Your self-storage business is going great. It’s profitable and successful. Then, suddenly, burglars break in and steal a laptop. Or a well-meaning employee clicks on a malicious link that freezes your data, and someone demands $5,000 in bitcoin ransom to release it. Or an employee gets an e-mail that appears to be from the owner requesting a transfer of $2,500 to someone who appears to be a supplier, but it’s actually a cybercriminal.
Why does cybersecurity matter to your operation? Because cybercrime is profitable. As long as the bad guys are making money, they’ll keep doing it. And they’re getting better at it. Businesses are getting smarter, too, but it’s like an arms race, and the cybercriminals are winning.
A Growing Problem
Cybersecurity isn’t just for large companies, though those are the ones we tend to hear about in the news. Small businesses can also be attacked and may have fewer defenses. In fact, broad-based cyberattacks may target groups of small businesses. One of the largest breaches ever (Target) started through an attack on an HVAC contractor who had access to the retailer’s information systems.
It’s been wisely said that data security is about people. It starts and ends with you. You’re the best defense. The human factor is truly the sneak threat—and not just criminals, but your own loyal, long-term, devoted employees, even when they have the best of intentions. People are helpful, predictable, busy, trusting, habitual and careless. Training and increased awareness have helped, but they haven’t solved the problem completely. Let’s look at some of the biggest cyberthreats today and how you can mount a defense against them.
Spear Phishing
Spear phishing is a customized, e-mailed attack on a specific company, maybe even a specific employee. It’s targeted and has research behind it. These aren’t the old phishing e-mails from a fake Nigerian prince, with typos all over them. A spear phishing message looks legitimate at first glance.
Spear phishing uses a “spoofed” or falsified e-mail address from the name of an actual owner or high-level employee in your company. It typically begins with a generic question like, “Are you in the office?” If you respond, it’ll often lure you to a fake website to invade your information system. It may install malicious software on your computer or give hackers a portal to steal information.
Best defenses: Caution and verification. These e-mails often sound urgent and appear to come from a person of authority. Look closely at the e-mail address. Don’t respond directly. Verify it by some other method, like calling or starting a new e-mail to confirm.
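To make the “look closely at the e-mail address” advice concrete, here is an added example (not from the article or its author) that applies the three checks a mail administrator can automate: an executive’s display name paired with an address other than the real one, a sending domain that is only a typo away from the company’s own, and a Reply-To that points somewhere other than the From address. The company domain, the executive list and both sample messages are constructed for the example.

```python
# Added example, not from the article. Flags the tell-tales of a spoofed
# executive e-mail: trusted display name with an outside address, a lookalike
# domain, and a Reply-To that diverts replies elsewhere.
from email import message_from_string
from email.utils import parseaddr

# Assumed company data (constructed for this example).
COMPANY_DOMAINS = {"example-storage.com"}
EXECUTIVES = {"pat owner": "pat@example-storage.com"}  # display name -> real address


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches domains one or two typos away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message: str) -> list[str]:
    """Return a list of warnings; an empty list means nothing suspicious was found."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []

    # 1. Display name of a known executive, but not that executive's real address.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        warnings.append(f"display name '{name}' but address is {addr}, expected {expected}")

    # 2. Domain is not ours yet is within two edits of one of ours (lookalike).
    if domain and domain not in COMPANY_DOMAINS:
        for ours in COMPANY_DOMAINS:
            if edit_distance(domain, ours) <= 2:
                warnings.append(f"lookalike domain {domain} resembles {ours}")

    # 3. Reply-To diverts replies to an address other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to} differs from From {addr}")
    return warnings


# Constructed sample messages: one spoofed (digit 1 for the letter l), one genuine.
SPOOFED = """From: Pat Owner <pat@examp1e-storage.com>
Reply-To: pat.owner@webmail.example
Subject: Are you in the office?

Are you in the office? Need a quick favour.
"""

LEGIT = """From: Pat Owner <pat@example-storage.com>
Subject: Lunch

Sandwiches at noon.
"""

if __name__ == "__main__":
    for label, m in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(label, check_sender(m))
```

The spoofed sample trips all three checks while the genuine one produces no warnings; in practice the same logic sits in a mail-filter rule that tags or quarantines the message so the employee never has to spot the swapped character themselves.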
Business E-mail Compromise
This cyber scam uses social engineering to get the recipient to do something, usually transferring money to a fraudulent bank account. It doesn’t use malware.
This con has several variants. In one of the most common, the e-mail account of a high-level director or manager becomes compromised. It may be spoofed or hacked. A request for a payment goes from the compromised account to a second employee who’s usually responsible for processing money transfers. This second employee sends the money to an account he doesn’t realize is fraudulent. The cybercriminal quickly transfers the funds elsewhere, often out of the country, and it’s gone.
This scam has increased 136 percent over the last two years. It’s aimed at businesses of all sizes, most of which are in the United States. Other variations include falsified requests from suppliers, fake invoices to vendors, and requests from hacked e-mail accounts to provide employee W-2 forms or Social Security numbers.
Best defenses: Procedures, scrutiny and verification. Establish procedures to verify or hold money transfers. Be suspicious of requests for secrecy or pressure to take action quickly. If funds are transferred to a fraudulent account, then act quickly by contacting your bank.
Ransomware
Ransomware is a real threat that’s been around for years and has been highly successful at extorting money. It most commonly starts when you click on a malicious link from a bad e-mail or unsecured website.
The software freezes your computer and encrypts your data files. A warning pops up and demands that you do something, usually pay money (often in bitcoin). The warning says you must pay within a certain number of hours to get the private key to decrypt your files. Ransoms typically range from $200 to $10,000. Once encrypted, there really is no technical way to fix your system other than wiping and restoring it from backup data.
An additional risk here is the uncertainty. It’s been anecdotally reported that after making the payment, you don’t always get your data back. There are several variations of ransomware (FBI Moneypack, CoinVault, CryptoLocker and CryptoWall), but they all work the same way.
Ransomware exploded into an epidemic in 2016. According to the FBI, there were about 4,000 attacks every day. For example, a large medical center was attacked, shutting down its systems for scans, lab work, pharmacy, radiation and oncology for more than a week. It ended after the center paid $17,000 to restore its systems. Years ago, law enforcement’s advice was to not pay. However, in 2015, the FBI stated it often encourages people to pay.
Best defenses: Don’t get infected in the first place. Get training and awareness on how to spot a suspicious link or e-mail. Next, have fully backed-up data. If you’re using a cloud-based service, check how far back in time its backups go. It can also be good to save a local backup to a computer or external drive. You can then wipe your infected computer(s) and restore the data. The success of a restore, of course, depends on how recent and complete the backup is.
There are continually evolving cyber laws that may affect your self-storage operation, such as state data-breach notification laws and the incoming California Privacy Protection Act. You may also want to consider cyber-liability insurance for your business.
The cost of cybercrime to the global community is estimated at $500 billion every year. In preparing for cyberthreats, lead time is important to minimize costs, establish processes and avoid surprises. I hope these ideas will be helpful in protecting your business.
Kelly Wilkins has been a certified information-privacy professional in the U.S. private sector for five years and has been guiding legal clients since 1991. She advises on how to manage risks from data, data breaches, and the rapidly changing cyber and privacy regulations. She’s a partner at the law firm of Snell & Wilmer, operating out of Phoenix. For more information, e-mail firstname.lastname@example.org; follow @KellyLWilkins on Twitter; visit www.swlaw.com.