BLACKSBURG — In an auditorium at the Inn at Virginia Tech last month, small-business owners, professionals and technology experts shared horror stories. They weren’t tales of irate customers, unreliable vendors or poor employees, but of unseen villains that wreaked far more havoc on their businesses: cyber security threats.
One woman told a story of the data breach that hit her family’s legal business when a hacker used a fake email account to take information from clients and then held the data for ransom. Someone else told of an executive who mistakenly sent employees’ tax information to Nigerian thieves who collected thousands of dollars of tax refunds. Another man said he worked with a company in the New River Valley that was scammed into sending a vendor payment to a hacker. When the vendor didn’t get paid, it came after the company, nearly leaving it bankrupt. There were more stories of unnamed small to mid-size businesses that found themselves near financial ruin because of cyber attacks.
The gathering was part of a cyber security forum hosted by the Small Business Development Center that was designed to raise awareness of the dangers of data breaches at small businesses, and to discuss how to prevent them. But the first step in the process is admitting that security attacks are something to fear, according to event speakers.
“Death, taxes and cyber security are the three things small-business owners don’t want to face,” said Bart Smith, the director of the Small Business Development Center.
He works with about 350 small businesses a year in the Roanoke and New River valleys. Hacking has become a serious issue that he’s dealing with more and more, he said, usually after it has already caused damage. After seeing these problems and the emphasis that the Small Business Administration has put on cyber security, he and others created a plan for the forum, which was held Oct. 26 in Blacksburg. The SBA provided funding for it.
The small-business center and the Roanoke-Blacksburg Technology Council heavily advertised the program, which included a panel of local experts and a chief security strategist from AT&T’s security services sector. About 40 people turned out for the event. Smith said he was pleased with the crowd because it’s often hard to get people, especially small-business owners, to pay attention to cyber security warnings.
“It’s such a head-in-the-sand topic,” he said. Often employers avoid it because they think it’s complicated and expensive and is more likely to affect large companies than small operations. News reports on cyber attacks generally follow large breaches at big companies, such as Equifax, Yahoo, eBay and Target. Attacks on small businesses often remain hidden, since many companies don’t want the public to know about them, and they affect far fewer people in any case.
Multiple speakers cited data from a report from cyber security firm Symantec, which determined that 43 percent of cyber attacks last year went after businesses with fewer than 250 people, costing an estimated hundreds of millions of dollars through theft and interruption of services. It’s a problem that’s growing more serious as businesses become more reliant on internet services.
Steve Vance, an Internal Revenue Service special agent, said since April 2016, he’s been involved in six breaching incidents involving W2 tax forms in the region, which includes Roanoke and Lynchburg. The first five attacks involved about 1,500 people and $800,000 worth of tax refunds. The sixth breach he worked with involved 1,400 people and about $1.6 million in refunds, much of which has already been wrongfully distributed. Many of the hackers are based in foreign countries.
“One thing that was said over and over in the forum, is that business owners need to start thinking, ‘It’s not if that happens to me, it’s when,’” said Diana Ayers, an executive with AT&T Small Business Solutions, who is based in Roanoke. AT&T is a large provider of internet services for businesses, and cyber security is something more clients are seeking, she said. However, Ayers said there is sometimes a missing link in understanding its importance. She said this is often a result of the language in the technical environment, which can be hard to understand.
The language definitely grabbed the attention of Lynda McNutt Foster, CEO of Cortex Leadership Consulting. She works with business owners and professionals and said a lot of words that cyber security experts use to warn about attacks — terms like “actors” instead of hackers, and phishing, malware and ransomware — aren’t going to trigger a strong reaction from people. But hearing stories of local data breaches left an impact. Hurting the brand and reputation of a business will grab the attention of most professionals, she said.
“I think they think about the systems themselves going down and the interruption in services that could occur,” said Foster. “I don’t think they think about it from a brand reputation standpoint and the devastation that could occur from it. I don’t think they are thinking about it from a legal aspect required of them if they are hacked, as far as the amount of money it will cost them in trying to communicate to customers that they’ve been hacked. I think it’s on their radar, they just aren’t thinking of the complete impact a hack could do.”
A portion of the forum was dedicated to ways small businesses can protect themselves. Smith said the most basic thing any company can do is come up with a plan for how to prevent attacks and how to respond when one happens. He said a lot of small businesses cannot afford to hire a dedicated cyber security person. But solutions don’t have to be expensive and they don’t have to be done all at once, he said.
Tech Squared founder Sean Peters and Sam Schneider, a security engineer for Imperva, put together a presentation that listed some beginning steps that wouldn’t be very expensive: removing administrative controls from every user and limiting them to a few, training employees to not fall for scams, reviewing cyber security insurance plans, making sure security software is up-to-date, identifying and documenting the digital location of the company’s most sensitive information and who has access to it, and encouraging small conversations with staff about security.
Ayers, with AT&T, said one of the first things companies can do is make sure their information is backed up in the cloud. Businesses also will want to create a separate Wi-Fi for customers and employees, she said, something many places do not do, and install a firewall with multiple levels of protection.
“There is no 100 percent fail-safe thing to do,” Ayers said. “It’s better to do this from a layered approach.”