Cyber attacks on small business -- it's a matter of when, not if

Gary Wieder, the lead information-technology support person at Craft-Bilt Manufacturing, still remembers what it felt like when he learned that malware had struck the company’s computer system about a year ago.

“Panic ensues. Your blood pressure goes up very quickly,” said Wieder. Luckily, he said, the Souderton-based manufacturer of awnings, sunrooms and patio rooms had a good backup system, so a little inconvenience was the only fallout.

But the experience was jarring enough to prompt him to attend Tuesday’s gathering of small and medium-sized businesses at the Montgomery County Public Safety Training Campus in Conshohocken. Wieder and about 60 other business and government IT executives heard an array of cybersecurity experts from the state and national Homeland Security offices. 

Their underlying message? Even small businesses are readily and regularly targeted by hackers seeking either money or mayhem. It's a matter of when, not if.

Although the timing was coincidental, Tuesday’s session came at a time of growing awareness of the threat of cyberattacks. The CIA and the FBI have concluded, and President Trump has acknowledged, that Russian actors hacked Democratic National Committee computers prior to November's election.

When it comes to homeland security, people “always think of homegrown violent attacks or an active-shooter incident or a threat from ISIS, but people overlook the cyber threat,” one of Tuesday's speakers, Marcus L. Brown, director of the Pennsylvania Governor’s Office of Homeland Security, said in an interview. “Even the rhetoric that elections could be hacked raised awareness of the threat of cyberattacks.”

Small businesses have to take protective measures, Brown said, because they probably don’t have the resources to recover from the kind of massive data breach that Target Corp. experienced in 2013. That hack ultimately cost Target about $300 million, speakers said Tuesday.

“Our entire society is so connected,” Brown said. Hackers can enter company computers through network-connected HVAC systems, through outside vendors with access to the network, and through emails to and from suppliers or customers.

Small businesses need to raise security awareness, said Erik Avakian, chief information security officer for the Commonwealth of Pennsylvania’s Office of Administration. Just as people routinely lock their doors when they leave home, companies need to build a culture of “cyber hygiene” at work. They must teach employees how to spot threats, and praise them when they do.

“Ransomware is the attack du jour,” Avakian said. Attackers lock up a system by encrypting its files, then demand a payment, often in Bitcoin, for the key that decrypts them.

Small businesses should start by analyzing what data they hold and who has access to it, he said, drawing a parallel between that exercise at work and what a homeowner might do, such as photographing valuables in case there is a burglary. If security or IT staff find it difficult to persuade company owners to invest in analysis and prevention, he suggests drawing up a cost-benefit analysis.

At Tuesday’s seminar, estimates of the cost of a breach ranged from $125 to $205 per compromised record, a figure that includes legal help, compliance and notification, defense against lawsuits, IT consulting to stop the breach, consulting to recover data, crisis communications, and new systems. And those are just the quantifiable costs. Loss of customer trust is harder to measure.

Bradford Willke, eastern U.S. supervisory cybersecurity adviser for the U.S. Department of Homeland Security, urged the group to turn to the government for help. The federal government offers free scans that look for anomalies in a business's systems and recommend fixes. It also publishes extensive security checklists that can help businesses organize their defenses.

The session Tuesday included a run-through of the consequences of a cyberattack, presented by attorneys from McNees Wallace & Nurick’s privacy and data-security practice group. Even assuming a breach can be stopped and data restored, complicated consequences can linger. For example, European privacy laws are stricter than U.S. law and require that customers be notified when stolen information includes data that would not be deemed private in the U.S.

Get cyber insurance, urged McNees partner Devin Chwastyk, who heads the firm’s data-security practice. “Your commercial general-liability policy will not cover you,” he said. The process of obtaining coverage itself strengthens a firm’s defenses: before writing a policy, insurers conduct audits and insist on security best practices.