Editor’s Note: This article originally appeared in the spring issue of Business Leader, a quarterly magazine produced by the Leader-Telegram. To view that and other special publications, go to leadertelegram.com/magazines.
One of the most dangerous things a small or medium-sized business can do is assume that their data isn’t valuable — and that it doesn’t need to be protected from scammers, hackers or thieves.
At least, that’s what several local information technology professionals say.
“Small and medium-sized businesses have valuable data,” said Rick Hannam, channel account manager at WatchGuard Technologies’ Minneapolis-area location. “Small companies still have data worth big money. Everybody has personal identifiable information in their system … you’ve got names, social security numbers, dates of birth. If someone gets into your QuickBooks, that’s a lifetime of identity theft.”
Phil Swiler, director of membership development at the Eau Claire Area Chamber of Commerce, believes that Chippewa Valley business owners are eager to learn more about protecting their companies’ data from internet threats.
“A lot of people have perceptions of cybersecurity and IT, but it’s not their business, so they don’t really educate themselves,” Swiler said. “They just know they need a firewall and that’s going to stop everything. That’s just not the case.”
What’s at risk
Large businesses aren’t the only ones who face cyber threats. Some cyber criminals even specifically target smaller companies, Hannam said.
“(They’re) a weak link,” Hannam said. “The amount of cybersecurity protection a smaller business has will be less, typically.”
John Kolar, a Twin Cities-based fraud manager at Wells Fargo, said real estate, higher education, energy groups and small businesses are often hit harder by fraud.
In addition to the cost of hiring IT security — or contracting with an outside business to provide those services — small businesses often face more challenges in preventing fraud, he said.
“As a small business, when you’re trying to grow revenue and grow your business, you have to pay attention ... if you’re using a (cheaper) version of email, Gmail, Yahoo Mail, you have to make sure that’s secure,” Kolar said.
What kind of protection does a business need against cyber threats? The most important part of the equation — and the hardest — is educating employees, Hannam said.
Training staffers to recognize and flag phishing attacks — typically an email sent to someone within the organization that attempts to trick them into handing over a password, account number or social security number — is the most difficult part about securing a business’ network, he said.
With a password or other information, scammers can steal money or personal information from business’ online systems.
Phishing attacks often aren’t the poorly-worded, often-misspelled emails that blatantly ask the recipient to hand over their credit card information anymore. Phishing emails can be modeled to look like they’re coming from within the business, even from an executive or administrator, asking the recipient to wire money or open a file.
“You’d think that most people can recognize a phishing email and won’t click on it,” Hannam said. “Even the smartest people can fall for basic attacks.”
What can businesses do?
For one, start implementing a system called multi-factor authentication, Hannam said: “It’s easy, and the exponential level of security you get from adopting that is really dramatic.”
Passwords can be cracked. But with multi-factor authentication, once an employee enters their username and password, they’ll have to confirm the login a second time by entering a password, PIN number, face scan or fingerprint — through a mobile phone, token or other device.
“It’s a very powerful tool and it’s very, very useful,” Hannam said.
For businesses with accounting and payroll employees, Kolar recommended using “dual custody,” a strategy requiring two users on different devices to initiate and approve online payments.
“It’s a multi-layered approach,” Kolar said. “Put the products and services in place to protect your transactions, but also train your people.”
Hannam cautioned against business employees using wireless internet in public places, like coffee shops or hotels, saying scammers can easily crack encrypted passwords if someone is connected to a public hotspot.
“When you have people out on the road or working remotely, everyone should realistically be doing it in the same way. It’s your best bet to be protected,” said Josh Hanson, a consultant with Eau Claire IT service firm Imagineering.
Since new viruses and malware are constantly being created — hundreds of thousands of new malware threats hit the internet every day, Hannam said — Hanson also recommended businesses keep their firewalls up-to-date.
“If you have older equipment that’s no longer getting updated, you’re getting the base level protection, but anything new coming out you’re not protected against,” Hanson said.
Businesses should also consider keeping offline backups of their data in case of disaster, Hannam said.
“Nobody can stop everything,” he said. “Having a good backup and recovery strategy allows you the difference between an inconvenient day and a really bad day.”
Kolar encouraged business owners to talk to other people in their industries who have experienced fraud.
“It’s really hard to share a fraud incident because you don’t want your name in the papers, but that’s the best way to learn,” he said.
Looking at the Chippewa Valley
Hannam, Hanson and Kolar — along with several other western Wisconsin and Minnesota security professionals — spoke to Chippewa Valley business owners and IT professionals at the Chamber’s first-ever Cyber Security and Technology Conference on March 5 in Eau Claire.
“What I’m really happy about is the eclectic melting pot. We had people driving one to two hours away to come,” he said.
Swiler hopes to grow the conference into a large regional gathering that attracts business owners and security professionals from the Twin Cities and Madison areas — and he’s encouraged by the response in the Chippewa Valley.
The next conference is slated for 2022, Swiler said.
“This is whether you’re a small business that owns a garage, or if you’re doing Visa and Mastercard transactions, or if you’re handling any money at a counter, hiring part-time employees … I think there’s a craving for (that) knowledge in this region,” he added.