There isn’t a day that goes by where cybersecurity isn’t mentioned in the news headlines. The real trouble is that most people still relate such threats only to government entities or big business, but that’s wrong. Those attacks are simply the only ones making the headlines. The truth is that any electronic device can be targeted for an attack. This means everyone (individuals, small businesses and even non-profit organizations) needs to become more aware of their use of technology, as well as what data is being stored where and shared with whom, before they face legal risks.
Why Small Business – or Anyone Else for That Matter?
The answer is simple – hackers and cybercriminals do what they do for their own personal benefit. While some are ego driven, the end game for many is to make a profit. They seek access to your personal information to steal your money or leverage your credit for their cause, or they want to use your computer or web server to target attacks on bigger fish like government entities or big business. In recent years, more conversations about identity theft have helped end users, like you and me, stop and think about our purchases and become more aware of how and with whom we are sharing personal information. While this was helpful, it is forcing hackers to diversify their strategy for gathering data.
Hackers Target the Weakest Link
So, who or what are the weakest links? In the business world, smaller businesses and non-profits are the easiest targets for cybercriminals because they are unaware of the threats and/or they minimize the need for security because they don’t have the resources to properly protect themselves. Most even fail to have a proper recovery plan, leaving them completely vulnerable. But really, anyone who owns a website is at risk.
I had a recent conversation with an attorney, Scott Welch of Welch Law LLC, regarding the legal implications of cybercrime on small businesses and he too expressed concern about the risks they face. Here is an excerpt from our conversation.
JE: Scott, what information should be protected according to Missouri law?
SW: In 2009, the Breach Notification Law was passed in Missouri. It defines a breach as unauthorized access to personal identity information (or PII). That includes a person’s first name (or first initial) and their last name in conjunction with: social security number, driver’s license or other unique identification number created or collected by a government body, financial account, credit card, debit card account information with a security code or password, unique electronic id or routing cards in combination with a security code or password, medical or health insurance information.
JE: If there is a breach, what typically happens? Do they pay fines or something?
SW: Yes. If it is identified that personal information has been lost, stolen or compromised (by either company admission or by the legal action filed against a company), the fees related to handling a breach could be overwhelming for a small business. It is estimated that a company will be required to spend approximately $200 per record lost/stolen for one year of credit monitoring service. For example, if a database of 1,000 records was compromised, it could cost a company $200,000 in complying with their responsibilities under the law. Keep in mind that this doesn’t account for any fines or penalties assessed by the attorney general’s office. Altogether, the costs could be devastating for smaller organizations. As you know, there are insurance policies that will help cover such costs, but many businesses are unaware and unprotected.
JE: What steps do you recommend to your clients to protect themselves?
SW: Effective protection requires a multi-layered process that starts with the evaluation of what data is being collected, knowing where that data is stored and who has access to it (employees, volunteers, third-parties), and establishing organization-wide policies supported by regular training to keep everyone in the organization on the same page. The best way to get started is to build relationships with trustworthy computer/IT, web management, insurance and legal professionals who know the right questions to ask and can help identify potential risks. They can work together to create a strategy that makes sense for that specific business.
Think you’re safe because you don’t collect data? Think again!
The fact that you have a website means you have server space that attackers could use either to launch a hack or to create a web of diversion for those who might track their activity. It is important that you regularly check these files to identify whether anything looks out of the ordinary. Additionally, you should be regularly backing up your web files so you have a way to quickly recover from a malware or ransomware attack.
Right now you’re likely thinking… well, doesn’t my web host do that? The answer is likely no. Most name brand hosting companies (like GoDaddy, BlueHost, HostGator, SiteGround, etc.) watch for unusual activity in the overall performance of the server, but if someone uploads a file containing malware to your web files, it likely goes undetected until it’s too late. And yes, they do perform nightly back-ups, but those are more for their own recovery needs than for restoring your files. They can restore them, but in most cases it will cost extra fees to extract just your files from their archive process. Smaller hosting companies are more likely to offer more personalized services.
Case Study: Malware Injection
We had a health care client that refused our maintenance service on her WordPress website. It turned out she had an employee who felt comfortable with the technical aspects of maintaining her site, and she was going to give that employee that responsibility. That was all fine, until that employee quit. A couple of years went by and we hadn’t heard from her until one day a customer of hers called, stating that they kept submitting information to her on her “contact form” and had never received a reply. She checked her messages and online data and never saw any inquiries, so she called us to see what was happening.
It turned out that since that employee left, no one had been managing the required updates on her website or server, leaving her WordPress system, theme and plugin files vulnerable to attackers seeking out known back-doors in these programs. At some point, someone found their way in and replaced her form with their own form. Essentially, every time one of her clients (or prospective clients) entered their personal information into this form, it went to the hacker, not her. Because no data was being collected by her system, she had no clue how many people were affected by this hack or what personal information was lost; there was no way to tell who had completed the form apart from the one client who called her.
We immediately suggested repair services to remove the fraudulent form. In our debugging process we also found malware injected on her home page. Every person who landed on that page and scrolled down to the bottom of her front page content activated a script that re-directed them to a fraudulent website, which loaded another script on their computer suggesting their computer had a virus and that they must purchase a “Microsoft Virus Removal Service” to restore access to their files. The pop-up could not be closed without closing the internet browser window, and every time the browser was re-opened the pop-up returned, blocking access to the internet.
The Moral of This Story: While the employee knew how to do updates to the plugins and system, she did not have the technical knowledge to understand which files are regularly targeted by hackers and what to do to technically defend the site on a regular basis. These problems could have been avoided if the client had approved technical maintenance from her developer, who knew how to execute a proper maintenance and recovery plan to help her keep her website healthy. Additionally, she could have avoided the fees she incurred for the maintenance and recovery process to fix her website.
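A check aimed at the two changes found in this case study, shown as an added example that is not part of the original article: list every form target and script source on a page that leaves the site's own host. It assumes the swapped form and injected script pointed at another host, which the article does not state; all host names and the sample HTML are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class OffsiteAudit(HTMLParser):
    """Collect form targets and script sources that leave the site's own host."""
    def __init__(self, page_url, allowed_hosts=()):
        super().__init__()
        self.page_url = page_url
        self.allowed = {urlparse(page_url).hostname, *allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = {"form": "action", "script": "src"}.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if not value:
            return  # inline script, or a form that posts back to its own page
        # Resolve relative and protocol-relative URLs against the page URL.
        host = urlparse(urljoin(self.page_url, value)).hostname
        if host not in self.allowed:
            self.findings.append((tag, value))

def audit(html, page_url, allowed_hosts=()):
    """Return (tag, url) pairs that send data to or load code from other hosts."""
    parser = OffsiteAudit(page_url, allowed_hosts)
    parser.feed(html)
    return parser.findings

# Constructed sample page: one expected form, one swapped form, three scripts.
SAMPLE = """
<form action="/contact-submit.php"><input name="email"></form>
<form action="https://forms.collector.example/in"><input name="phone"></form>
<script src="/wp-includes/js/jquery.js"></script>
<script src="//widgets.partner.example/chat.js"></script>
<script src="https://cdn.redirector.example/r.js"></script>
"""

def demo_audit():
    # widgets.partner.example stands in for a third party the owner knows about.
    return audit(SAMPLE, "https://clinic.example/contact",
                 allowed_hosts={"widgets.partner.example"})

if __name__ == "__main__":
    for tag, url in demo_audit():
        print(f"off-site {tag}: {url}")
```

Inline scripts and forms that submit to a file on the same host are outside what this check sees, so it complements a comparison of the files themselves.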
So What Does This All Mean For Your Business?
In today’s world, if you are a business owner and you have a website, it is essential for you to take responsibility for those files and make sure you’re doing all you can to maintain a safe browsing environment – not only for your guests but for the internet community at large. It is important to maintain an active relationship with a web developer or web management company and make sure that you (and they) are doing everything you can to keep your site healthy. Recent updates, like adding an SSL certificate to your website, are being enforced by search engines to help keep the internet safe for everyone. Keep in mind – you are ultimately responsible for your website or blog. Maintenance of your website is typically an added service from most designers, as it does take time to effectively perform technical oversight for you, so if you are paying for this service, then great. If not, you may want to investigate your options. As a business owner with a web presence, ultimately it is up to you to make sure you are compliant with necessary security measures to protect your business and customers.
If you are unsure what these measures are or how your business could be affected, please contact Golden Services Group and start a conversation about a Cyber Security Risk Assessment. We’d be happy to help you identify any vulnerabilities and learn what you can do to protect your business from the risks.
About the Author: Julia Eudy is the founder of Golden Services Group and an experienced online marketing professional skilled in interpreting data analytics, writing compelling SEO-ready copy targeting engagement and creating a communication process to promote long-term referrals. She is also a STOP.THINK.CONNECT partner and can help you spot potential cyber-security threats and limit risks for your business.