Small businesses' weak cybersecurity abused by hackers

Posted: March 20, 2017 at 1:59 a.m.

Randell Heath, in Sandy, Utah, poses next to a laptop displaying his company’s website.

NEW YORK -- Randell Heath said he isn't sure how hackers got into his company's website -- all he knows is that a supplier called, saying the site had become an online store selling Viagra and Cialis.

The problem might have been at the company that hosts the site. It might have been that Heath's passwords weren't strong enough. But the invasion taught Heath a lesson that computer experts say many small business owners still need: Keeping the company's computers and online sites safe isn't a one-time operation but requires continual vigilance as new kinds of attacks emerge.

"I'm planning on attending a 'Cybersecurity for Small Business' briefing," says Heath, president of Coldsweep, a Mountain Green, Utah-based company that uses dry ice to clean surfaces.

The chances of a small business being invaded -- of having computers, smartphones, tablets and even bank accounts hacked because of poor cybersecurity -- are rapidly growing. And some of the very things small businesses are encouraged to do to make themselves more visible, like having blogs, can also make them more vulnerable.

Symantec, a maker of computer security software, analyzed threats and cyberattacks that its network encountered and found that 43 percent of all cyberattacks in 2015 targeted small businesses.

Just from 2014 to 2015, Symantec saw a 36 percent increase in new malware, and a nearly 80 percent increase in new variations of the malware targeting Android users. The company also counted one instance of malware in every 220 emails, a bigger risk than one in 244 in 2014. And even after all the warnings, a primary culprit was attachments or links that employees click on, allowing hackers to damage or delete files, track a user's actions or steal data like passwords.

Invasions that render a computer's files unusable unless the user pays a ransom have also surged. Cybercriminals who use this method are aggressive -- one variation of ransomware attacked an estimated 100,000 computers a day within weeks of its release last year, according to the FBI.

The costs of an invasion can be steep. Heath estimates he lost $10,000 in business because the site was down. He didn't have to pay to have the website rebuilt, because his business was part of an incubator where tech help was available for free. But recreating a website could run a business well into the thousands of dollars.

Many owners believe that they don't have the resources -- human or financial -- to keep their companies safe, a task that requires keeping up with frequent security updates for software and equipment.

"The CEO is also the marketing person and also the [information technology] person. They simply don't have the wherewithal to manage computing platforms day to day," says Tom DeSot, chief information officer at Digital Defense Inc., which helps companies protect against cyberattacks.

DeSot estimates that a company with 30 to 50 employees might have to spend upward of $50,000 initially to give all its equipment the best possible protection, which includes sophisticated software and firewalls to keep intruders out, and then thousands each year to keep their security up to date. Smaller companies would have a much lower expense, but many owners still shy away from a cost that can seem prohibitive.

But there's a bigger problem: owners' willful ignorance, says Diana Burley, a professor at George Washington University whose expertise includes cybersecurity.

"You don't necessarily understand how vulnerable you are, because you think, why would someone target me? I don't have that much in assets, I'm not lucrative, why would I be a target?" she says. "We operate in an environment of complacency."

Some owners don't pay attention to notices about patches or updates from computer or software makers, Burley says. Those downloads often contain security improvements because tech companies have discovered problems that make their products more vulnerable to attack.

Many small businesses opt to hire a company that monitors computer systems and/or websites and makes sure they stay up-to-date. The cost for many small enterprises can be several hundred dollars a month.

But computers can still be vulnerable. Owners often don't take the simplest precautions, including making sure the passwords that they and their employees use are hard to find or guess for thieves, who use computers called bots to search for vulnerabilities, says Rick Hogan, CEO of Bleevit Interactive, a website design company based in Reston, Va.

A weak password and a lackadaisical approach to website maintenance allowed hackers to break into the site of one of Hogan's clients, a family-owned restaurant business. The criminals created additional pages of pornography that showed up in search results, and the intrusion went on for months because the owners didn't check their site. Hogan's company cleaned up the site, but the damage to the restaurant's reputation persisted -- its website address was flagged as pornography.

"We couldn't put a link for them on Facebook for six months," Hogan says.

SundayMonday Business on 03/20/2017