The email looked legitimate, as Troy Carlson recalls.
But once it was opened, the results were nothing short of a disaster for his client, he says. That one email launched a crypto-locker program and seized control of the business’s computer systems. The ransom to unlock the system was a few thousand dollars.
“But what small business has $5,000 they can readily hand over?” asks Carlson, a strategic risk adviser with McClone, explaining the invasive cyber threats faced by today’s small and medium businesses.
The client came up with the money, paid the ransom and was able to regain the use of the computer system, only to find the cyber attackers had also copied client, employee and other company information — all of which resulted in ongoing costs for notification and credit monitoring.
“It’s the sad truth, it can be something as simple as an email that’s disguised to look like an invoice or something you routinely receive,” says Carlson, who advises clients on their potential cyber risks and insurance policies that can protect them. “If your company has email and an Internet connection, you are at risk of being breached.”
The pace of such attacks is increasing.
While major breaches at companies such as Yahoo, LinkedIn and Target have grabbed the headlines, small- and medium-sized businesses are increasingly finding themselves under siege as attackers look for smaller scores that attract less attention.
About half the nation’s small and medium businesses reported being the target of a cyber-attack in 2014, Securities and Exchange Commissioner Luis A. Aguilar wrote in 2015, a 44 percent increase from 2013. The average loss was $20,000, up from $8,699 in 2013, according to federal surveys.
Small and medium businesses are attractive targets for a number of reasons, but foremost among them is that they are easier targets than larger organizations, federal security experts say. They face precisely the same threat landscape that confronts larger organizations, but must do so with far fewer resources.
With all the other issues a small business owner faces, it can be difficult to think about the myriad of threats posed by cyber attackers, Carlson says.
“As a business owner, you have a million important things going on in your head,” Carlson says. “It’s hard to keep in mind that a hacker in Russia or other location may be watching you.”
The internet is not the only source of threats.
While email and “phishing” may be among the most prevalent forms of cyber-attack, direct attacks against companies and consumers such as skimming are also on the rise, says David Leibl, a network security supervisor for Kwik Trip.
The practice of skimming — attaching a physical device to capture or transmit credit card and other information — recently made headlines when the Wisconsin Department of Agriculture, Trade and Consumer Protection reported a skimmer had been found attached to gas pumps at 15 locations, including Appleton, Oshkosh and Random Lake.
Though no Kwik Trip stations were affected, Leibl says the threat is unrelenting. It’s a particular challenge since Kwik Trip’s business model depends on ease-of-use, essentially inviting customers to use their cards for the convenience.
“We knew this was coming to the Midwest,” Leibl says. “We are constantly battling to stay ahead.”
There are resources available for even the smallest of businesses to arm themselves for the battle.
The first step is to understand just what the risk is. This is where folks such as Carlson come into play. Most insurance companies provide policy riders to cover cyber liability, he says. A critical first step is to determine just what the liability — and costs of a potential breach — would be. Costs and regulatory hurdles increase for companies operating in multiple states, important items to consider when determining your potential risk.
Developing a good relationship with a knowledgeable IT provider is also a must, Carlson says.
It’s not always a fun conversation, he says, but ultimately an important one.
“Part of my job is to help people understand their exposure and how they can protect themselves,” Carlson says. “There is nothing boilerplate about cyber liability.”
The federal government, through the Department of Homeland Security, has also stepped in with resources for small and medium businesses. In addition to publishing regular best practices and sharing information on the latest threats, DHS has put together training and assessment tools to help small businesses combat cyber threats.
“This is not just an IT issue, this is a business risk,” says Hala Furst, the cybersecurity and technology business liaison for DHS’ Private Sector Office. “Small and medium businesses provide more than half of the nation’s employers. The impact of these crimes can be huge.”
Some of the least expensive – and easiest – steps a business can take are the ones that are also most often overlooked, she says. Regularly changing passwords, not publicly labeling things as confidential, not sending protected information via email and not using untrusted flash drives can go a long way toward better security.
“Sometimes the biggest risks are the most obvious, sort of like not locking the front door,” Furst says.