Businesses urged to prepare for cyberattacks
Security experts warn Maui entrepreneurs to also watch for scams at two-day conference
KAHULUI — Small businesses are a favorite target of cyber criminals, and owners need to prepare for attacks as they would a flood, fire or other risk, experts said Wednesday at the Hawaii Small Business Conference.
“There is a misconception out there that if you’re in a small business, why would they come after me?” said Edward Arias, special agent with the FBI and member of the Honolulu Cyber Crime Squad.
“If I’m a bank robber, do I want to hit Bank of Hawaii’s main office two blocks away from a police station?” he asked. “No, what I want to do is look for a branch out of the way. . . . I may not get as much money but if I do it enough times, it’s a lot less risk versus trying to rob the main branch.”
With National Small Business Week in full swing across the country, the two-day conference at the Maui Arts & Cultural Center drew small businesses from all over Maui and the state looking to boost their business savvy. Nearly half were solo entrepreneurs with 10 or fewer employees. A quarter of businesses in attendance had 100 employees or more.
For many small businesses, cybersecurity is an oft-overlooked aspect. Few have the money to invest in top-notch protection.
“You barely have time to keep up with the day to day. How are you going to take care of cybersecurity?” acknowledged Matt Freeman, senior manager for IP and managed services at Hawaiian Telcom.
Cyberattacks are going up — all industries saw a 38 percent increase in security incidents in 2015, according to a 2016 Global State of Information Security Survey by professional services network PwC. It was the biggest jump in 12 years, software company SAP reported.
The most common schemes range from outright hacking to scams that try to get people to invest money in a program promising great returns. There’s phishing, which uses email and texts to trick people into giving up sensitive personal information; ransomware, in which hackers encrypt people’s files and try to extort money to get the files back; and vacation rental scams, where criminals advertise a person’s vacation rental or home and collect the cash, and many more scams.
Business email compromises “are a huge problem here,” Arias said. Once a person clicks on a compromised email, criminals can monitor the account. They’ll pose as clients or chief executive officers, telling employees to send payments to certain banks and making off with the checks.
“Typically, the wire transfer goes overseas, and we have no way of getting it back,” said Arias, who recommended calling clients to verify before making a payment.
Last year, one Maui business had an unpleasant encounter with a scam. An overseas “cybersquatter” snapped up MediSpa Maui’s domain name after it expired, posted explicit images on the site and tried to sell it back to the company for $9,700. Technically, it was all within legal bounds since the domain had expired.
Businesses don’t need “millions of dollars” to protect their information, Freeman said. They just need to start with the basics: taking an inventory of what they have and figuring out what’s most critical. Which workstations do the accountants use? Who has the most sensitive data?
Businesses also should back up all of their data at least once a month and familiarize themselves with common cyberattacks.
“It’s not if you get hacked, but when,” Freeman said. “So prepare in advance, know what you have to do, have an incident response plan and discuss it with your staff.”
If businesses have an information technology specialist, they should send him or her to training.
“Tools are expensive and hard to maintain. I prefer to invest in people,” Freeman said.
And things that seem as minor as choosing a password can make a difference. Verizon’s 2017 Data Breach Investigations Report found that 81 percent of hacking-related breaches leveraged either stolen and/or weak passwords.
“The first line of defense is that password, yet it is one of the things that people do the worst,” Arias said. “What’s the weakest link in any security system? The human being. How many times you tell people don’t use the password ‘password’ and they use it anyway.”
If someone is a victim of a scam, he or she should visit the Internet Crime Complaint Center at IC3.gov to file a complaint, Arias said. The complaints are put together and sent to field offices, which allows agents to pursue bigger cases “because guaranteed you weren’t the only one who was defrauded.”
Businesses also can sign up with the FBI’s InfraGard system at infragard.org for information and updates on cybercrime.
* Colleen Uechi can be reached at firstname.lastname@example.org.