UB Insider #54: Protecting Small Businesses Against Cyberattacks
About this episode:
From the earliest days of the internet, there have been scams designed to bilk innocent users out of money and information. As security has gotten more advanced, so have the hackers, and the results of getting hacked can be devastating for small businesses. In this episode of UB Insider, Eric Montague, CEO of Executech, talks about how small businesses can be prepared for these attacks and avoid getting sidelined. Subscribe to our podcast or download this episode on Apple Podcasts, Stitcher or Google Play.
Lisa Christensen: Hello and welcome to UB Insider. I’m Lisa Christensen, Online Editor at Utah Business magazine. From the earliest days of the internet there have been scams designed to bilk innocent users out of money and information. As security has gotten more advanced, so have the hackers. The results from getting hacked can be devastating to people and business alike.
Eric Montague, CEO of Executech, is here to talk about how small businesses can be prepared for these attacks and protect themselves from being sidelined. Welcome.
Eric Montague: Glad to be here.
Lisa Christensen: So besides not falling for emails from any Nigerian princes, what should small business owners do to keep from falling victim to phishing or ransomware?
Eric Montague: The biggest thing that small business owners should do first is prevent and protect themselves. So I always say that backup is the holy grail of computing, and that’s the fact. I mean, all of the scams that come out, all of the malware, the ransomware, viruses, any of it, they’re all essentially 100% mitigated with good backup.
An example is we had a client, a new client come into the office last month. They’d been hit with ransomware and they said, you know, we have backup so we should be fine. They were hit on a Monday and came in on a Thursday. It was a city in Idaho and their backup was a very poor backup. It only ran nightly, so it overwrote itself every night. So they brought it to us on Wednesday and they lost everything. So they had no idea what any citizen in the entire city owed them for utilities or anything. So it was a mess.
You have to be really careful with backups. Some of the key points are having revision history. That’s one of the most important parts of backups so that you can go back to multiple points in time. Only having one revision point to go back to is very, very dangerous. So people get a virus, things like that, they don’t realize it for a few days and they have a lot of problems. So make sure you have an offsite backup, some type of cloud backup that has multiple revisions. There’s a lot of really cheap ones that don’t have revisions.
Beyond that, you can also protect yourself from those scams. So most of those scams come from regions of the world that we know scamming activity comes from. So most spam filters, you can put regional qualifiers on your spam filters saying don’t allow things from Africa or don’t allow things from the Eastern bloc countries. And even though it may look legitimate, it probably originated from somewhere in an odd region of the world and when that occurs, your spam filter would block it altogether. So there’s more sophisticated spam filters out there that can block certain regions. Obviously if you need to do business with Africa you couldn’t block that, but it really helps a lot. So that’s a really important thing to do.
Lisa Christensen: So what are the effects if you do become a victim? You mentioned a city in Idaho that didn’t know how much their customers owed them for utilities. How exactly is this detrimental for businesses and for customers?
Eric Montague: It’s amazing how detrimental it is. The example in Idaho is a good example. A municipal organization thought they were backed up and they were hit with ransomware. When it occurs, it encrypts everything on the hard drive and the person has to pay to get a decryption key. And they chose not to pay. And so what happened is in that instance they didn’t know if you were three months late on your water bill and I was two months overpaid on my water bill. So they literally had to reset every person’s account in the city limits at zero and start from scratch, not to mention probably a little bit of a PR nightmare.
The others though, that are more common are monetary. So oftentimes these scams, people will fall for a wire fraud. It happens all the time. We saw six of them last year where people fell for a wire fraud. We’ve seen them as much as over a half a million dollars down to twenty or thirty thousand dollars. So you have to be really careful. And once it’s wired, it’s gone. If you contact the FBI, unless it’s over $500,000 then they won’t even look at it. The one we saw last year that was close was $496k and so they knew exactly what the limit was so that they wouldn’t get tracked down. So you have to be careful.
The other big one that’s going around, that went around a couple months ago now that we’re out of tax season, but the one that goes around every year is a W2 phishing scam where people are saying that they’re your boss or your HR manager or something like that and maybe they’re talking supposedly with your CEO via email and it’s a scam and they’re asking for copies of your W2s. And then you and I, all of a sudden because someone in your company distributed W2s, now you have a problem because you have had a fraudulent tax return filed. And when you go to file your tax return, let’s say they took a bunch of deductions and had a $10,000 tax rebate or refund given to them. When you go to file your taxes and you say, lovely IRS, I owe you $2,000, they’ll come back to you and say we already paid you $10k, so now you owe us $12k. They don’t take any responsibility for it, so you have to. So you have to be very, very careful on what can happen by these attacks.
