If you think being big makes you a target, just try being small.
From Chipotle to Target to Home Depot and J.P. Morgan Chase, cyber thieves are constantly attacking corporate computers to steal financial information from the companies and their customers.
But cyber security experts say most attacks on servers and information actually target small businesses, often with devastating results.
According to the U.S. Securities Exchange Commission, about 60 percent of all targeted cyber attacks in the last two years were directed at small businesses. About 75 percent of phishing attacks, efforts to glean personal information from businesses via faux emails or fake websites, were aimed at small businesses.
Worse, the SEC estimates that half of the attacks led the small businesses to fold within six months — and cyber attacks are skyrocketing.
“There’s been an estimated 660 percent increase in cyber attacks in the last four years,” said Phil Jaderborg, of Albemarle County-based PJ Networks Computer Services. “We’re living in a world in which nothing is 100 percent secure. When you read about Target getting hacked and Microsoft getting hacked, you start wondering where you go to avoid hackers.”
Hackers and thieves seem to be everywhere. They place scanners on ATM machines and gas pumps. They steal information from points of sale, snitching debit and credit card numbers and personal identification numbers, or PINs.
In April, Chipotle announced that several of its stores, including its Charlottesville-area locations, had been hacked with malware that took information from customers’ debit and credit cards. Many customers later reported discovering unauthorized charges on their bank accounts.
“Fraud is everywhere, from the old-time check fraud to high-tech email phishing and hacking,” said Susan McGinnis, assistant vice president at First Citizens Bank in Albemarle County. “Everyone needs to be thinking about this, not just businesses.”
First Citizens Bank and Jaderborg’s business have teamed up with the Central Virginia Small Business Development Center to provide a series of free cyber security workshops for local businesses.
The workshops are scheduled for 1 to 3 p.m. July 21 and Aug. 18. The July workshop will focus on medical records and legal compliance and requirements. The August workshop will focus on financial transaction security. For more information on the workshops, call the Central Virginia Partnership for Economic Development at (434) 979-5610.
According to industry officials, hackers are especially fond of small businesses because they often connect to larger corporations but lack the security of a corporate system.
According to a 2014 investigation by the U.S. Senate Committee on Science, Commerce and Transportation, thieves hacked into a heating and air conditioning contractor’s computer system to access Target stores’ customer database in November 2013. That hack led to the theft of personal information for 70 million customers.
Much of that information was later sold on internet “card shops” to cyber thieves, the Senate report stated.
The SEC warns in a letter to small businesses posted on its website that “large organizations are, in effect, a sprawling network of interconnected business partners, any one of whom could serve as the vector for a cyber attack.”
“About 10 or 15 years ago, big businesses were the ones that were getting hit, but hackers have realized that suppliers are greater targets for stealing credit card information and personal information,” Jaderborg said.
According to Statista, a business advisory company that collects and interprets statistics for businesses around the world, more than one third of cyber attacks in the first three months of 2017 originated from internet addresses in the United States.
The U.S. was the largest target, with more than 221 million attacks during the first quarter of 2017. In 2016, disruption of businesses was considered the most costly consequence of a cyber attack.
The problem is not a rogue hacker locked in a dark corner of their parents’ basement, downing energy drinks at 3 a.m. The attacks are organized and computerized.
“There are basically hacking robots that are trolling the internet looking for weak spots wherever they can find them,” Jaderborg said. “These computers can check on thousands of sites and ports and, when they find a potential weakness, they bombard it with brute-force attacks trying to gain access. Once they get the access, they get the information.”
While small businesses face the same threats as huge corporations, they often lack the money or expertise to secure their systems. The SEC claims that companies with less than $100 million in annual revenue actually reduced spending on cyber security last year, despite increasing attacks.
Jaderborg said that jibes with what he’s seen.
“It’s important that a small business keep up to speed as if they were a large business,” he said. “Cyber security is never convenient. It’s keeping a long, complicated password. It’s having a different password for every site that you log onto. It’s keeping up virus protection on computer networks and firewalls and being careful with emails. It’s even about physical security of the building.”
Business owners can limit successful attacks by keeping software updated and properly configured. Using high-quality anti-virus and anti-malware software and updating Adobe Flash and Java are also important.
According to cyber security firm Avast, the U.S. escaped with limited damage from a recent malware attack by a program called WannaCry that froze computers, encrypted data and held it for ransom.
Avast believes the limited damage is because the U.S. has more computers and systems using licensed, up-to-date, patched versions of Microsoft software than harder-hit regions of the world.
“There are many insecurities in Java and Flash and they’re often exploited, so keeping those updated is extremely important,” Jaderborg said.
Less thought of, but just as important, is physical security of a system or computer.
“You wouldn’t leave home without locking your doors and windows, so don’t leave your computer without locking it,” he said. “And be extra careful of anyone unfamiliar who might need access to a room near a computer system.”
Jaderborg also recommends avoiding public Wi-Fi spots, which are more easily hacked. If using a public system, do not access your financial accounts. He also recommends installing security software on smartphones and using file encryption.
“People used to believe they were safe if they bought an Apple product, but Apple is no longer immune to viruses because more and more people are using Apple systems,” he said. “And statistics show that security breaches are often the result of ex-employees. You need to change all the passwords and disable user accounts when someone leaves.”
With computer robots generating thousands of passwords to hammer at an internet portal, a strong password is a must, Jaderborg said.
“The longer the password you have, the better. Passwords with 12 or 16 characters are preferred and as many as 25 characters will make it more difficult to break into a system,” he said. “The bottom line is that cyber security takes time and thought and attention to detail. Unfortunately, security is not convenient.”