Cybercrime is the greatest threat to every company in the world, and is now more profitable than the global illegal drug trade, according to the 2019 Annual Cybercrime Report from Cybersecurity Ventures.

Cyber attack is also the fastest growing crime in the U.S. and, according to Rodney Gullatte Jr., small businesses are a prime target because they’re “not serious about their cybersecurity.”

“You have the information that hackers want,” Gullatte told small business leaders at the Cybersecurity on a Shoestring Budget event May 7. “Even if you’re thinking you’re too small for somebody to want what you have — trust me, they want what you have.

“Another reason you’re a target is because you’re content with doing what you’re doing and you hope it doesn’t happen to you,” he added. “And my friends, hope is the worst cybersecurity strategy in the world. It will fail you every time. Don’t use hope. Hope is bad.”

Cyber attacks are growing in size, sophistication and cost, according to the Cybercrime Report, “creating unprecedented damage … and driving up information and cybersecurity budgets at small businesses, mid-sized to F500 and G2000 corporations, governments, educational institutions, and organizations of all types globally.”

But not every cyber solution needs to be expensive. The Pikes Peak Small Business Development Center hosted Cybersecurity on a Shoestring Budget as part of Small Business Week, to raise awareness about cybersecurity threats and to help business leaders understand “absolute necessities” of cyber protection that can be tackled at little or no cost.


Gullatte, a certified ethical hacker, SBDC cybersecurity consultant and founder of Firma IT Solutions, led the event with Samuel Thomas Elliott, business technology advisor at Amnet.

“We’re going to be talking about all kinds of hacking and cracking and coding — and trying to help business people in this community stop making poor decisions with your personal information,” Gullatte said before the event, describing it as a jargon-free “first step” for anyone daunted by cybersecurity.

FIX YOUR PASSWORDS

Most people have terrible password habits — at home and at work. Gullatte and Elliott both recommend, and use, password managers to secure and simplify their passwords.

They also recommend visiting haveibeenpwned.com to see if any of your accounts and passwords have been compromised in a data breach.
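An added example, not part of the article, of how the password side of that check can be done without ever sending the password or its full hash anywhere: the Pwned Passwords range API takes only the first five hex characters of the SHA-1 hash and returns every matching suffix with a breach count, so matching happens locally. The HTTP response below is constructed so the code runs offline; the count shown for “gobroncos” (the weak password the article mentions) is made up.

```python
import hashlib

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented endpoint; only the prefix is sent


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (5-char prefix to send, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def pwned_count(password: str, range_response: str) -> int:
    """Parse a 'SUFFIX:COUNT' range response and return the breach count
    for this password, or 0 if its suffix is absent. Comparison is local;
    the full hash never leaves the machine."""
    _, suffix = split_for_range_query(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def range_query_url(password: str) -> str:
    """The URL a real check would GET (prefix only)."""
    prefix, _ = split_for_range_query(password)
    return API_RANGE_URL + prefix


# Constructed sample response: two filler suffixes and the real suffix of
# "gobroncos" with an invented count of 3120. A live response has the same
# shape but hundreds of lines.
WEAK_PASSWORD = "gobroncos"
_, WEAK_SUFFIX = split_for_range_query(WEAK_PASSWORD)
SAMPLE_RANGE_RESPONSE = "\r\n".join([
    "00000000000000000000000000000000001:2",
    f"{WEAK_SUFFIX}:3120",
    "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7",
])

if __name__ == "__main__":
    print(range_query_url(WEAK_PASSWORD))
    print(WEAK_PASSWORD, "seen", pwned_count(WEAK_PASSWORD, SAMPLE_RANGE_RESPONSE), "times")
```

For a live check, fetch `range_query_url(pw)` and pass the response body to `pwned_count`; a non-zero count means the password should be retired immediately.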

Last, do not use a business email address to sign up for anything that is not specifically a business account. That misstep leaves the door open for hackers to jump from your personal world to your professional world — and wreak havoc there too.

“Do not mix your business email with your personal emails,” Gullatte said, “because when it gets out there, you don’t want them getting into your business.”

NON-COMPLIANCE IS COSTLY

Fines for non-compliance with breach laws and data privacy laws can be the death blow to a small business, Gullatte said.

“It’s not just a cyber attack that makes them go out of business. If you are a medical company, you are under HIPAA regulation, and [the fine] is $50,000 per record when you get breached. Do you have that money in your pocket? Nope.”

Colorado’s data privacy laws mean a business is held liable if it fails to report a breach or if it has been negligent in securing data.

“They call it ‘reasonable protection,’” Gullatte said. “Free antivirus is not reasonable protection. Having the password ‘gobroncos’ for all your accounts online is not reasonable protection. Not encrypting your data is not reasonable protection. And you will be held liable for all of that.”

ENCRYPT YOUR DATA

“There’s a local company that just got on [the ‘HIPAA Wall of Shame’, where breaches must be reported] because they had an unencrypted laptop get lost,” Elliott said. “You don’t want to be on that wall.”

Encrypting your data can protect you from similar disasters, Gullatte said.

“There’s no reason why in 2019, having a laptop stolen should mean you’ve been breached,” he said. “You can completely avoid that, at very, very low cost.”

Mobile device management to ensure you can remotely delete data on a lost laptop is about $10 per device, for example, and Windows 10 Pro comes with an encryption feature called BitLocker already built in.

“And if you are not using Windows 10 Pro and you’re in a Windows environment for your business, you are wrong,” he said. “Home edition is not for business; it lacks the security.”

RUN FIRMWARE UPDATES

Cell phones and gaming consoles will prompt you to run firmware updates, but for other devices you’ll have to do it yourself.

“Google the make and model of your router, your network printer, your smart TV and they’ll tell you how to update,” Gullatte said.

“Some devices get updates pushed automatically, like Google Chrome …” Elliott added. “But your firewalls, your routers, your TVs, they’re not always as sophisticated to force you to get those updates. And that’s when your TV might be used in a hack against the Pentagon. Don’t let that happen.”

BEWARE INSIDER ATTACKS

“Your people are the No. 1 threat,” Gullatte said. “Here’s the best practice: Before you fire somebody, take their access away. I repeat: Take away their access before you fire them, because they may destroy your systems or snatch all your information before they leave.”

MOBILE THREATS

Don’t trust free Wi-Fi, Gullatte said. Using the mobile hotspot on your smart phone is the safest option when you’re out and about.

“Those free wireless networks — I have a device in my bag where I can display the same wireless network as this place. So you have a 50/50 chance to log in to Catalyst Campus or to me. If you connect to me, I’ll be able to track all the information that’s on your machines. I can copy a bunch of people’s favorite websites … and I’ll put a link on there that has one of those little downloadable encrypted files, that you’ll end up taking back to your office … and now I’ve got access to your corporate network.”

BACK UP OFF SITE

“Ransomware is the biggest headache you don’t want,” Gullatte said. “… It will attack everything that’s on the network. It will attach itself to every connected hard drive device on all the computers. So if you’re one of those people who say ‘Oh, I’ve got a backup, I’ve got an external hard drive connected and it backs up every night’ — ransomware is going to get it.

“The best way to protect yourself from ransomware is backups off site.”

Gullatte and Elliott recommended Carbonite for off-site backups for small businesses.

IT’S PROBABLY A SCAM

“Phishing is one of the biggest things for all of us to be aware of …,” Elliott said, “because this is oftentimes how these malicious scripts, software, malware is getting installed, and it’s also how you [become a victim of] fraud.”

Phishing is a form of fraud in which an attacker masquerades as a reputable person or business via email or phone, and distributes malicious links or attachments that can extract login credentials or account information from victims.

Phishing attacks can also be used to persuade victims to send large sums of money to a person or organization they trust — when it’s actually going to the hackers.

“If it looks fishy, give the person a call … so you know you’re actually talking to who you believe that you’re talking to,” Elliott said.

Gullatte added that an unsolicited call from anyone claiming to be tech support “is 100 percent going to be a scam.

“If anybody asks you to send them money, don’t do it,” he added. “Make a phone call to whoever is authorizing that or requesting it to make sure. I know a company here in town whose owner was on his way to Jamaica and apparently sent an email to accounts payable to wire $25,000 for some equipment for the business, which isn’t an odd request — but it wasn’t from him. When he got back and 25 grand’s missing he’s like, ‘Where’d my 25 grand go?’ … They were only able to recover $19,500.”

Other Cybersecurity on a Shoestring takeaways included:

• Never use free email (like Gmail or Yahoo) for your business.

• Use two-factor authentication.

• Back up all computers regularly.

• Invest in a business-class firewall and a business-class router.

• Seek advice from SBDC cybersecurity consultants.

“Let me set the expectation right now: Nothing is 100 percent secure,” Gullatte said. “But you don’t have to be low-hanging fruit. You can be hard to get with the things we’re teaching you today. We’re going to get you off the floor.”

Editor’s note: Amnet is a vendor to the Colorado Springs Business Journal.