Data Lock Down

Early this fall, members of CompTIA, the trade association for information technology, began dropping USB plugs around the country. Unbranded flash drives were quietly tossed around at airports, restaurants, train stations and other public places in Chicago, Cleveland, San Francisco and Washington, D.C.

Why the stunt? Researchers wanted to see who might pick them up and plug them in. Amazingly, many people did. In fact, some 17% of those who found them picked up the drives, plugged them into a laptop and clicked on a link that took them to a random Web page. “Things you should know not to do, people did,” says Steven Ostrowski, director of corporate communications for CompTIA, based in Downers Grove, IL. “You could imagine if there was something nefarious on the flash drive, and you took that back to work…what it could mean for your office.”

In hindsight, picking up a random flash drive and plugging it into your laptop seems dumb – if not downright dangerous. But what the experiment proves, say Ostrowski and others, is how vulnerable companies – and particularly small businesses – are today when it comes to cyber security. That a company’s own employees would jeopardize their firm, even unwittingly, is scary enough. But these days experts say small businesses are an increasingly attractive target for hackers. Simply telling staff not to plug in found flash drives or click on unknown links may not be enough. And, unfortunately, for many of today’s small businesses, basic cyber safety is all they’re practicing – if that.

Unwitting Targets

Unfortunately, many small-business owners – including promotional product insiders we talked to – believe they’re too small to be a target. That’s a huge mistake, says Ted Devine, CEO of Insureon, an insurer based in Chicago that provides cyber liability insurance to small businesses.

“Small businesses that store any personally identifiable information may actually be targeted more often than major corporations simply because they are low-hanging fruit,” says Devine. The most common mistake small-business owners make is thinking, “it can’t happen to me,” says Neill Feather, president of SiteLock, a website security firm based in Scottsdale, AZ. Often they think, “why would anyone want to attack me?” Feather adds. “The simplest answer is, it’s not about you.”

Michael Kaiser, executive director of the National Cyber Security Alliance, agrees. Hackers are rarely interested in hacking a specific small company. Instead, they’re trolling the Web for sites with weaknesses and poor security. Ultimately, Kaiser says, they want access to a small business to steal emails, personal identities, contacts to larger firms and other information that can take them up the Internet food chain, so to speak, and allow them to launch increasingly larger and more lucrative phishing attacks.

Though corporate giants like Target and Home Depot offer hackers richer rewards should a breach succeed, small businesses lack significant security protection, so they’re more likely to be the focus of would-be hackers. “You can spend one hundred hours trying to attack a company to get $50,000 or you can spend three hours to attack a company to get $5,000,” says Clay Calvert, director of cyber security at MetroStar Systems, an IT services company based in Reston, VA.

Smaller payouts are the more frequent route hackers take. It’s often viewed as a volume business, like any other retailer that charges low prices but depends on large numbers of orders to make up business.

Vulnerable Systems

Not that criminals themselves are doing much work. Rather than waste man hours, money and resources hacking away at one company’s website trying to guess passwords, criminals often employ bots, automated programs that continuously surf the Web for unprotected computers and websites, infecting systems when possible.

The whole goal, says SiteLock’s Feather, is to grab as much data as possible from weak websites – it’s a quantity, not quality game with hackers. And bots help them do that. “They’re not targeting an individual small business,” Feather says. “They’re randomly going out to find weaknesses in any website and take down 10,000 other websites at the same time.”

That factor makes promotional product companies particularly vulnerable. “There are very few players in the industry that are properly investing in cyber security,” says Dale Denham, the Tampa, FL-based chief information officer of Geiger (asi/202900).

Denham may be right. Industry players often contend that they don’t have data that hackers want, so they’re not an attractive target for cybercrime. But that line of thinking fails to understand the purpose of many of today’s breaches. Often, hackers leverage smaller companies as a gateway into larger vendors. That was the case with Target, says Jorge Rey, director of information security and compliance at Kaufman Rossin. While targeting the national retailer, hackers “took time to find out who Target was talking to,” Rey says.

By doing so they were able to infect the vendor’s system and ultimately get to Target’s network. Vendors that are easy to exploit are often companies that don’t update software, are unaware that social media is used as a ploy to gain entry, and often fail to train employees on cyber security issues.

In one common ruse used frequently these days, hackers create a fake LinkedIn page and email, asking a company employee to be friends, often by posing as a recruiter or industry peer. Should an individual accept, suddenly he has malware on his computer – and likely throughout the company’s systems as well.

While distributors and suppliers don’t have data from millions of credit cards stored on their servers, they do have customer emails and other sensitive information that could be folded into a collection of emails needed for phishing attacks on a mass scale. And, if they happen to run across a few hundred credit cards along the way, hackers will be sure to pick them up too. The fact that distributors and suppliers maintain any credit card data, regardless of how small, means they are exposed if they haven’t properly secured that information, experts insist.