Lisa Christensen: Yeah, you mentioned those wire transfers. What kinds of ruses do they use to get you to pay up in those instances?
Eric Montague: So let’s say my name is Bob and I own Bob’s Burger Barn. Right? And you were my CFO and your name was Nancy, right? So what happens is somebody makes what’s called a spoof email address, so Bob at Bob’s Burger Barn. It looks right and oftentimes it’s spelled exactly right. You can spoof an email address very easily as if it was coming from Bob. I send it to you and maybe I have a chain of email in the body in the thread that makes it look like I’m talking back and forth with a vendor.
And then maybe I send it to you as the CFO saying hey, Nancy, I’m meeting with these guys in the morning and they have to be paid before I meet with them. See the chain of communication and the wire instructions are attached. Please send them $84,000 in the morning for fries because I’m meeting with them and they have to have the money to get us the fries. Nancy, being a studious employee is like, oh, Bob needs money wired. She gets up at 7:00 AM, wires the money and then Bob comes to work. Nancy is like, why are you here? I thought you were meeting with Joanie’s Fry Shop or something like that. It looked real, came through, it’s very easy to spoof.
If you hit reply, oftentimes the email address in the reply isn’t what it said it was. So if it said Bob at Burger Barn, now it’s going to Africa1234@gmail.com or something like that. Sometimes there’s one letter off so people don’t catch that. So in Bob’s Burger Barn, maybe they have two A’s or BA something else N, like BANN or something like that at the end so it’s spelled different so it doesn’t look off. But it happens a lot. It’s surprising how often it happens.
How they do it, how they determine Bob and Nancy is that they will go to LinkedIn or social media and they’ll find that I’m the CEO and you’re the CFO and then they’ll literally send thousands of emails to Bob’s Burger Barn, just the domain at @bobsburgerbarn.com, determine what the naming convention is for people’s email and they’ll find that it’s firstname.lastname@example.org. Because they’ll send thousands and what happens is they’ll notice the ones that don’t give a bounce back and they’ll know ok, we’ve figured out what it is. And they just keep hitting tons of people at the company.
Maybe they’ll send an email to somebody from the CEO saying hey, what are we doing tonight? And maybe it’s some guy in the mail room who’s like, why is the CEO emailing me? So he replies back, hey, what’s up? And as soon as he replies some key information has been gathered. They’ve figured out probably a logo, an email signature, the fonts the company uses, their legal disclaimer, all of that. So now the perpetrator has all of that, so when he sends that email to Nancy, the CFO, it has everything that makes it look real. So it’s a pretty well orchestrated attack that people do.
Lisa Christensen: Yeah, that seems really elaborate.
Eric Montague: It’s really elaborate, and it’s all automated. You would think that it’s some guy sitting behind his computer in a dark room, pounding around at the keyboard to do it, but it’s not. It’s all automated by server. A human only gets involved once all of that first stuff has been gathered.
Lisa Christensen: Wow. So it’s just a crazy-good algorithm.
Eric Montague: Yeah. Exactly.
Lisa Christensen: Wow. So given this and given all of the different ways that they can attack, how can companies protect themselves? You mentioned backup and such, but when we were talking earlier you mentioned four key steps that companies can take. What are those?
Eric Montague: So it’s important to remember that everybody is going to get hit. I mean, your company is going to get one of these emails or they already have, right? We got a call yesterday from a mortgage company where they got one of these emails, they clicked on it and it was a reset your password to Zions Bank or something like that. They went in and walked through the procedure and gave whoever it was the entire mortgage company’s banking account information. So that’s a big problem because they’re doing mortgages.
