Remote work provides new cybersecurity challenges for small businesses
A cyberattack can be devastating for a business of any size. Just ask a Northeast Ohio medtech CEO who endured a “two-week panic attack” after a Romanian cyber-criminal gang shut down his operations in February 2019.
Using a “GandCrab” ransomware strike — a type of malware that encrypts a victim's files and demands ransom payment in order to regain access — the crooks quite literally held the midmarket firm hostage before the malicious software could be lifted.
The attack froze employees out of the company’s PCs, servers, email files and inventory management system.
“It was a moment where someone else is controlling your life,” said the CEO, who wished to remain anonymous for security purposes. “A nightmare I don’t recommend ever wanting to relive.”
The ultra-connected global business environment
The medtech company’s recent troubles are emblematic of the current ultra-connected global business environment. With heightened digital connectivity comes increased cybersecurity risk, a threat landscape that continues to shift with the prevalence of remote work, said Ellen Boehm, senior vice president of IoT (Internet of Things) strategy and operations at KeyFactor, a Cleveland software solutions company.
“We’ve been going down this path for years,” said Boehm. “COVID accelerated the need for more secure systems to realize this connected world.”
Protecting vital company assets can be a tall task for small-to-medium sized businesses lacking a dedicated information technology team or the time to focus on cybersecurity, said Boehm. Still, she believes these businesses are ignoring online safeguards at their peril.
In 2019, approximately 76% of American businesses experienced a hack, with 60% of small companies failing within six months after a breach, according to the Ponemon Institute.
Ongoing work-from-home protocols have employees accessing sensitive company data from personal laptops and iPads, or over their home Wi-Fi networks. Unsanctioned devices may sit outside an employer's network controls, leaving gaps for hackers and raising the probability of a successful attack.
KeyFactor took three months to remotely secure its own systems during the height of the COVID-19 pandemic, despite a background in software security that gave the company a leg up over most industries. Some smaller clients were left defenseless in those early days, as they did not have the staff or expertise to plug virtual gaps.
Small and medium sized businesses “are typically outsourcing IT,” Boehm said. “Or they don’t need to hire a person to do these detailed infrastructure pieces because there isn’t a full-time need.”
Not too small to be hacked
Even having cybersecurity protections in place is no magic shield against a determined hacker, noted the medtech CEO. Criminals infiltrated his system through remote monitoring software that the firm's service provider had yet to patch, an opening the GandCrab operators exploited.
During its long recovery period, the company could not bill customers or operate an inventory control system. A team of consultants, security people and forensic investigators labored on nights and weekends to regain system access as the business scrambled to meet orders.
“We went back to the paper mode of business until we could get back in the normal stream of things,” the CEO said. “We all had to be on our toes, and there wasn’t a lot of sleep in those two weeks.”
Rest came easier when the company's service provider paid the ransom. In response to the new remote work environment, the enterprise also bolstered its online systems with a refurbished firewall, isolated backups, better defensive software and an updated patch schedule.
“My advice to businesses is to get comfortable with your service provider,” said the CEO. “Do they have the sophistication and tools you need? Are they stretched too thin? Are you getting a good response time from them? Those are important questions.”
Businesses across industries are impacted by cybercrime, including entrepreneurs who maintain they are invisible to bad actors, noted John Nicholas, professor of computer information systems at the University of Akron.
However, ransomware and other dangers lurk, with global ransomware costs predicted to eclipse $265 billion by 2031, according to Cybersecurity Ventures.
Small businesses with fewer security measures in place are an attractive target for ransomware thieves – those affected may find their files inaccessible until they provide a hefty payoff, Nicholas said.
Modern phishing emails are more sophisticated as well, having evolved from the typical "Nigerian prince" scam into intricate messages impersonating a victim's bank or PayPal account. Phishing is an attack meant to trick a victim into revealing personal information — credit card numbers, bank data and more — through websites that pretend to be legitimate.
Then there are "vishing" cons, where scammers claim that work needs to be done on an employee's computer and direct the target to a fraudulent website that downloads malware onto the system. Malware is an umbrella term for software designed to covertly infiltrate a device; lost data or system damage is the most common end result.
With more people working from home, the already rising wave of online crime has grown into a tsunami, said Nicholas. Even if many of these attacks are obvious spoofs, just one employee taking the bait can be enough to compromise an entire network.
Put simply, today’s businesses cannot have workers operating from unencrypted personal devices, particularly with artificial intelligence and machine learning providing yet another vector for the bad guys, added Nicholas.
“If I were running a small business, I would invest in some laptops and tablets and have my IT people secure them,” Nicholas said. “Especially in the event employees drop or lose equipment, that data will be encrypted and can’t be viewed by anybody without great effort.”
Companies without IT staff would be wise to let a third-party provider iron out any network weaknesses, said Nicholas. At the least, business owners should find a local university or chamber of commerce where cyber-related advice may be offered for free.
“Small businesses should take this seriously – don’t fall into the fallacy that you’re too small to be hacked,” said Nicholas. “It’s not about the size of the company, it’s about getting hands on as much data as possible. So take it seriously and do your homework.”
Preparing for disaster
Regardless of size, small and medium-sized businesses should be constantly preparing for the worst, said Nathan Sterrett, a certified information systems security professional based in Kent. Sterrett's Arwood Security Consulting firm runs tabletop exercises for IT staffers and executives alike, walking them through incident-response options and the harmful impacts of data loss.
“Security challenges come with loss of data control, as it’s not just being worked on at the office, it’s being worked on on a couch or laptop, too,” said Sterrett. “Especially with some of the new technologies that became mature during COVID like Zoom and Microsoft Teams.”
“That’s where the risk is coming from, because people don’t understand what they’re giving employees access to, or the consequences of that down the road.”
With 12 years in the industry, Sterrett has seen first-hand what a cyberattack can do to a company. One client, a maker of turnkey systems for manufacturing processes, got slammed by a ransomware breach that hamstrung its email systems as well as a code repository used for application development.
Sterrett helped the company move its code network onto cloud storage, while implementing stronger security controls onto user workstations. Some semblance of business normality returned after a couple of weeks, although it took two full months before the business returned to its pre-attack status.
Businesses with a "closet full of servers" should consider moving their data to the cloud, and be willing to spend $20-$100 a month to have the new cloud system managed by a provider, Sterrett said.
As for day-to-day work, Sterrett suggests businesses employ multi-factor authentication (MFA) instead of relying on basic usernames and passwords. MFA requires users to prove their identity with an additional factor beyond the password, adding a layer of protection on top of standard login procedures. A business password manager adds another layer, giving businesses password generation capabilities along with a safe location to store login info.
Businesses cannot sit back and hope for hackers to pass them by, said the medtech CEO and recent ransomware survivor. Thinking of cybersecurity as insurance is preferable to answering some truly scary questions when it becomes too late.
“You’ve got to spend the money to protect your system, otherwise you will be taken out,” the CEO said. “You have to do the basics and get the best tools you can afford. If you don’t, you're asking for trouble.”