Local cybersecurity experts warn ransomware is costly threat to small business

Jul. 5—As businesses, utility providers, municipalities and even hospitals come under attack with ransomware each day in the United States, local experts in the cybersecurity space are warning small businesses that the time to prepare for a cyber attack is now.

Just last week, Cobb County Board of Commissioners discussed hiring four additional staff members to the county's information systems team after hackers launched a phishing attack on county email addresses earlier this month. Earlier this year, the Cobb County School District fell victim to phishing attacks, which resulted in sending out false emergency alerts. Drivers across the southeastern U.S. felt the pains of a cyber attack against Georgia-based Colonial Pipeline Company in May after the company was forced to take systems offline and disable the pipeline, resulting in panic buying and gas shortages.

According to Deborah Frazier, a local senior IT support and cybersecurity consultant and head of marketing and sales at Innovative Network Systems, Inc. (INSI), a Marietta-based cybersecurity provider, small- to medium-sized businesses are just as vulnerable. It's estimated ransomware will cost businesses $6 trillion annually by 2021 and that an attack will take place every 11 seconds on average, according to Cybersecurity Ventures.

Managed Security Service CEO Jeff Uhlich of Cybriant, an Alpharetta-based cybersecurity provider, said ransomware attacks are up 61 percent through May 2021 compared to 2020, with phishing attacks as the leading vector.

"In 2021, the average cost of recovery and ransom associated with a ransomware attack has been two times more than the 2020 average global ransom demand," he said. "During the first two fiscal quarters of 2021, not only did ransomware attacks continue to become more targeted and sophisticated, but the most prolific 'double extortion' ransomware operators have been observed holding enterprise networks hostage for eight figure sums of up to $40 million."

Stephen Nowell, VP of IT operations at INSI, said small businesses are known not to invest in IT security and are easy targets.

"They usually do not have or can't afford dedicated IT personnel, let alone an IT Security specialist on staff," he said. "The IT work is done by someone who does multiple roles or the business owner themselves, and they can't focus on just their IT needs."

Nowell said small businesses without IT staff usually have a hard time just keeping up with basic IT security, such as making sure antivirus software is up-to-date on computers — the bare minimum needed to protect against today's attacks.

"I've heard small business owners say, 'I don't have to worry about that, I'm the small guy. They are not going to get much out of me,'" he said.

To date, Nowell said he's seen hacks that have cost small businesses between $10,000 to $100,000 in direct damages, downtime and additional cost to undo the damage.

Small companies are often not aware of the weaknesses on their network, Frazier said. The mission of the cybercriminal is to exploit that weakness, whether it is within the network or uninformed employees, she said.

"These weaknesses include missing software updates/patches, failure to terminate old employees from the system, unwiped unused laptops, unprotected backups or unsecured servers," she said. "This is why small businesses must ensure a holistic approach to cybersecurity and IT support."

The biggest risk to small businesses is phishing, smishing and spear-phishing attacks, she said.

"These bad actors cast a wide (net) through mass emails hoping to entice untrained employees to click on a link with embedded malware," she said. "The association often appears to be from someone they are familiar with, like their bank, credit card company, or friend."

By clicking a harmful link unknowingly, employees of small businesses can cause ransomware, or at worse, the bad actor can explore all data and weaknesses on the server for an average of nine months before they are detected, Frazier said.

"Now, think of all the data that resides on the small network, including HR, financial, intellectual property and client network connections, and you will realize how incredibly vulnerable they are," she said.

One of the biggest risks today for small- and medium-sized businesses is called a supply chain breach, according to Frazier. Supply chain breaches occur when a vendor is compromised and allows the attacker to gain access to their client's data or network systems.

"Once inside the system, they worm there way around to find valuable data like social security, credit cards and phone numbers," Frazier said. "Many companies, industries and government entities now demand their vendors perform a risk assessment if they want to do business with them. In addition, all 50 states have rolled out security breach laws that hold vendors and partners responsible for the information they store, transmit or have access to outside their own network."

A majority of these attacks INSI sees are phishing emails and scams that get users to clink on links or provide personal information to hackers.

"We have seen brute force attacks on open ports where a hacker sets up a program that tries different passwords until (they guess) the correct one," he said. "Out-of-date network equipment is vulnerable to known exploits unless they are patched and kept up to date."

Hackers have also changed with the times; They now have programs that will try to familiarize themselves with all known vulnerabilities on network equipment, according to Nowell. Hackers are developing more complex viruses not only for computers but smart phones as well that are not easily detected, he said.

"Also some small businesses move their IT data to the cloud thinking their cloud provider will protect their data," he said. "However they do not properly configure security settings and their cloud accounts get hacked."

Nowell, who said he has been involved with several local companies that have been hacked, said some of these businesses had to shut down for days until all devices were analyzed and the servers were rebuilt from back-ups.

"Clients have been victims of phishing emails where they give up personal information and had identity stolen or given critical business info," he said. "(A hacker who has) gotten access to sensitive email accounts, finds out they can authorize payments, uses legit client and other business information but has them send money to a bogus bank account. More businesses have been victims of cyber attacks then what is reported because they do not want (it) be known that they have been hacked."

Companies looking to proactively prevent falling victim to cyber attacks should get educated on the subject and understand where they're vulnerable, Nowell said.

"Staff should also have security awareness training so that they understand the importance of simple things like keeping their password private, identifying suspicious emails and not clicking on them, or providing access to or information on their network to outside parties or vendors that should not have access," he said. "Then minimizing access to the business IT network and infrastructure is critical. Have someone who knows IT properly configuring a firewall that prevents network access from the outside then doing ongoing maintenance to keep it up-to-date and patching exploits... Enabling multi-authentication where possible and keeping a protected backup of all business data (in case) something happens."

Madison Hogan is the Lifestyle Editor of the Marietta Daily Journal, Cobb Life Magazine and the Cobb Business Journal. Follow her on Twitter @madisonhogan for the latest and greatest in lifestyle news around Cobb. Send tips to mhogan@mdjonline.com