So giving employees and empowering them with knowledge is really important. So oftentimes in businesses now, you see kind of in the ten years ago it was a joke where you’d see consultants come in and give awareness training or diversity training or stuff like that. It’s very common right now that there’s social engineering training where people will come in and meet with you, for example, if you were the head of a company and put together a plan to train your employees. And then they’ll say okay people, this is what could happen and maybe they’ll go through the W2 scam or the wire scam or any of the others. And then they will perform a test, unbeknownst to the employees. They will use the same algorithms that the bad guys use and they will perform a test against people and see how they react against it. Then they’ll go back and meet with the owner or CEO or President, HR Manager, whoever’s conducting the test and say okay, 22% of your employees fell for this. So oftentimes what happens is that they will do the test then training and then test again. Sometimes they’ll train, test, test. Just things like that. So teaching your employees is really, really important.
We’ve already talked about backups. They’re critical. One of the other, the two things that are really important for some of the ransomware. One of the things that is very important with malware is having all of the correct patches on computers. And Microsoft or even Apple, it happens with Apple as well. Sometimes some of these computers have security loopholes into them. So they’ll have updates.
As an organization it’s really important to mandate those updates down to every computer. It’s very easy to do with what’s called a patch management system. It’s very cheap. And an owner or an IT person can know where the patches are on every computer. But one of the most important things is having good protection. Because like I said, every company is going to get hit with it.
There are a lot of good antivirus products on the market. Most of them don’t have great ransomware blocking abilities. The most popular one right now is a product called Sophos. They have a product called Intercept X and it’s currently the only product on the market that protects against ransomware. So when it comes in, when that email came in, for example, the one from Bob to Nancy the CFO at Bob’s Burger Barn, it would have caught that and said wait, you’re not sending to the right person. It would have stopped the email transaction to the point where the person would have known.
You can also have… A lot of higher-end email systems have what’s called DLP or data loss prevention where it scans every email that goes out and maybe if there’s social security numbers or credit card numbers, it can scan attachments and things like that and determine what’s going out. You can restrict certain people in your company from doing that. Or there can be a two-step approval process to send things out like that. So there are a lot of good products out there that stop it once it happens.
Lastly, if you do get hit like this mortgage company yesterday, don’t try to fix it yourself. The problem with the city that I was speaking about earlier, they tried to fix it themselves and they messed up the encryption of the files to where even if they had paid for the code to decrypt the files, they wouldn’t have been able to because they tried to fix it themselves. Once you try it, you break the encryption that’s in there and then the files are absolutely gone. So just be really careful. If you’ve been hit and you’re worried, I’d call a professional to come help you.
Lisa Christensen: Given how fast this field changes, given how quickly the bad guys are catching up with the good guys – it’s kind of a cat and mouse game – how do you stay ahead of the curve with something like this?
Eric Montague: That’s a great question. It’s very difficult, in fact, I’d say that it’s violently difficult. Staying ahead in the technology world is really hard. Things are changing every day. Yesterday Europe was hit with a monster ransomware virus and the simple thing is really staying educated. So as IT professionals like at my company, Executech, we train every Friday. And every Friday we go over things that are coming out, security breaches and things like that so that we’re aware of them and we know what’s going on.
There’s a lot of really good bulletins, for example, I mentioned Sophos earlier. If someone is a client of Sophos, they can get on their bulletins for security. On top of normal, other areas to stay educated within IT, it’s a fast-moving field. What worked for a firewall, we didn’t talk about firewalls. Firewalls are also very important in blocking a lot of stuff. But we didn’t talk about firewalls. The firewalls of two years ago aren’t sufficient today. The firewalls of five years ago are a boat anchor today. You know, so you have to be really careful to know what’s on top of the market.
What’s really important for business owners to realize is they can lose so much, so fast. And some people don’t want to spend the money on it because it’s kind of like an insurance policy, but it’s such a risky thing in today’s world. And there are economical ways to do it now. Two or three years ago it was cost-prohibitive, today it’s not. So it’s really worth the ounce of prevention to stop things like this from happening. And it’s worth every IT professional’s time to spend probably an hour a week just updating themselves on what’s going on in the world and IT security to make sure each one of them know what’s being hit onto their network every day.
Lisa Christensen: Okay, well thank you for coming in.
Eric Montague: Thank you, very happy to be here.
Lisa Christensen: Thanks also to Greg Shaw for production help. Let us know what you think at email@example.com or reach out to us on social media at @utahbusiness. You can also subscribe to our podcast or listen to past episodes on Apple Podcasts, Stitcher, Google Play or wherever you find your podcasts. Thanks for listening.