‘Attacks are ubiquitous’

What do Home Depot, Target, the White House, the State Department and Sony Pictures have in common? They’ve all been the targets of high-profile cybersecurity attacks over the last year.

Nonetheless, while it makes headlines when the hackers hit big companies, the bad guys are far more likely to attack small businesses — and those businesses may not even be aware they’ve been hacked, experts say.

“Attacks are ubiquitous whether you’re big or small,” says Danyetta Fleming Magana, president of McLean-based Covenant Security Solutions, an information security and cyber solutions company.

Ted Brown, vice president of IT operations for Reston-based Network Alliance, an information technology consulting and management firm, says “Small businesses kind of feel that they’re too small to worry about, that they’re not really targets of these kind of attacks. … [They] seem to think that … they may not need the same kind of protection, or they’re not vulnerable, but it’s quite the opposite.”

In fact, according to Verizon’s annual Data Breach Investigations Report, in recent months as many as 71 percent of cyber attacks have been waged against small businesses with fewer than 100 employees.

“First and foremost, don’t be naïve,” says Harvey Johnson, a senior manager with Richmond-based accounting and business consulting firm PBMares. “All of the security experts say it’s not a matter of if you’ll be attacked; it’s when and by who.”

The first thing to understand is that hackers aren’t necessarily targeting specific businesses — they may be running automated attacks looking for Internet-connected networks that are easy to attack, experts say.

Small businesses often think they don’t have data worth stealing, but that’s not the case, he says. Hackers are seeking credit card data, Social Security numbers, user names, passwords — anything that can be used in identity theft. Small law firms, health clinics, accounting and financial firms, and other businesses may routinely keep such records on their clients and employees.

“This is going on the black market for anywhere from $25 to $125 per record depending on how much information you have,” Johnson says. “The more data a hacker gets on a single individual or business, the more valuable it is.”

It’s also likely that criminals may be hacking into a small business in order to strike at a bigger target, namely that small business’s clients, Magana says. In the Home Depot and Target cases, hackers used stolen credentials from small third-party vendors to access the big retailers’ networks.

Hacking is a low-risk, high-reward crime because most of the hackers are working overseas, and they rarely face prosecution. And because of a lack of resources, it can often take six months to a year before a small business even realizes they’ve had a security breach. During that time, identity thieves can take out lines of credit and establish aliases with the stolen data. “I’ve heard stories about people who have had entire homes purchased [using their stolen personal data], and they had no idea about it,” Magana says.

So what can businesses do to protect themselves?

One step is to conduct an information security risk assessment and establish data security policies such as requiring employees to regularly change passwords, Brown says.

Training employees in data security basics such as how to identify possible phishing attempts is also essential, Johnson says. Some hackers may employ fake email addresses to impersonate company officials, such as board members or CEOs, in order to request passwords or data from employees.

Johnson also suggests being prepared for the worst-case scenario and taking out additional insurance coverage against loss from data theft. Adding such coverage is relatively inexpensive for small businesses, he says, but it can be the difference between a small business staying in business or closing its doors, he says, as the financial fallout from a data breach can be ruinous.

Brown recommends that companies strengthen their network security by installing real-time intrusion prevention systems (IPS) and intrusion detection systems (IDS), which can range from roughly $8,000 to $20,000 for a small business. “You wouldn’t let a stranger walk past your front-desk person and start rummaging through peoples’ desks without raising an eyebrow, so why are you letting people do that on your network?” he asks.

“Having a firewall in place is no longer the maximum,” Brown adds. “A lot of people, when they get a new network, they get a firewall in place, and they put an antivirus program on their computer, and they wipe their hands and say, ‘We’re good,’ but that’s the bare minimum of what’s needed.”

Bringing in an IT person once in a while when something’s broken isn’t a good strategy, says Brown, who urges small businesses to instead invest in installing a 24/7 system that can monitor intrusions and send remote alerts such as hardware systems created by computer security firm Kansas-based RiskAnalytics. The systems are installed onto a business’s existing network.

Anti-virus and anti-spyware software are great, Brown says, but they have limitations. Intrusion prevention and detection systems are more robust than software and can better detect communications anomalies in your network and shut down the connection before data can be stolen, he says.

Because most attacks are coming from overseas, there is a good chance those attacks will happen after office hours when it’s daytime in Europe and Asia, he says. That’s why it’s important to have a 24/7 monitoring system that can send you alerts in real time.

Good cybersecurity systems can block network traffic from some or all foreign nations. “We have a litany of countries we block right off the bat” for clients, Brown says.

While hackers come from across the globe and can hide their locations or make it appear as if they are coming from somewhere else, most don’t bother. The hotspots for hackers tend to be Russia, China, Turkey, former Eastern Bloc republics and Saudi Arabia, but hackers also strike from the United States, France and Germany. “It’s not just one country, but you can really see who the big hitters are and isolate your network from them,” Brown says, and if you don’t need to do business with foreign companies, you may want to completely cut off network access to all foreign IP addresses.

Other good tips, Johnson says, include restricting employees’ abilities to download programs and files onto their computers and keeping sensitive data such as payroll information on an internal network that isn’t connected to the Internet if possible. It’s also critical to change default passwords on routers and servers; keeping default passwords is like leaving one’s door unlocked, he says.

If you do all this, you may avoid data breaches, but it’s not a given. A determined hacker may succeed no matter what, experts say.

However, hackers are “going to look for the path of least resistance,” Johnson says. “If you’ve got your guard up, they’ll probably move on from you and go on to the next small business.”