When the Waldo Canyon fire roared closer to Colorado Springs on June 26, Jeff Beauprez, president and CEO of Colorado Networks, started getting frantic phone calls from businesses along the Garden of the Gods Road corridor.
Business owners were being evacuated and wanted to know what to do about their computer networks. They had no disaster plan in place. They had no backup servers.
“Get your hardware, throw it in the car and leave,” Beauprez said he told business owners. “They were asking, ‘What do we do in a disaster?’ Well, it’s a little late to talk about it now.”
When it comes to computers, most small-business owners embrace them, know how to use them and enjoy the added marketing and exposure they get from online transactions. But when disaster strikes — physical or cyber — small businesses are caught in the headlights, Beauprez said. His business is an engineering firm that designs general information technology, including custom-built computer systems.
Disaster plans and cyber-security plans are typical of what small businesses push to the bottom of the to-do list, Beauprez said.
“The fire shed light on the fact that this really does happen,” he said, “and, you really need to be aware of it.”
Addressing the problem
Protecting computer hardware and software and every bit of information tied to the computer is the focus of a series of upcoming seminars hosted by Colorado Networks and Six & Geving Insurance. It’s also the topic of an upcoming meeting, Cybersecurity for Your Business, which will introduce the newly formed Western Cyber Exchange, a regional consortium of public and private organizations dedicated to fighting cyber crime.
“We found that if a business is vulnerable to security threats, it is just as likely to be unprepared for disasters,” Beauprez said.
Cyber criminals are after information, money and control of computer systems to help them commit crimes. They hack into computers and steal personal information about customers; they plant fake anti-viruses; and they make phony orders worth millions to be shipped to one firm but billed to another firm. In one case, an IT company planted a virus that would activate when files were transferred from their network to another network to ensure that clients would run back to them for the fix.
Cyber threats will exist forever, says Mike Semmens, president and founder of Imprimis, Inc., which provides technical services, modeling and simulation and training with missile defense to government agencies. He caught a cyber thief trying to break into his company and stopped the illegal transaction before his firm lost millions.
Since then, he’s been dedicated to stopping cyber criminals and helping other businesses learn to protect themselves. As one of the principals behind Western Cyber Exchange, his goal is for small businesses to outsmart the cyber crooks.
“In the case of the fire, our emergency crews responded marvelously,” Semmens said. “What we should do is use it as a learning experience … compare it with what we would do in response to a cyber attack.”
Semmens has noticed an alarming trend: cyber criminals using small businesses to sneak through the virtual backdoor of big businesses, particularly those that contract with the Department of Defense. Small businesses typically don’t have their own information technology team and are left vulnerable, he said.
“The important thing here is the bad guys know that big companies have more security than the small companies,” Semmens said. “So, they go through the small companies.”
Part of the problem has been a veil of secrecy when it comes to discussing the details of how a cyber bandit broke into a business. A company that has been ripped off is not going around town talking about it, he said.
Western Cyber Exchange, he hopes, will become a portal of information — a way for a business to share information about the type of hacker or the type of security breach without blabbing personal financial information. The information about the hack would be shared with other businesses, but not the name of the business that was hacked, Semmens said.
“It won’t be easy,” Semmens said. “We have been working to develop a resource, the Western Cyber Exchange, as a source of information, both real-time and education and workforce development, so that we can create a safe environment for business and government residents.”
Protecting customer info
There’s another reason to tighten cyber security: liability, said Dave Reitan, a commercial insurance agent with Six & Geving Insurance. The loss of customer information is a major issue, he said. Commercial insurance carriers view cyber liability as a major threat.
Any company that does business over the Internet has exposure, Reitan said.
“You have to look at it from a risk management structure and understand the threat,” he said.
Beginning this year, any company that provides technology supplies, services and systems with security requirements for the federal government must have a cyber security plan. That rule affects about 20 percent of the businesses in El Paso County that contract with the government.
But insurance companies likely will recommend cyber audits of all businesses to determine risk. An audit would find the cyber vulnerabilities and allow businesses to fix the problem.
“Just as a business puts in a burglar alarm, they need to look at cyber exposure to protect their business,” Reitan said.
The two major exposures that a business faces are cyber security and privacy liability. If a company is hacked and information compromised, the company by Colorado law must notify the clients whose information was stolen. Businesses are buying insurance to protect themselves against cyber criminals.
“It comes down to making sure you are mitigating the risk, getting assets out of harm,” Reitan said.
Disaster planning is likely the last thing on a small-business owner’s mind, especially in this economy, Beauprez said. The thought of buying a $3,000 backup server is viewed as an outrageous expense, he said. But the business owner should look at how much it costs every hour to run a business — even a $2 million company may be paying from $1,000 to $3,000 per hour to run their business.
“If your burn rate is $1,000 an hour, your return on investment (for a server) is three hours,” he said.
Business disaster plans have to include a plan for computer data, Beauprez said.
“And it must include physical backup — and this is where people really fall on their face — what do you do if all your hardware is underwater? Do you have spare hardware or offsite servers?”
The fire put business disaster plans to the test, he said. Mostly, it uncovered businesses’ vulnerable spots, especially for businesses that have not updated the company disaster plan, he said.
“They say, ‘what’s our plan?’” Beauprez said. “I don’t know. Whose filing cabinet is it in?”
Cybersecurity for Your Business
11:30 – 1:30 p.m. Aug. 28, Antlers Hilton.
Register at coloradospringschamber.org