Remote work provides new cybersecurity challenges for small businesses

Ongoing work-from-home protocols have employees accessing sensitive company data via their own devices on home Wi-Fi networks. These devices may provide gaps for hackers and raise the probability of a successful hack.

A cyberattack can be devastating for a business of any size. Just ask a Northeast Ohio medtech CEO who endured a “two-week panic attack” after a Romanian cyber-criminal gang shut down his operations in February 2019.

Using a “GandCrab” ransomware strike – a type of malware that encrypts a victim's files and demands ransom payment in order to regain access – the crooks quite literally held the midmarket firm hostage before the malicious software could be lifted.

The attack froze employees out of the company’s PCs, servers, email files and inventory management system.

“It was a moment where someone else is controlling your life,” said the CEO, who wished to remain anonymous for security purposes. “A nightmare I don’t recommend ever wanting to relive.”

The ultra-connected global business environment

The medtech company’s recent troubles are emblematic of the current ultra-connected global business environment. With heightened digital connectivity comes increased cybersecurity risk, a threat landscape that continues to shift with the prevalence of remote work, said Ellen Boehm, senior vice president of IoT (Internet of Things) strategy and operations at KeyFactor, a Cleveland software solutions company.

“We’ve been going down this path for years,” said Boehm. “COVID accelerated the need for more secure systems to realize this connected world.”

Ellen Boehm, senior vice president of IoT (Internet of Things) strategy and operations at KeyFactor. (Photo: KeyFactor)

Protecting vital company assets can be a tall task for small-to-medium sized businesses lacking a dedicated information technology team or the time to focus on cybersecurity, said Boehm. Still, she believes these businesses are ignoring online safeguards at their peril.

In 2019, approximately 76% of American businesses experienced a hack, with 60% of small companies failing within six months after a breach, according to .

Ongoing work-from-home protocols have employees accessing sensitive company data via personal laptops, iPads or while using their home Wi-Fi networks. Unsanctioned devices may not be under an employer’s network, providing gaps for hackers and raising the probability of a successful attack.

KeyFactor took three months to remotely secure its own systems during the height of the COVID-19 pandemic, despite a background in software security that gave the company a leg up over most industries. Some smaller clients were left defenseless in those early days, as they did not have the staff or expertise to plug virtual gaps.

Small and medium sized businesses “are typically outsourcing IT,” Boehm said. “Or they don’t need to hire a person to do these detailed infrastructure pieces because there isn’t a full-time need.”

Not too small to be hacked

Even having cybersecurity protections in place is no magic shield against a determined hacker, noted the medtech CEO. Criminals infiltrated his system by exploiting remote monitoring software that the firm’s service provider had yet to patch against GandCrab.

During its long recovery period, the company could not bill customers or operate an inventory control system. A team of consultants, security people and forensic investigators labored on nights and weekends to regain system access as the business scrambled to meet orders.

“We went back to the paper mode of business until we could get back in the normal stream of things,” the CEO said. “We all had to be on our toes, and there wasn’t a lot of sleep in those two weeks.”

Rest came easier when the company's service provider paid the ransom. In response to the new remote work environment, the enterprise also bolstered its online systems with a refurbished firewall, isolated backups, better defensive software and an updated patch schedule.

“My advice to businesses is to get comfortable with your service provider,” said the CEO. “Do they have the sophistication and tools you need? Are they stretched too thin? Are you getting a good response time from them? Those are important questions.”

Businesses across industries are impacted by cybercrime, including entrepreneurs who maintain they are invisible to bad actors, noted John Nicholas, professor of computer information systems at the University of Akron.

However, ransomware and other dangers lurk, with global ransomware costs predicted to eclipse $265 billion by 2031, .

Small businesses with fewer security measures in place are an attractive target for ransomware thieves – those affected may find their files inaccessible until they provide a hefty payoff, Nicholas said.

Modern phishing emails are more sophisticated, as well, evolving from typical “Nigerian prince” scams to intricate emails impersonating a victim’s bank or PayPal account. Phishing is an attack meant to reveal a victim’s personal information – credit card numbers, bank data and more – through websites that pretend to be legitimate.

Then there are “vishing” cons, where scammers claim that work needs to be done on an employee’s computer. The attacker then directs recipients to a fraudulent website that downloads malware into the system. Malware is an umbrella term for software designed to covertly infiltrate a device, with lost data or system damage the most common end result.

With more people working from home, the already rising wave of online crime has grown into a tsunami, said Nicholas. Even if many of these attacks are obvious spoofs, just one employee taking the bait can be enough to compromise an entire network.

Put simply, today’s businesses cannot have workers operating from unencrypted personal devices, particularly with artificial intelligence and machine learning providing yet another vector for the bad guys, added Nicholas.

“If I were running a small business, I would invest in some laptops and tablets and have my IT people secure them,” Nicholas said. “Especially in the event employees drop or lose equipment, that data will be encrypted and can’t be viewed by anybody without great effort.”

John Nicholas, computer information systems professor at the University of Akron. (Photo: University of Akron)

Companies without IT staff would be wise to let a third-party provider iron out any network weaknesses, said Nicholas. At the least, business owners should find a local university or chamber of commerce where cyber-related advice may be offered for free.

“Small businesses should take this seriously – don’t fall into the fallacy that you’re too small to be hacked,” said Nicholas. “It’s not about the size of the company, it’s about getting hands on as much data as possible. So take it seriously and do your homework.”

Preparing for disaster 

No matter their size, small-and-medium-sized businesses should be constantly preparing for the worst, said Nathan Sterrett, a certified information systems security professional based in Kent. Sterrett’s firm runs tabletop exercises for IT staffers and executives alike, providing incident-response options as well as important knowledge on the harmful impacts of data loss.

“Security challenges come with loss of data control, as it’s not just being worked on at the office, it’s being worked on on a couch or laptop, too,” said Sterrett. “Especially with some of the new technologies that became mature during COVID like Zoom and Microsoft Teams.”

“That’s where the risk is coming from, because people don’t understand what they’re giving employees access to, or the consequences of that down the road.”

Nathan Sterrett, certified information systems security professional. (Photo: Arwood Security Consulting)

With 12 years in the industry, Sterrett has seen first-hand what a cyberattack can do to a company. One client, a maker of turnkey systems for manufacturing processes, got slammed by a ransomware breach that hamstrung its email systems as well as a code repository used for application development.

Sterrett helped the company move its code network onto cloud storage, while implementing stronger security controls onto user workstations. Some semblance of business normality returned after a couple of weeks, although it took two full months before the business returned to its pre-attack status.

Businesses with a “closet full of servers” should consider digitizing their data, and be willing to spend $20-$100 a month to have a new cloud system managed by a provider, Sterrett said.

As for day-to-day work, Sterrett suggests businesses employ multi-factor authentication (MFA) instead of relying on basic usernames and passwords. MFA validates the identity of specific users, providing tiers of protection on top of standard login procedures. A business password manager adds another layer, giving businesses password generation capabilities along with a safe location to store login info.

Businesses cannot sit back and hope for hackers to pass them by, said the medtech CEO and recent ransomware survivor. Thinking of cybersecurity as insurance is preferable to answering some truly scary questions when it becomes too late.

“You’ve got to spend the money to protect your system, otherwise you will be taken out,” the CEO said. “You have to do the basics and get the best tools you can afford. If you don’t, you're asking for trouble.”

Douglas J. Guth is a freelance journalist based in Cleveland Heights. His focus is on business, with bylines in publications including Crain's Cleveland Business and Middle Market Growth.