Cybersecurity Isn’t Just the IT Department’s Job

Michigan SBDC - 2014 LogoIt’s an astounding — and perhaps disheartening — statistic: 60 percent of small companies are unable to sustain their business within six months of a cybercrime attack, according to the U.S. National Cyber Security Alliance.

To help avoid joining their ranks, John Hey and other information technology experts advise small business managers to foster a culture of cybersecurity that permeates their entire operation, not just the IT department.

“I hate to promote apprehension or cynicism, but you have to be almost by default extremely suspicious or skeptical,” said Hey, chief operating officer of Grandville-based Trivalent Group, one of Michigan’s largest IT solutions providers. “Basically, awareness and suspicion really are the best policy.”

“Today,” said Zara Smith, strategic programs manager at the Michigan Small Business Development Center (SBDC), “protecting against online threats such as phishing (tricking consumers or businesses into disclosing financial information while posing as a legitimate company) or ransomware (encrypting a company’s files, making them unusable, and demanding a ransom to unlock the data) is everybody’s job.”

“This is the new world we live in,” she said. “Years ago we had to teach everyone to lock the door. Now we’re teaching that cybersecurity is something everyone needs to be aware of. Not everybody has to be an expert, but if we are truly to protect ourselves, we must all take responsibility.”

Indeed, the issue of staying safe and secure online is so mainstream that the National Cyber Security Alliance has designated October as National Cyber Security Awareness Month, a campaign that aims to reach consumers, small and medium-sized businesses, corporations, educational institutions and young people across the nation.

For small businesses, making cybersecurity part of every employee’s routine is especially important because they are unlikely to have distinct IT departments staffed with workers whose sole mission is to keep the company’s technology systems operating smoothly. Often, Hey said, small companies might have one person who’s in charge of technology but also has responsibility for other, unrelated duties.

Small businesses also can’t hope to simply fly under hackers’ radar, Smith said. Their sheer numbers make them a favorite target of cybercriminals. Plus, big businesses, which have the financial resources to upgrade their security, are tougher for hackers to crack. So rather than seek a single big score, increasingly hackers are opting for volume and setting their sights on multiple, more vulnerable smaller companies.

Former FBI Director Robert Mueller, somewhat famously within cybersecurity circles, summed up the threat this way: “There are only two types of companies: those that have been hacked, and those that will be.”

While that might seem to paint a hopeless scenario, the answer is to put up a vigorous defense that might prompt hackers to seek other, easier prey, Smith said.

“It’s all about risk mediation,” she said. “Don’t be the lowest-hanging fruit.”

To be sure, measures such as installing anti-virus and email scrubbing software and keeping it up to date remain fundamental, first lines of defense against falling victim to cybercrime. But a truly robust security system is based on vigilance among all employees, Hey said.

“An uncareful user can undermine all of your security measures,” he said.

For example, all employees should know to follow safe and proper protocol regarding opening attachments and links in emails, potential avenues for hackers to introduce malware or viruses into a computer network, Hey said.

Such emails are becoming more sophisticated, having evolved beyond the iconic Nigerian-based scams. Today’s emails are better written (foreign fraudsters hire translation services when composing them) and often are sent in the names of companies or people known to the recipients, Hey said.

“If there’s any shred of doubt, just delete the entire email,” he said. “If it’s a legitimate email, the other person will resend it.”

Care in sharing or protecting information such as passwords is also part of a culture of cybersecurity, Hey said. Whenever he speaks on the topic, there’s always someone in the audience who keeps an important password written on a sticky note, an extremely low-tech and dangerous storage method. In contrast, Hey stores all his passwords in a smartphone app that requires a 16-character password to open.

“I say a bad word every time I have to enter it, but it’s ultimately worth the effort,” Hey said. “Security is not convenient.”

Hey advises against sending password information in email files, saying that texting is safer. Also, having systems set up so that passwords periodically expire adds another level of safety.

Common-sense measures related to physical security, such as logging off your computer or not leaving a cell phone sitting on a table when you go to the restroom, are also keys to staying digitally safe, Hey said.

Beyond trying to access financial information such as credit card or bank account numbers, hackers who target small businesses also aim to profit by disrupting companies’ operations. Ransomware allows them to hold data hostage until a business pays to have its systems unlocked.

The cybercriminals typically don’t ask for exorbitant sums — $300 on average, Hey said — to make the ransom less traceable. They also operate with a certain level of honor, rarely reneging on their promise to unlock systems once payment is made, so as to help ensure victims recognize the benefit of paying and money keeps flowing.

But the real cost to a business comes from the disruption to its operations — as well as the blow to its reputation, Smith said. “There’s the perception that if you get hacked, you’ve done something wrong,” she said.

Hey has seen ransomwear’s devastating effects up close. He worked with a 25-employee West Michigan business that had security software and other protections in place but became infected after an employee opened an email attachment. The company had its data backed up, but it took several days to restore.

“They wound up with three or four days of lost productivity,” Hey said. “They had a six-figure impact because an email was opened. They had taken reasonable security measures but didn’t have best user practices.”

To help companies assess their vulnerability to similar crimes, the SBDC launched its “Small Business, Big Threat” initiative. The foundation of the initiative is a website,, that allows individuals to take a free assessment and receive a report.

From there, participants can choose from a variety of resources to engage with, including in-depth trainings, webinars, best practices, or industry articles on small business cybersecurity.