Why cybersecurity is a big problem for small businesses

Cybersecurity attacks can cripple small businesses that aren't prepared. TechRepublic's Karen Roby talks with a security expert about ransomware, phishing attacks, and inadequate IT defense plans.

TechRepublic's Karen Roby sat down with a security expert to talk about cybersecurity concerns within the small business sector. The following is an edited transcript of their interview.

Scott Logan: There are a lot of threat actors out there. It requires a great deal of expertise to protect an enterprise properly. Unfortunately, small businesses have a hard time finding or maybe even affording a security professional to be on staff to work with them to protect their infrastructure.

One of the things that we see all the time at NetGain is that somebody will be put in the position of managing an infrastructure that they're not professionally prepared to manage. We find a lot of problems from that. That's one of the things that we try to help out with in providing services and solutions.

Karen Roby: Solid tech talent can be hard to find, and it can be really expensive to have someone on staff that is trained in security.

Scott Logan: Absolutely, they have to have a certain level of qualification and certification that, if they don't have that, they're really not positioned to manage it correctly or make the infrastructure as sound and secure as it could be.

Karen Roby: What are some of the things that you see happening when you guys go into, let's say it's a new business that you're working with or one that you've already been working with, what are some of the things, specific threats that they're seeing come through?

Scott Logan: In almost every single case, it's well known by a lot of security professionals that the user is the weakest point or the weakest link in the security chain. What we see constantly is that users are just not properly trained. They don't know what to anticipate; they don't know what to expect, what an attack looks like. When they see it, it's not recognized immediately, and that's unfortunate because if a user fails, regardless of how much infrastructure's in place, how much security controls are in place, the user has a way of bypassing all of that and introducing an infection or some malicious activity into the network. User training is probably the most common absence that we see in an enterprise.

Karen Roby: Does a small business face the same type of threat as a much larger company would encounter?

Scott Logan: Larger industries have the larger target on their back, so the attackers are going after those guys more consistently, but they usually have the security professionals, they can afford the budgets, they can afford the professionals, and so their infrastructures are usually a little bit more sound. The problem with larger industries is that there are more people, so there are more vectors of attack. The responsibility of getting those users trained, getting them tested so that they're aware of what these attacks look like, is more paramount for them.

Karen Roby: What are some of the small things that aren't as expensive that they can do or teach their employees? Just basic things to stay safe?

Scott Logan: User training platforms are not very expensive. They're usually priced per user, and they're inexpensive, in the dollars-per-user range. Getting a good security awareness platform in place would be one of the first things I would recommend for a business. Before they start investing in a ton of security controls, make sure that you can recover from a threat. Make sure your backups are tested, and make sure that your disaster recovery policies and procedures are exercised so that you can recover. Once you can verify that you can recover from an attack, then start plugging in some of the protections that are necessary to keep your assets and your people safe.

Karen Roby: We've done several stories here with some of these smaller municipalities or small cities here in the United States that are being targeted and that are not at all prepared. They've got maybe one person that's an IT professional, that's handling everything for these small governments, and when they are attacked with ransomware, that's everything for them. It has huge implications.

Scott Logan: It can be crippling. We usually find out that the root cause came from an email; a user opened up something malicious and allowed it into the environment. It started; it spread. What a lot of businesses don't realize is that the impact of having their data stolen from them can cripple them. It can take them completely offline. What they're now dealing with is not only a loss of productivity but how it impacts their clients, and their vendors are now also on the table as well. A lot of businesses just do not have the proper incident response plan to run with when an incident happens, so they're scrambling and trying to put things back together after the attack. It just creates a lot of problems for the business.

Local city governments are very commonly hit by these attacks now. I think the city of Baltimore was one of the recent ones. Once again, when you lose your access to your data, there is a change in your operations. Even if you have a disaster recovery plan, a lot of times getting that implemented, getting it set up, getting to where you can operate through that plan, or what they call the emergency mode of operation, becomes a little bit more difficult than what they were expecting. A lot of the executives have an expectation of when they're going to be back up and running. A lot of times the IT team, even though they have a good strategy behind how they're going to recover, it's not really what the executives expected. The recovery times are a lot longer than expected.

