A year-and-a-half ago, an employee of Church Plumbing & Heating, Inc., in Elkhart, Ind., received an email that appeared to come from a job seeker. When the recipient clicked on the attachment, however, it delivered malware rather than a resume. Within minutes, all the files on her desktop computer had become encrypted.
It was a classic case of ransomware—malicious software that restricts access to your own information and demands payment of a “ransom” to regain that access. In fact, Church Plumbing & Heating soon received a ransom request for $1,000. Fortunately, the firm didn’t need to pay up. “Only one computer was affected, and we have a good back-up strategy. We just wiped the computer clean and restored all the data we needed from our back-up software, which runs automatically and keeps 30 days of history,” says Michael Church, general manager.
Several years earlier, as part of disaster preparedness planning, Church Plumbing & Heating had segregated its data. “Our QuickBooks, customer financial data, and service scheduling are all on a separate server that is locked down. Anything else, like emails and Word documents, is on local computers, and everything is backed up on a cloud server,” Church explains. Should anything happen to the firm’s building or its computers, Church can still access all data and continue running the business from any other location.
Clearly, even small businesses such as some HVAC contractors are not immune to cyberattacks. Aside from collecting ransom, hackers may be in search of your customers’ credit card numbers, employees’ Social Security numbers or bank accounts, or even access to your server to launch other attacks. According to Symantec’s annual Internet Security Threat Report, more than one out of three cyberattacks (34%) target firms with fewer than 250 employees.
“It’s unlikely that the Chinese government or the Russian mob is trying to find small companies. But a ransomware attack goes to everybody and anybody—the hackers are trying to hit far and wide,” notes Ben Graybar, a vice president and commercial banker at Hancock Bank in Tallahassee, Fla. Graybar, a frequent speaker on cybersecurity threats affecting businesses, says ransomware threats are often passed along unwittingly, by people whose email address books have been hacked.
That’s one reason Frederick Air, Inc., has a policy restricting the use of business email addresses to business correspondence. “The employees are not using our domain as their personal email address, so they’re not getting jokes and memes forwarded from friends,” says Dave Schmidt, operations manager of the firm in Frederick, Md. “If they receive anything they don’t understand or are suspicious about, they ask me whether to open it. Their automatic assumption is that an unknown email is either spam or will put something bad on their computer.”
Frederick Air’s employees save all data and documents to the company’s server, which is kept in a locked room and frequently backed up to a cloud server. Schmidt adds, “Nothing is stored on laptops or desktops, which only run software for the server. If a computer gets hacked or stolen, we don’t lose any information, just the device itself.”
Here are other steps you can take to deter, detect, and defend against cyberattacks:
Call on the experts. If no one in your company wants to shoulder the responsibility for cybersecurity, retain an IT consultant to periodically conduct an assessment and make recommendations regarding anti-malware programs, technology policies, and best practices. A consultant, for example, might advise strengthening the passwords used for online access or enabling two-factor authentication to confirm a user’s identity.
Consult with your attorney about legal liabilities should a data breach occur. “In Florida, for example,” says Graybar, “you’ll have a fine up to $1,000 a day if you fail to report a breach where customer information is lost and 500 people or more experience the breach.” In addition, ask your insurance agent about the costs and coverages associated with cybersecurity protection. A basic policy might cover the costs of notifying customers of a data breach and providing credit monitoring but not cover financial losses stemming from the cyberattack.
Conduct preventive training. In its most recent Internet Security Threat Report, Symantec reported that ransomware is typically spread through “phishing”—sending fake emails disguised as routine correspondence, such as invoices and delivery notifications, that require the recipient to open a file or click on a link. More sophisticated are “spear-phishing” emails—near-perfect spoofs of legitimate emails that are addressed to a specific recipient and elicit personal information such as a password.
“Probably the weakest point in cybersecurity is the human element, so we have trained everyone on how to spot a phishing attack,” says Michael Church. The email that launched ransomware at his company, for example, contained several red flags: an Italian domain (.it rather than .com), numerous grammatical errors, and a ZIP file attachment. To further reduce the likelihood of human error, review best practices such as not leaving a computer unattended, not forwarding emails from home to work, retyping web addresses rather than clicking provided links to ensure a site’s authenticity, and not replying to suspicious emails.
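The red flags Church lists (an unexpected sender domain, a ZIP attachment) and the advice to retype addresses rather than click links can be turned into a simple triage check that an office manager or IT consultant runs over a suspicious message before anyone opens it. The script below is an added example, not code from the article or either contractor; the expected TLDs, the sample messages and the domain names in them are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Assumptions (not from the article): a US contractor that normally
# corresponds with .com/.net/.org/.us senders; extend the set to taste.
EXPECTED_TLDS = {"com", "net", "org", "us"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso"}
HREF_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<]+")

def sender_domain(from_header):
    """'Name <user@host>' or 'user@host' -> 'host', lower-case."""
    return from_header.rsplit("@", 1)[-1].rstrip(">").strip().lower()

def link_mismatches(body_html):
    """Links whose visible text is a URL on a different host than the real href,
    the case where retyping the address instead of clicking pays off."""
    found = []
    for href, text in HREF_RE.findall(body_html):
        shown = URL_RE.search(text)
        if shown and urlparse(shown.group(0)).hostname != urlparse(href).hostname:
            found.append((shown.group(0), href))
    return found

def red_flags(msg):
    """Human-readable red flags for one message: a dict with 'from', optional
    'attachments' list and 'body_html'. Grammar checking is left to the reader."""
    flags = []
    tld = sender_domain(msg["from"]).rsplit(".", 1)[-1]
    if tld not in EXPECTED_TLDS:
        flags.append(f"sender domain ends in .{tld}, not an expected TLD")
    for name in msg.get("attachments", []):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in ARCHIVE_EXTS:
            flags.append(f"archive attachment: {name}")
    for shown, real in link_mismatches(msg.get("body_html", "")):
        flags.append(f"link text shows {shown} but points to {real}")
    return flags

# Constructed sample messages, for illustration only.
FAKE_RESUME = {"from": "Job Seeker <cv@applicant-example.it>",
               "attachments": ["Resume_2016.zip"], "body_html": ""}
REAL_INVOICE = {"from": "billing@supplier-example.com",
                "attachments": ["Invoice-4471.pdf"], "body_html": ""}
FAKE_PORTAL = {"from": "alerts@supplier-example.com",
               "body_html": '<a href="http://198.51.100.7/login">'
                            'https://portal.supplier-example.com/login</a>'}

if __name__ == "__main__":
    for label, m in [("resume", FAKE_RESUME), ("invoice", REAL_INVOICE), ("portal", FAKE_PORTAL)]:
        print(label, red_flags(m) or ["no red flags"])
```

A message with no flags is not proven safe; the check only surfaces the easy tells so the recipient knows to ask before opening.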
Limit access to data. Overlapping defense systems—such as a regularly updated firewall, intrusion detection software, and encryption of customer data—help deter hackers looking for easy entry. Not storing card numbers or running credit card transactions through your own server gives them even less incentive.
Both Church Plumbing & Heating and Frederick Air outsource credit card processing to a third party to reduce the risk of a data breach. The former uses chip readers in the field, which transmit numbers to Intuit’s server through an app. The latter uses standalone Clover chip readers that connect directly with the merchant services provider.
“The card number doesn’t go through our iPads or our server, so I don’t need all sorts of processes to protect that information,” says Dave Schmidt of Frederick Air. “Admittedly, we had to spend $6,000 to get all the equipment set up for the crews and service techs, but we actually get a better rate than when we were running the card numbers internally.” For customers wishing to keep a credit card number on file, Schmidt asks for a signed authorization form that remains in the company safe—and only he has the key.
Keep up with the latest threats. Graybar recommends setting laptops, desktops, and mobile devices to update software automatically; having patches in place will ward off the biggest problems identified by software companies. Also ensure security software is installed on all devices, and encourage employees to download apps only from trusted sites.
For the latest news on cybersecurity issues, Graybar frequently checks NewsFusion (www.newsfusion.com/cyber-security), a free app. Trends, threats, and tips are also discussed in blogs, reports, and white papers available from major software companies. In its 2017 report, for example, Symantec (www.symantec.com) notes an increase in malicious activity related to mobile devices—such as malware that gathers information from apps including Gmail, Facebook, and Skype—and to cloud-based applications, which are susceptible to Denial of Service (DoS) attacks that shut down an entire system.
“A hacker’s job is to find a way to circumvent every security precaution we take,” observes Church. “Hackers spend all day, every day, figuring out how to get past whatever you’ve come up with, so you have to stay on top of the technology news.”
Heightened awareness is one reason Church and Schmidt both selected Apple devices for their companies’ field personnel. According to Nokia’s Threat Intelligence Report, 81 percent of malware infections are found on Android phones, compared to the 4 percent found on iPhones (the remaining 15 percent of malware affects Windows computers). Schmidt notes, “The Apple store is more of a walled garden for apps, while the Android environment is much more open so pernicious programs are easier to get.”
Share what you learn. At industry meetings and in mix groups, talk about IT strategies for improving data protection, strengthening your technology policy for employees, spotting scam emails, and responding to cyberattacks. If one HVAC contractor has been affected by a phishing scam, ransomware, or data breach, you could be next.