Cybersecurity: An issue for both big and small businesses

Bill Kimbler, partner and business development lead at CW Technology in Duluth.

It seems every other day there’s a news story of some major company being hacked, its information being held for some insane ransom. Maybe it's a major fuel supplier or a meat packing plant. 

It’s easy for small and mid-sized business owners to write this off as a big company problem. 

In Minnesota, there were an estimated 3 million cyber intrusion attempts daily in 2017, according to an official statement from then-Gov. Mark Dayton’s office. The risk of hackers and ransomware is especially high for our area: Mining is the #1 industry hit, according to researchers affiliated with the Institute for Financial Studies in Romania. A 2020 article in Technology Trends reported that 43 percent of cyberattacks target small business with fewer than 500 employees.

With profit as their motive, and the tools to cast a wide net, hackers don’t care how small your business is. If you’ve got a business and you’ve got technology, it can be held for ransom. 

“For hackers, it’s all about money,” said Bill Kimbler, partner and business development lead at CW Technology in Duluth. “Very little of it is state-sponsored. (One country hacking another.) The size of the organization does not matter. They are just looking for someone to click on their virus.”

Kimbler works with companies to understand the malware threats specific to their organization, then develop disaster recovery and remediation plans. He also assists with protecting a company’s technology environment – the platform and infrastructure. 

The risk to small organizations is huge, he said, citing recent statistics that 60% of small firms that experience a cyber security attack go out of business within six months, Cybercrime Magazine reported in 2019.

The number one reason for this, Kimbler said, is that many of them don’t have a viable or solid back up. “Once they’re hit with these threats, they don’t have a way to restore.”

Without a backup, a business is faced with paying a ransom – which may or may not get them their information back. “There’s no guarantee you’re going to get the key to unlock your files. Some hackers will give the key and some don’t.”

And still, restoring the information can take a lot of time, costing days or even weeks. 

Cyber liability insurance will cover remediation costs, but it does not cover loss of business. 

With a plan in place, the proper tools and systems, a company can get up and running in a matter of days. Without it, it can cost weeks of business. 

How it’s done

The No. 1 way malware threats are introduced into an organization is email, said Kimbler, followed by general web browsing and clicking on ads and popups. An employee clicks on an email attachment that looks like a document. In reality, it’s a virus or intrusion method like a Ransomware file that launches a program. It starts locking files on that local machine first, and then as that machine is connected to a network, it goes to a server and starts locking those files. After the process starts it cannot be reversed. The individual does not know the process has even started until a sign comes up on the screen to pay a certain amount by a certain time or the ransom will increase.  

In some cases, an intrusion could go undetected for months or longer before an attack occurs, said Walt Swanson, a network engineering manager with Citon Computer Corp. “A lot of cyber criminals don’t do things right away, they hide behind the scenes collecting information – then they strike. It’s going to be calculated to do the most harm.”

In the most common malware situations, said Kimbler, hackers do not care about the data itself. They only lock it because it’s valuable to the business and therefore worth money. The options are to pay the ransom or use the company’s back up.

What you can do

“You want to look at your whole security platform,” said Swanson. “It’s not just about throwing away internet cookies once in a while. Leave the smallest internet footprint you can, use whatever settings you have on the system to keep yourself as private as possible. Should you save passwords on your system? No, get a password keeper. Security is a journey – there’s what can you do today, what can you do next quarter and what you can do next year.”

The threat landscape is changing so fast, he said, you have to stay up on it.

There are several key ways to mitigate threats. First, maintain a strong environment with a good firewall and know what is allowed and blocked on the network. Second, keep software up to date using vendor-provided patches. Third, do not allow users to download and install unsupported or free software. Fourth, back up all critical data and systems; this means having at least one copy offline. Finally, educate your employees. An employee who unknowingly clicks on a document can unleash a virus in the system without even knowing it.

“When you receive an unexpected email, take the time to review it before taking any action,” said Swanson. “When an email requests immediate action (open this attachment, click this link, or verify your cell phone number), think before you take that action. Even if I know the person, if this email was not something I would expect from them, I verify that they really sent this by another means, such as a phone call.” The methods are increasingly malicious, he said, citing an example of a co-worker having regular email exchanges with an individual at another company and then receiving an email from them to open an attachment that was completely off topic. A telephone call revealed the employee had been out all week. Their work email account had been hacked and was being used maliciously.

Kimbler also recommended training employees about what the threats are, how to identify them, how to protect the environment they work in, then what to do if they feel they’ve been compromised. “That employee training is a big piece. Very few do it.”

Test emails that look like legitimate emails can be sent to employees that will ask them to click on something. If they take the bait, they receive additional training. However, he pointed out, it’s important that the policy is not punitive; timing is essential if an employee thinks they may have inadvertently downloaded malicious software, and they need to come forward immediately. “With Ransomware, we’re talking by minutes,” he said.

And because no tool or training is 100 percent guaranteed, businesses need to have a solid back-up plan in place. 

Being prepared is key, said Kimbler. “Do not think you are protected because of size, industry or location. Have a plan. As an owner, you need to understand what the threats are, what you are currently doing, and what more you could currently be doing. This isn’t going away – this is going to be the no. 1 business technology challenge going forward.”

Swanson echoed this sentiment. 

“The world is changing. We need to change with it. Security isn’t an after-thought anymore. It’s business centric.”