make them a target for future attacks.

An IT services provider can help the business owner determine if data can be restored from a recent backup, whether to decrypt files from a third-party decryptor, consider the data a loss, or negotiate/pay the ransom as a last resort.

6. What future steps do I need to take?

IT experts say business owners need to act to ensure future attacks do not occur. This includes a plan for how to handle all incidents, from detection of an attack and containment to notification of appropriate individuals and
assessment. Each person who will be involved needs to be notified of his or her specific roles and responsibilities prior to any incident. Response plans need to be regularly updated to account for new types of threats.

According to Hiscox’s report, about 65 percent of small-business owners failed to act following a cybersecurity incident, and only 16 percent of the small businesses surveyed were very confident in their cybersecurity readiness.

Most did not have a strategy for cybersecurity readiness or anyone charged with overseeing the area or outsourcing the service. Less than one-third of businesses conducted phishing experiments to check employees’
behavior and readiness to thwart any future attacks.

Experts also recommend business owners have a standalone cyber insurance policy to protect the company in case of a cyberattack. The policy is designed to cover privacy, data and network exposures.

West Des Moines-based Farmers Mutual Hail Insurance Co. of Iowa announced this year it is now offering cyber risk protection insurance to individuals, families or farms who are victims of a computer attack, cyber extortion, online fraud or a breach of personal information. ♦