Karen Roby: When you talk about the executives, whether we're talking again about a large company or a smaller company with those that are in leadership, do you find that they, it's hard to say across the board, but do most take this seriously? Do you think? Or they're just starting to realize why they need to take security; it needs to be top of mind?

Scott Logan: It does, it's in their face all the time. You can't go to a news channel and not see something where somebody got attacked, or some level of breach or some level of compromise that's occurred. A lot of the small business leaders sometimes think that they're not a target. They don't feel that their business is large enough or that their data is sensitive enough to warrant an enormous amount of security protection in place to protect them. I see that, but from the attacker's point of view, that's what they're hoping.

They're hoping you're not putting security in place and that you're not protecting your data so that we can do elements like institute a ransomware attack or steal your data in some form or fashion. It's unfortunate that the executives feel that way. A lot of times when NetGain is working with a client, we try to express the fact that it is important. I believe I saw a statistic that around 60% of companies that receive ransomware within six or seven months close their door because they just weren't able to recover.

Karen Roby: Talk a little bit about phishing and how this affects a business.

Scott Logan: They can be very tricky. A lot of times when we're doing social awareness programs, we try to make it as tricky as possible to see how effective it can be in the environment. Nonetheless, let's talk about the users first. The users need to be smart. They actually need to pay attention to what's happening. If they receive an email and they don't know the sender, then don't open the email. If they receive an attachment that they're not expecting to receive, or they did not know that it was going to be delivered to them, don't open the attachment. You have to be smart about what you're doing and practice that on a day-to-day basis.

Now let's talk about the owners. It's their responsibility to improve their users' awareness. They have to provide training. They have to show them what the types of attacks look like, how they feel, and provide them a game plan for what they're supposed to do should an attack appear to them. If they see something, they should have a series of steps that they're supposed to follow to make sure that the enterprise hasn't been compromised by that attack.

Karen Roby: When you guys go out, let's say to a small business for instance, is there anything that you guys do that's different or sets you apart in terms of how you get people off the ground with a plan of how to handle their security?

Scott Logan: One of the first things we do is try and understand where the risk is in the environment: instituting a risk analysis program, a risk assessment with a vulnerability assessment, to understand where the weaknesses are so that we can then provide them a plan for how to mature those weaknesses, how to get them out of the environment. We will always want to make sure that we express the importance of user training. It's very important. We will make sure we express the importance of protecting email platforms, and we want to make sure we express the importance of their assets not being weak, that they've patched them and that their firmware is up to date.

Those are the three core elements that we always try to push. Executing a risk assessment program is very important, as is understanding where risk is and how we need to set up the mitigation process.

Karen Roby: There are just so many moving parts, so many things to consider. Do you sometimes find that when you go in and you talk to companies, they almost feel overwhelmed by the responsibility?

Scott Logan: They're lost. They know that they need some help. They know that they need security, but they don't know where to place it. They don't know where to start, where they need to put it. The risk assessment program helps them understand the priorities of what's missing and where they need to put those in place first. Then there's something that maybe can come on down the line, maybe budgeted for the next quarter or the next year.

Karen Roby: Any trends? Anything you're seeing coming up? I know we've talked a lot about getting rid of passwords altogether. What are your thoughts on that?

Scott Logan: You don't have to get rid of passwords as much as you need to strengthen your password requirements, number one. Number two, you should place a multi-factor authentication principle behind it so that there are two levels of authentication required to get in. If you do compromise your credentials, you make a mistake in an email, and you go to a website, and it says enter your credentials, and you do, and now they have your credentials, they would still need something else in order to get into your network. Multi-factor authentication, added on top of a password principle, is effective.