Small companies targets for cyber-attacks that can force them out of business

Cris Collingwood//July 6, 2022

Sixty percent of small businesses that have suffered a cyber security breach go out of business within six months.

Allan Jacks, virtual chief information officer with Morefield Communications in Camp Hill, said there was a 424% increase in cyber breaches last year over 2020, with 43% of the victims being small or medium-sized firms. 

Financial, utilities, insurance, high tech, and medical businesses are the big targets, he said.  

The cost can be catastrophic. Jacks said the loss of personal information can cost a company $180 per file.  

“If 10,000 records are lost, that equates to $1.8 million,” he said.  

According to the Cost of a Data Breach Report 2021 by IBM Security, small companies lost 38% of their business from increased customer turnover, lost revenue from downtime and increased costs of acquiring new business due to a diminished reputation.

Morefield helps smaller companies that may not have budgets for IT personnel set up protections against such attacks. It also recommends cyber security insurance, which can help pay for the loss of information, payments to those who lose information, forensics and even ransom payments, which are not recommended.

“There is no silver bullet” to protecting against attacks, he said. “But without protections, criminals are more likely to pick the low hanging fruit.” 

In order to get cyber security insurance, he said, a company must be able to show it is up to date on protections. That insurance, he said, can keep a company afloat if an attack happens. 

President Joe Biden signed an executive order on May 12, 2021, requiring all government agencies to establish multifactor authentication and data encryption for information between government agencies and the private sector.  

That order, Jacks said, reaches more companies than people think, because many make small products for the government or even work with companies that work with the government. 

In the 2021 Data Breach Investigations report by Verizon Threat Research Advisory Center, Herbert Stapleton, deputy assistant director, FBI Cyber, wrote, “Over the past decade, cyber threat has grown exponentially with national, state and cyber criminals increasing the scale and scope of sophistication of their cyber attacks.” 

Addressing the complex environment, he wrote, requires a more comprehensive response than any single government agency, business, technology, or data source can provide. 

Stapleton said agencies from the public and private sector are working together to protect against these attacks and impose consequences. 

Data protections include things like receiving an approval message when logging into email or entering a code for remote access; gaining administrative access if working on a server; and having access to backup data separate from the network, Jacks said. 

“Companies need an instant response plan that is updated on a regular basis so everyone in the company knows what to do if a breach happens,” he said. “Insurers want to know if people are trained and if they know what to do if they get a phishing message.” 

They also want to know if companies have a patch management system and how quickly they can roll out patches for software. 

Microsoft said in its report that cyber-attacks are the new norm for small business. The reasons the report cited include the inability to afford dedicated IT staff, inadequate or non-existent computer and network security, lack of a backup plan, and employees unknowingly helping cyber criminals. 

“Many companies work with third party companies and need to know what is required to continue doing business,” he said. If the third party is breached, so are the companies it works with.

“Over the past few years, insurers have been requiring companies to prove they are improving cyber security,” he said.  

So why are the attacks increasing? Jacks said more personal information is being stored, including social security numbers, birth dates, credit card numbers, even driver’s license numbers. All of that can be, and is, sold on the dark web, he said.

Insured or not, companies need to be up to date on cyber security because, unless someone is interested in specific data, they will go after companies with low security.  

“The more security you have, the more they will look elsewhere,” he said. 

The Verizon report also showed the need for small companies to increase protection. The report said that in 2020, small companies had fewer than half as many breaches as large companies. In 2021, the report said 307 large companies reported breaches while 263 small companies did.

Often the issue is that a company doesn’t have the resources for an IT department like large organizations do. Jacks said his job is to fill that role by assessing a company’s security and recommending improvements.

“In the past, many companies didn’t even consider this. Now they are. If things don’t look OK when you start looking, don’t put your trust in hope. We validate all of this,” he said. 

In fact, the only truly secure internet-accessible system is one that is powered off and disconnected, he said.

Even then, when a system is booted back up, information can be obtained or held for ransom. Jacks explained that many hackers will take information, encrypt it, and return it. Then when the company goes to use the information, it can’t access it.  

That was the case at Lincoln College of Illinois, which shut down May 13. A statement on the college’s website said the college was a victim of a cyberattack in December 2021 that halted admissions and access to all institutional data.  

Once restored in March, the college tried strengthening its financial position but was unable to do so. 

In addition to patching software, running back-ups, and conducting penetration tests, Jacks said companies need end-user training so that, if a breach occurs, they know what to do immediately.

“We do phishing tests (for clients) to see who clicks on suspicious emails. That way they learn what to look out for.” 

The bottom line, he said, is that if security isn’t monitored and protections aren’t in place, breaches will happen.