
Cybersecurity Awareness for Small Businesses

If you own or run a small business you know, better than anyone, that it’s not easy work. It takes a lot of time and energy to meet the demands expected of you every week. That’s why certain aspects of running a business, such as cybersecurity, often take a backseat to other, more urgent issues. Many small business owners look at cybersecurity as something they’ll get to when they have the time. Others rely on whoever in-house knows the most about computers.

Some employees might have the basic computer knowledge to get by, but a do-it-yourself (DIY) security approach isn’t the best choice. Let’s take a look at some reasons why outsourcing cybersecurity might be your best solution.

The Numbers Don’t Lie

In a recent survey, 87% of small business owners felt they were at low risk of ever being attacked. Even more alarming, 30% had absolutely no security solution at all. However, since 2016 at least 50% of small businesses have had at least one cyber-attack of some sort. That appears to mean that 37% of small businesses have already been attacked and still feel at low risk.

On average, a small business has a 60% chance of shutting down within a few months of a breach. Let that sink in. While many small businesses play fast and loose with security risks, the majority won’t live to tell the tale past a hack. A huge percentage of small businesses are happily swimming in the waters of commerce unaware of the school of piranhas forming underneath them because most of the previous victims have disappeared without a trace.

No One Is Too Small

Small businesses falsely assume that no one sees their company as attack-worthy. They think larger businesses are bigger targets due to their size and income. Everyone is a target. In fact, it’s worse for small businesses because they not only have less security, but their valuable information often lacks appropriate backup.

What’s Good for the Goose Isn’t Good for the Gander

When implementing cybersecurity for a small business, many people turn to what they’re familiar with. This often takes the form of relying solely on basic virus protection. While programs like these are certainly better than nothing, there’s more to do than controlling the spread of viruses. Cybercriminals are more motivated than ever before, and some hackers even work in teams to attack your computers until they find a way in. Single-layer, consumer-level solutions are not the best defense.

The Rising Threat of Ransomware

Hackers are far from dumb criminals. They know exactly what they’re doing. If a hacker encrypts the information on a single computer in a small business, there’s a good chance they can infiltrate the rest of the business, holding it captive using a ransomware attack.

When a hacker takes over your information, they hold it hostage until you pay the ransom, just like in a physical ransom situation. Just how much ransom are we talking about? According to some experts, half of all ransomware payments made by businesses amount to more than $10,000. 20% are more than $40,000. If you’re a large corporation, that could be a drop in the bucket. But for a small business, the cost is far more damaging. The ransom payment could amount to months of payroll. It’s no wonder that many small businesses close up shop after being attacked just once!

The Bottom Line

Take heart. This is not a hopeless situation. Nothing could be further from the truth! A small business simply needs to prepare. One of the biggest hurdles to having a comprehensive security plan is the cost. Most small businesses can only dream of having one dedicated cybersecurity person, let alone a whole division like many larger companies have. What is a more reasonable option?

MSPs (Managed Service Providers) are a way of outsourcing this difficult but important aspect of your business. Find a company that deals with small businesses regularly, like we do. MSPs understand the best ways to implement a security solution appropriate for your unique situation at a reasonable price. After all, a solution will only work if it keeps pace with the cybercriminals who are after your assets.

When you think of a hacker frantically tapping away in a dark room, who do you think he’s targeting? Banks? The government? Try healthcare information. 2018 saw three times as many healthcare-related cyberattacks as the year prior, and 2019 is holding onto that momentum.

Healthcare breaches are much larger in scope than we imagine. While you might think this affects a few dozen people at most, these hacks end up gathering information on thousands — sometimes millions — of patients at a time. One of the largest breaches this year (AMCA) exposed over 20 million patients. While these numbers can be mind-boggling, they do bring some important questions to mind.

Why Do Hackers Target Healthcare Information?

What possible reason could hackers have to want to know about that time you got ringworm at the gym or that you occasionally get heartburn? Healthcare records aren’t targeted for that information, but are actually prized for “full information”. Full information includes names, addresses, birthdates, and Social Security numbers. If someone steals your credit card information, you can have the card canceled and useless within a few minutes. Full information, on the other hand, includes personal information that rarely or never changes.

While we think about credit card information sold on the Dark Web, medical information is even more valuable. Just how valuable? According to current estimates, your medical record can fetch 10 to 60 times that of your credit card information! Once it’s in the wrong hands, that information can be devastating to your credit into the foreseeable future.

How Is Healthcare Information So Easily Breached?

Unfortunately, most healthcare organizations and those that work with them don’t take the hacking threat seriously. Here are some of the biggest factors contributing to this epidemic.

Older Systems

The healthcare industry is notorious for being slow to upgrade its computer systems. One reason is that many healthcare offices are small and have an “if it ain’t broke, don’t fix it” mentality. Also, HIPAA requirements are quite strict, so finding new software can be a daunting task. There’s even a debate about whether or not newer operating systems are HIPAA compliant. Older, out-of-date software and systems are low-hanging fruit for cybercriminals.

No Security Department

Think of your primary care physician’s office. You may be familiar with your doctor, the nurses, and the billing people, but when was the last time you saw an IT department? Many smaller offices don’t have the resources or the wherewithal to have something like this formally set up. They depend on the general staff — who are often overworked as it is — to take care of the day-to-day technical issues. Even if the entire staff is competent in this area, this would be a major undertaking.

Massive Interconnectivity

You might remember having to wait while people faxed/mailed your medical records from one place to another if you changed doctors or had to have treatment at a different location. Now, it takes a few minutes while things electronically transfer. We expect convenience, but it comes at a cost. Many medical facilities and hospitals constantly send information back and forth throughout the day. The more points of transfer in a system, the more opportunities there are for someone to find an entry point.

Various Devices

Along with being interconnected, healthcare is more and more dependent on technology. In many areas, modern healthcare facilities look more like a futuristic spaceship than a hospital! Remember that every piece of technology that uses medical information is a potential target for hackers. While the main servers might be heavily protected, who makes sure that the third desktop at the nurse’s station on the second floor has its security updated? What about the rolling computer used for billing or the tablet used by one of the surgeons? Any one of these devices opens the door for someone to gain access to all of the patients in the system.

Out of Sight, Out of Mind

Unfortunately, this is most likely the main cause of hacks in the healthcare system. Medical professionals are well aware of the idea of “an ounce of prevention is worth a pound of cure”. Unfortunately, they tend to ignore this when it comes to their IT, waiting until a disaster to force necessary changes.

If you are in the healthcare industry or work with healthcare information (e.g. lawyers, billing departments, accountants), don’t wait until it’s too late to turn over a new leaf. If you frequent doctors’ offices, make sure they know the importance of cybersecurity. The last thing you want is to be on the news as the latest victim.

Clarinets have a beautiful sound and range, but when you listen to a clarinet play by itself for three hours, you realize that there’s a reason why they’re usually just one part of an entire orchestra. Your business may find itself in a similar situation with your IT provider. Unless you have the most basic of IT needs, using a one-person operation won’t give you the harmony your company needs. Today, we’ll discuss what to look out for and why you may want to explore other options altogether.

The “Tech Wiz”

If you need help with electronics, the rule a lot of people use is to find the youngest person in the room to help you. That may work well with personal cellphones or laptops, but when it comes to your business, you need to be more judicious.

This is especially true because most people who have graduated from high school within the past twenty years will have computer skills. But having learned a few tricks in 10th-grade computer lab does not an IT professional make. Using or hiring someone based on being young also has another drawback: business IT needs are different from “pop tech.” Even someone qualified enough to work as an Apple Genius may not know their way around networking, servers or cybersecurity.

“I Know a Guy”

In a similar vein to the last section, it seems like everyone knows someone who knows everything about technology. When taking recommendations from a trusted friend or colleague for your company’s IT needs, make sure the person has actual qualifications. Remember that everyone’s mother is impressed when the WIFI is miraculously fixed, even though they just unplugged it and plugged it back in again. Also, the reason for an enthusiastic recommendation might have ulterior motives — such as getting an unemployed brother-in-law off his back.

IT Department

This is perhaps the most obvious solution to having something better than a one-person operation, and for good reason. For starters, you’re working with a team that is dedicated to your company’s IT needs and are available if any problems come up (and they will). Unfortunately, this option comes with its own downsides.

For instance, now you have to worry about new personnel and management responsibilities. In addition, there’s very little flexibility if you’re trying to keep your costs at a minimum. What if your needs are heavy at times and then slow at others? You can’t keep hiring then laying off employees — you have to keep a fully-staffed department at all times, whether or not that makes financial sense.

Online Experts

Some people will try anything when their computer isn’t working, and searching for help online is usually a desperate act. The problem is that anyone can say they can repair a computer, install WIFI, or connect your network. But the truth is that you won’t know for sure until you hire them. By then it may be too late!

I’m not saying that there are no well-trained computer experts who advertise their services online. I’m just saying that you need to be careful when you’re hiring someone who can make or break your business IT on the same day you need help. Do your research. Use your best judgment. And, most of all, when you find a good person who does a great job, make sure to keep their contact info!

The Online Computer Repair School Grad

This may be your most dangerous choice. Not only will a recent grad have a head full of non-relevant information, but they will be super eager to show you everything they’ve just learned. Everyone has to start somewhere, but it takes time to get to know the endless issues, set-ups, and complications that small businesses face every day. Give a new grad a chance to learn if you can pair them with a mentor, but be careful not to let them loose too early.

MSPs

Managed Service Providers give you an option that ends up being the best of both worlds: the professionalism of a dedicated IT department with the freedom that comes from hiring a single contractor. You hire the company, not individuals, so there are no HR issues to worry about.

MSPs typically offer comprehensive Service Agreements where, once everything is set up, you pay a monthly fee (usually less than the cost of one full-time IT person), and they’ll come in on an as-needed basis to resolve any issues that may arise. Plus, they’ll often monitor your site around the clock. That’s something most small to medium businesses cannot afford.

Yet another benefit is understanding that MSPs are business technology experts and focus on educating themselves on the latest, ever-changing technology landscape. When you have an MSP in place, you can take IT off your plate and focus on your area of expertise, and they can focus on theirs. In that way, you create a partnership where everyone is focused on your company’s success.

A one-man band may be fine for a coffee shop concert, but it won’t sell out stadiums. If you truly want your business to grow, using an MSP can take you from the local underground to an international superstar!

As a business owner, you need to decide what level of IT support is right for you. Small businesses frequently operate under the “break-fix” model. Break-fix is exactly what it sounds like: you run your business normally until something breaks, then you pay an IT support company to fix it. Large corporations usually have an in-house IT department to take care of their computers, servers, networks and phones. Then there’s the middle ground. Managed Services offers a monthly service agreement to handle all of your IT support, but not all managed services are created equal – don’t get nickel and dimed.

Break-Fix Model

While the break-fix model appears the simplest out of the gate, it ends up costing more than you think. The ‘breaks’ cost you more because you’re stuck with unexpected hardware and software costs, and the ‘fixes’ cost you a lot more due to downtime, outages, and lost potential revenue. At some point, you’ll get tired of your CFO running into your office with a stack of bills from all of last month’s fixes.

In-House IT

You’ll then probably ask yourself, why don’t I hire a full-time IT person to take care of my needs? Well, that is certainly an option, but when you take a deep look into the ROI you’ll notice a huge gap between hiring one person vs. contracting with a fully staffed company. Let’s break down the costs.

We’ll keep the math simple and say that a full-time IT person will run around $50,000 a year, starting salary. That’s $24.50 an hour, Monday through Friday at 8 hours a day. The actual cost will be a whole lot more! Your new hire will need a desk, a computer, a laptop (for remote work), maybe a gas card or car if you have more than one office, a cellphone and high-speed internet access. And they’ll also cost you vacation time, sick time, holiday pay and probably a lot of overtime. At the end of the year, you’re probably close to paying out twice their base salary. And you’re still basically operating under the break-fix scenario because that individual is not available to do everything you need 24/7.

Managed Services

There are really two lists of services to consider when it comes to Managed Services.

Permission to Play Services

A good list includes the following permission to play services:

Real Managed Services Providers Also Include

Good Managed Services providers go above and beyond this list to include:

Managed Services Costs

If you’ve looked at hiring a Managed Services Provider before, you may have experienced sticker shock when they quoted you the price of their monthly service agreement, especially if it included all of the above at a flat rate. However, if you examine the benefits of a monthly agreement you’ll see that it will work well with your business plans and help take your company to the next level without unexpected costs of break-fix or the added costs of hiring a staff person.

There’s A Problem in the Industry Today

However, there’s a problem in the IT support industry today. When offering Managed Services, some people say they’ll cover everything with a ‘flat rate.’ Then, they end up sending you a bill at the end of the month for drive time, after-hours service, or parts. They may have promised you a clear-cut agreement, but then nickel and dimed you to death with a pile of invoices. That doesn’t sound much different than a break-fix arrangement at that point, does it? With Managed Services you should be able to budget for a set monthly rate. As you look for a Managed Services provider, make sure you ask about the things that are not included in this ‘flat rate,’ so that you know if you’re about to be nickel and dimed or if you’re working with a quality Managed Services provider.

You can have every piece of security hardware in the book: firewall, backup and disaster recovery device, antivirus; but your employees will still be the biggest vulnerability in your organization when it comes to phishing attacks. How do you mitigate as much risk as possible?

  1. Create and Strictly Enforce a Password Policy: Passwords should be complex, randomly generated, and replaced regularly. In order to test the strength of your password, go to this site. (This is a perfectly safe service sponsored by a password protection platform that tells you how long it would take a hacker to decode your password.) When creating a password policy, bear in mind that the most prevalent attacks are dictionary attacks. Most people use real words for their passwords, so hackers will typically try all dictionary words before resorting to a brute-force attack. Instead of words, use a combination of letters, numbers, and symbols. The longer the password, the stronger it is. While it’s difficult to remember passwords across different platforms, try not to repeat passwords. This protects all of your other accounts in the event of a breach on one of them.
  2. Train and Test Your Employees Regularly: Educate your employees on how they can spot a phishing attack. Then, use simulated phishing tests (a safe phishing attack orchestrated by your IT company to see how employees respond) to see how well they do. If employees fall for phishing attempts, send them through training again. We recommend doing this on a quarterly basis to ensure that your employees stay on their toes, and you always provide education on the latest attacks.
  3. Create a Bring Your Own Device Policy and Protect All Mobile Phones: You can safeguard as much as humanly possible on your network, but your employees are all walking in with a cell phone. Are they allowed to get email on these phones? What about gaining access to the network remotely? Cell phones create a big black hole in security without proper mobile device management and mobile security.
  4. Perform Software Updates Regularly: Make sure that your software is up to date with all the latest security patches. Holding off on updates means that you’re leaving yourself open to vulnerabilities that have already been discovered and fixed.
  5. Invest in Security: Security is not a place to cut costs. Home-grade hardware is not sufficient; at the very least you need a quality firewall and backup device. Invest in your employees’ training, ongoing security updates, and maintaining a full crisis/breach plan.
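As an added example (not code from the original post), the password-policy points above turned into a small Python checker: it flags short, single-class, dictionary-based, or reused passwords, puts length into perspective with a brute-force search-space estimate, and generates compliant random passwords. The word list and the guesses-per-second rate are constructed assumptions, not measurements.

```python
# Password-policy checker for the policy points above (added example, not the
# page's own code). DICTIONARY and GUESSES_PER_SECOND are constructed assumptions.
import secrets
import string

MIN_LENGTH = 12
# Constructed stand-in for a real common-password/dictionary list (assumption).
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein", "monkey",
              "admin", "company", "qwerty"}
# Assumed offline guessing rate, used only to put password length into perspective.
GUESSES_PER_SECOND = 1e10

CLASSES = [  # (name, characters, alphabet size it adds to the search space)
    ("lowercase", string.ascii_lowercase, 26),
    ("uppercase", string.ascii_uppercase, 26),
    ("digit", string.digits, 10),
    ("symbol", string.punctuation, 32),
]


def classes_present(password):
    """Names of the character classes actually used in the password."""
    return [name for name, chars, _ in CLASSES if any(c in chars for c in password)]


def search_space(password):
    """Candidates a brute-force attack must cover: alphabet_size ** length."""
    present = classes_present(password)
    alphabet = sum(size for name, _, size in CLASSES if name in present)
    return alphabet ** len(password)


def brute_force_seconds(password):
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return search_space(password) / GUESSES_PER_SECOND


def dictionary_word(password):
    """A dictionary attack tries real words first, usually with digits or symbols
    tacked on, so strip the non-letters and check what remains."""
    core = "".join(c for c in password.lower() if c.isalpha())
    return core in DICTIONARY


def check_policy(password, previously_used=()):
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too short")
    missing = [n for n, _, _ in CLASSES if n not in classes_present(password)]
    if missing:
        violations.append("missing " + ", ".join(missing))
    if dictionary_word(password):
        violations.append("dictionary word")
    if password in previously_used:
        violations.append("reused")
    return violations


def generate_password(length=16):
    """Random password drawn from the full alphabet, regenerated until it passes."""
    alphabet = "".join(chars for _, chars, _ in CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate
```

Comparing search_space on a 16-character lowercase password with an 8-character one using all four classes shows why the text says length matters more than complexity.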

There are two things that aren’t going away in any business: employees and security threats. Make sure that you’ve taken care of everything you can to avoid falling victim.