Half of the nearly 500 small businesses across Michigan that have completed a cyber-security assessment since December remained largely unaware of the daily risks they face.
About 10 percent of the small businesses rated as “code red” in the assessment, with “very low awareness of cyber security,” said Keith Brophy, director of the Michigan Small Business Development Center. Another 40 percent rated “code yellow” with a “weak” awareness of potential risks.
The remaining 50 percent rated “code green” and “they seem to be very well versed on the topic and what we would consider cyber safe,” Brophy said.
The early results from the free online assessment that the SBDC offers indicate that despite high-profile data breaches, many small business owners are not fully aware of the risks and what they need to do to protect their companies, Brophy said.
“A good share of small businesses do not see this as an ongoing part of the business practices that need to be built into their businesses,” Brophy said. “It’s nebulous. It still seems to be viewed as a techy thing.”
Small businesses should take just the opposite view, especially amid an escalation in cyber threats, Brophy said.
In fact, about 20 percent of the small businesses statewide that took the assessment reported they had experienced a security breach that hurt their operations. Another 20 percent simply answered they “didn’t know if they had been hit or not,” Brophy said.
In the National Small Business Association’s 2015 economic report, 17 percent of small business owners reported they had suffered a cyber attack at least once, and 21 percent had been hit two to five times. On average, an attack cost those businesses $7,115. Companies that had their bank accounts hacked lost an average of $32,020, according to the NSBA.
Small business owners need to “have an ongoing game plan” and look at cyber security the same way they look at how well their stores or facilities are physically protected against risks such as fires or break-ins. Regular staff training on how to recognize threats such as phishing emails and annual cyber security audits should become the norm, and not something that’s done only periodically, Brophy said.
“This needs to be built into your business,” he said. “Every business should take their internal team through a cyber risk and how it matches to that business because the steps to keep the business safe are going to evolve every year.
“The state of the art and the vulnerabilities are evolving that quickly.”
Andrew Smith, director of technical services at I.T. Resource Inc. in Coopersville, which works with the SBDC on the cyber-risk assessment, said businesses of all sizes need to treat cyber security the same way they do the security of their office, store or shop.
With so many laptops, smartphones, and tablets around and given the level of connectivity today as “the Internet of things gets larger and larger,” potential threats are constant, Smith said.
Just as a business owner locks the doors at night when they leave, they need to ensure their I.T. system is as secure as possible, he said. Small businesses, for instance, should avoid leaving their Wi-Fi signal on all night and open to attack from the outside.
“Cyber security is almost to a point where it is as important as physical security because it’s always at risk and everybody is a potential invader,” Smith said. “A lot of small businesses don’t see what we call ‘logical security’ as important as physical security. They see the physical security because they can feel it and touch it.”
SCAMS HARDER TO DETECT
Most small business owners and managers have a “foundational knowledge” about cyber risks “to give themselves some basic protections,” said John Hey, chief operating officer with I.T. firm Trivalent Group in Grand Rapids.
Trivalent worked with the SBDC on content that goes along with the online assessment.
Small business owners generally know about spam, computer viruses and phishing — “the things that have been around and the things that we’ve had to deal with for some years,” Hey said. Weaknesses often come from a lack of knowledge about how rapidly threats are advancing and the sophistication and ability of hackers and cyber thieves to infiltrate a system, he said.
As with most technology, the “human element” is often the weakest link, Hey said.
“You can really undermine the best cyber security around with poor behavior and a lack of knowledge, or even base physical security. Those are things that can undo the best of measures,” Hey said. “It’s education and behavior. It’s the human element that really seems to be the biggest soft spot beyond just the technical measures that you can take to protect yourself. The foundational knowledge runs out after the ABCs.”
Phishing emails “are getting to be so hard to discern that most tools are not going to find them or stop them,” Hey said. He advises clients to simply “default to suspicion” when they get an email from someone or an organization they don’t recognize.
One hot topic that Hey was seeing more frequently about a year ago was “ransomware,” where a cyber thief accesses a company’s system, encrypts and locks their data, and then demands payment to release it.
Trivalent has had clients with the right software and security measures, yet their system got breached and compromised because someone opened an attachment on an email, Hey said. In some instances, the company had to “pony up” and pay to get their data back, he said. In others, Trivalent was able to restore it.
SHARING BEST PRACTICES
The SBDC began offering the free online security assessment late last year using the website smallbusinessbigthreat.com. Small businesses that complete the assessment anonymously receive a report on the results.
Along with the assessment, the SBDC has been offering training through seminars and webinars, and a sharing of best practices.
The SBDC targets a goal of increasing cyber security awareness among 10,000 people statewide in 2016. As of the first week in April, 3,700 people had used the website to access information. About one-third of the visitors had started taking the risk assessment, and 484 had completed it, Brophy said.
The early results from the assessment reflect a “false sense of security,” along with the notion that hackers and cyber thieves target large corporations, not small businesses, Brophy said.
That thinking is common for small business owners, according to Hey from Trivalent.
“The small business owner has to shed that thinking — ‘I’m not interesting. I’m not a target because of who I am. I’m small.’ When in fact you are exactly a target because of those reasons,” Hey said. “The problem is that because you’re a small business and you probably are less sophisticated, you’re an easier target. Someone with malicious intent can go and reap their spoils on the backs of multiple, easier-to-compromise targets. That’s a lot less risky than trying to crack Target or Chase Bank or whatever it happens to be.”
The companies that have done the SBDC assessment so far have shown weakness in areas such as online credit card shopping, the physical security of computer equipment and password protection.
Just two years ago, an eight-character password with random characters and numerals was sufficient. Today, the automated tools used by hackers are more effective and passwords need to be reset on a regular basis, Brophy said.
“We’ve been surprised that those areas that seem to be some of the more covered areas out there are the ones where we’re seeing the lower scores,” he said. “Individuals just may have an outdated perspective for the state of cyber risk today.”
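The point above about an eight-character random password no longer being enough comes down to arithmetic: the number of candidate passwords grows with length and character-set size, and an attacker with an offline copy of password hashes can test billions of guesses per second on commodity hardware. The following is an added example, not part of the article or the SBDC assessment, that puts numbers on that claim. The guess rate of ten billion per second is an assumed, constructed figure for a fast offline cracking rig; the 95-symbol set is printable ASCII.

```python
import math

# Character-set sizes used in the worked comparison (printable ASCII = 95 symbols).
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 95,
}

# Assumed offline guess rate for a modern GPU cracking setup (constructed figure).
ASSUMED_GUESSES_PER_SECOND = 10**10

SECONDS_PER_YEAR = 365.25 * 86400


def password_entropy_bits(length, charset_size):
    """Entropy in bits of a uniformly random password of the given length and alphabet."""
    return length * math.log2(charset_size)


def seconds_to_exhaust(length, charset_size, guesses_per_second):
    """Worst-case seconds to try every password in the space at the given guess rate."""
    return (charset_size ** length) / guesses_per_second


def min_length_for_years(charset_size, guesses_per_second, years):
    """Smallest length whose full search space takes at least `years` to exhaust."""
    target = guesses_per_second * years * SECONDS_PER_YEAR
    length = 1
    while charset_size ** length < target:
        length += 1
    return length


def comparison_table(guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Return rows of (charset, length, entropy bits, days to exhaust) for 8 and 12 characters."""
    rows = []
    for name, size in CHARSETS.items():
        for length in (8, 12):
            days = seconds_to_exhaust(length, size, guesses_per_second) / 86400
            rows.append((name, length, round(password_entropy_bits(length, size), 1), days))
    return rows


if __name__ == "__main__":
    for name, length, bits, days in comparison_table():
        print(f"{name:20s} len={length:2d}  {bits:5.1f} bits  ~{days:,.1f} days to exhaust")
    needed = min_length_for_years(95, ASSUMED_GUESSES_PER_SECOND, 100)
    print(f"Printable ASCII length needed for a 100-year exhaustive search: {needed}")
```

Running this shows that eight printable-ASCII characters (about 52.6 bits) can be exhausted in roughly a week at the assumed rate, while twelve characters push the same search past a million years; the `min_length_for_years` helper turns a desired safety margin into a minimum length for a given alphabet, which is the kind of rule an owner can write into a password policy.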
Among the mistakes that Smith of I.T. Resource often sees is a lack of staff training or follow-up on security.
As risks evolve, the potential targets need to evolve and keep up as well, Smith said.
“The biggest mistake is, ‘I put it in. It’s going to work forever now.’ Unfortunately, every time something is built, somebody builds a way to get into it,” he said. “So you have to patch, you have to follow up, you have to make certain you take your security seriously all of the time.”