It wasn't a huge business, but it was about to get one big headache.
The South Jersey construction company didn’t back up its data and as a result suffered a ransomware attack. It contacted PCH Technologies for help.
“The company … like many smaller businesses, didn’t practice safe security and thought it was too small to capture a hacker’s attention,” PCH chief Timothy Guim said. “We were able to negotiate the ransom demand down to a ‘reasonable’ level, got the information back and now we provide IT security, data management backup and other services to the business.”
In another situation, Guim was approached by the chief financial officer of a large health care company at a cybersecurity educational seminar.
“The executive said he enjoyed the presentation and mentioned that the company’s internal IT department kept them safe,” he said. “So I asked him if I could do a quick scan on his company on the dark web.”
That meant checking up on recent hacks on double-secret peer-to-peer sites and such. “After just a few seconds we found more than 70 ‘hits,’ including active references to his CEO’s password on hacker forums,” Guim recalled.
The bottom line: Companies both big and small are targets for cyber criminals. “In the 21 years that PCH has been around, we’ve never seen so many attacks against easy targets,” Guim said.
Some of the cyber theft targets consumers: Car dealers, retailers and other chain companies along highway rest stops are among the favorite targets for criminals to place point-of-sale and ATM skimmers to steal credit card information.
Said Daniel Smith, a security researcher for the emergency response team of Radware: “Then the information is sold on the dark web. Hackers frequently target low-hanging fruit, so smaller companies with a limited security budget may be at particular risk.”
Big-company hacks – such as the high-profile Equifax breach that compromised information on more than 100 million individuals – grab most of the headlines, but small businesses with weak security also may have high-value information that’s attractive to cyber thieves.
In fact, the chance that any particular business will be targeted “is almost like a numbers game,” said Randy Vanderhoof, executive director of Secure Technology Alliance. “Cyber criminals are always looking for credit card and other information that can be monetized.”
Smaller businesses may have weak passwords or may have gaps in their security systems that make them an easy target. “But there are many relatively easy protective steps they can take,” Vanderhoof said.
Best practices include safeguarding sensitive payment and other data by encrypting it, so even if it’s accessed it’ll be tougher to decipher. Other tips include encrypting usernames, passwords, social security numbers and other information, along with storing them on a separate secured server instead of the business’ primary operating network.
“Alert companies are also moving sensitive information to the cloud, where service providers offer more protection with sophisticated security systems and can patch holes easier,” Vanderhoof said.
Some smaller businesses that can’t support a full-time cybersecurity team turn to managed security services providers, which offer security services to smaller organizations struggling to fill gaps in their security operations.
“We’re providing an increasing number of our products to Managed Security Services Providers that offer security services to smaller organizations,” said Joe Sorial, vice president of business development at Lumeta, which markets monitoring platforms and other cybersecurity tools.
Once organizations achieve “real-time visibility” into their environment, they need to update their security for known vulnerabilities, deploy proven security products and ensure that system access is limited to authorized individuals, Sorial said.
“There’s also a training component that should not be overlooked, to ensure that employees are not falling for some of the social engineering techniques, which manipulate users into performing unsafe actions or divulging confidential information,” he said.
Marios Damianides, an Ernst & Young partner and regional cybersecurity leader, said cyber risk remains on the rise “[because] there’s so much information about our activity, our movements, our likes and dislikes that’s available on so many platforms; it all represents more opportunity for criminals.”
One part of threat management is simply deploying and updating antivirus software and other tools, he said. “You also have to be aware of what you’re sharing and whom it’s being shared with,” Damianides said. “Antivirus tools protect against known threats, but criminals are always improvising new ones.”
Employee education and ongoing training, along with software filters and other protection, are some good lines of defense, he added.
“It’s like having an alarm and monitoring system for your residence. It may not guarantee against a break-in, but it can discourage a thief and may limit the damage,” Damianides said.