“As a supplier, we get a lot of credit cards and other forms of payment that are sent to us, often via email,” says Mike Little, president of Team Mates Inc. (asi/90674), based in Eagan, MN. “We advise customers not to send any information that way and it still happens.” Too often industry firms rely on the credit card company to be their security safeguard, Little says.

More Vigilance Needed

Experts say that approach is far from enough. At a minimum, companies need to keep software up to date to protect against random site attacks. According to Verizon’s 2015 Data Breach Investigation Report, 99.9% of the weaknesses found in business websites were more than a year old. “Translation: If victims had updated their security software, they might not have been breached,” Devine says. At the same time, promotional product firms should be backing up data daily and storing a copy of that data offsite as well.

Even with secure sites, though, companies are still vulnerable, experts say. Increasingly, hackers are using a company’s information against itself. Something as innocuous as an “about” page on a firm’s website has dangerous information, says MetroStar’s Calvert. Using Google, “which will lovingly index” the names of company executives and their titles, hackers collect names of CEOs and CFOs, and then create fake emails from a top executive asking his CFO to wire thousands of dollars to a specific account, Calvert says.

The ruse may seem as obvious as a Nigerian prince letter, but the tactic works, Calvert adds. Busy employees see a familiar name and often don’t stop to make sense of a request they think is coming from their boss, regardless of how unusual. Similar phishing attacks leverage social media. Hackers might pick up on a company hiring and send out a resume (often with a female name to seem less threatening) from what looks like a LinkedIn account. When a staff member clicks on the link, it infects his computer.

“If you open up a resume and it doesn’t make sense and you can suddenly hear the fan on your computer speed up, call somebody,” says Calvert.

Resume phishing attacks are increasingly common today, says Andrew Conway, research analyst for Cloudmark, a cyber security services firm based in San Francisco – and no more so than within small businesses. “We’ve received reports of this type of spam from 14 countries in five continents,” Conway says, “but the bulk of it appears to be directed at small businesses based in the U.S.” When Cloudmark examined a malware attack via resume samples in June, for example, 84% of computers spammed in the attack were in the U.S.

Sophisticated Attacks

Aside from their seeming innocence at some of the scams hackers run today, many companies are largely unaware of how serious an attack can be. And the frequency of attacks is growing exponentially. Last year, crypto-ransomware attacks, for example, in which viruses infect a computer, encrypt its hard drive and hold files hostage until a ransom is paid, grew by 4,000%, according to the Internet Security Threat Report, released in April 2015, by security solutions firm Symantec, based in Mountain View, CA.

Companies whose files are frozen by malware then must pay a fee ($500 is typical) to release their computer, says Kaufman Rossin’s Rey. Prosecuting cyber criminals who create these ransom threats seems obvious, but many of the IP addresses associated with such crimes originate from overseas, making prosecution nearly impossible, Rey says.

For that reason, some distributors are taking added precautions to protect their data. Not long ago, Top 40 distributor Brown & Bigelow (asi/148500), based in St. Paul, MN, improved their cyber security via data encryption and decreased the amount of time credit card numbers are stored on company servers, says Bill Smith, the company’s president. In addition, the company blocked “access to our servers from IP addresses in countries known for protecting hackers,” Smith says.

Knowing hackers are out there working in mass numbers doesn’t mean a distributor has to spend a fortune increasing cyber security. Even steps as simple as maintaining updates on software already in use can go a long way in defending against attacks, Conway says. Setting up firewalls between departments (so that accounts payable is inaccessible even internally) as well as beefing up encryption and backing up data are all also crucial.

But one of the biggest weaknesses in a company’s cyber security is also its employees, say experts. One of the most vulnerable aspects of a firm’s data is its mobile workforce. For suppliers and distributors with teams who travel frequently, devices on the road can prove to be an unending corporate threat. Companies need to account not only for malware that can make its way onto a laptop or smartphone via the Web or employee error – such as plugging in a random flash drive – but take steps to safeguard devices when lost or stolen.

When one executive of Top 40 firm Kaeser & Blair (asi/238600) left his laptop in a cab, the company’s IT team locked it down remotely, says Gregg Emmer, chief marketing officer. The device was eventually found, Emmer says, but remained useless as a gateway to Kaeser & Blair’s files while it was locked. That kind of agility represents a new level of security for the Batavia, OH-based company.

“We haven’t had an issue,” Emmer says, then acknowledges, “we’ve also been lucky.”


Jorge Rey, CISA, CISM, is a Cybersecurity & Compliance Principal at Kaufman Rossin, one of the Top 100 CPA and advisory firms in the U.S.