This article was written for our sponsor, Technology Associates.

Every day, without a second thought, users enter massive amounts of personal and professional information onto the Internet. Passwords, credit card numbers, Social Security numbers — for most individuals, a portion of their private data is housed somewhere online.

For most businesses, their reputation and financial standing rely on keeping that data — and their own — safe from predatory threats.

While cyber-attacks may seem like a threat predominately reserved for major corporations and big businesses, hackers aren’t quite so discriminatory when choosing targets. In fact, according to a report from CPO Magazine, small businesses account for half of all cyberattacks.

Unfortunately, only 10 percent of all cybercrimes are reported in the United States each year, and on a global scale, damages caused by cyberattacks are expected to reach $6 trillion by 2021.

Anyone can become a victim of a cyberattack, but there are several specific industries that have larger targets on their backs than others.

“Some businesses and industries are more susceptible and enticing for attackers than others,” explained Eric Hobbs, CEO of Technology Associates, a full-service technology consulting firm based in Cary. “Hackers are usually interested in targeting businesses that don’t have strong security and compliance measures in place, because they’re easier to compromise.”

At Technology Associates, Hobbs and his colleagues have firsthand experience advising businesses of all kinds on how best to protect themselves against the multibillion-dollar hacking industry.

The first step? Completing a security assessment to determine where the breach originated.

In Hobbs’s experience, there are four prime suspects.

  1. Employees tricked into transferring funds to a hacker or improperly changing routing information — which, according to the FBI, was a $2.7 billion business in 2018.
  2. Employees who open suspicious email attachments that allow ransomware to be installed.
  3. Employees who are misled into offering up credentials, allowing hackers easy access into their company’s entire network.
  4. Employees who practice poor password hygiene — in other words, using the same password for every login, which leads to breaches on multiple platforms.

While understanding what the risks are is a major component of completing a security assessment, most businesses will also require an individualized evaluation, since each company is operating with different software, platforms and best practices. At Technology Associates, Hobbs and his colleagues cater security assessments to each individual business, whether it be law firms, medical group managers or real estate agents.

“We set up a phishing awareness campaign for clients, where they get random emails that look legitimate, which brings awareness training to everyone,” said Melanie Halloran, director of operations at Technology Associates. “That awareness is what will help protect a lot of businesses. We don’t want individuals to click on things that they’re not sure of.”

Once a company understands where the risks are coming from — and that most originate from employee error — it should cultivate a strong security culture among its employees by promoting awareness of cybersecurity threats and encouraging habits that combat them. Chief among these habits is ensuring that passwords are not only strong, but also that they vary between platforms.

“I’d recommend using xkcd type passwords,” Hobbs said. “An example would be ‘short wagon history figure.’ It’s a phrase that you can see in your mind, and odds are, this will be easier to remember. It’s also a great password because it’s both long and complex.”

Once the risks have been identified and the employees have been advised, all that’s left to do is develop a swift plan of action: an incident response plan. Since every business has its own unique ecosystem, it’s never a “one-size-fits-all” solution, so personalization will be required. Still, there are a few helpful places to start the process.

“I know it’s hard to sit down and start from scratch, so what we encourage people to do is start with ransomware,” Hobbs explained. “By developing a ransomware response plan and testing it, then implementing multi-factor authentication, they’re light years ahead of where most people are security-wise.”

Added Halloran, “It also depends on the business. We look at the company on an individual basis, and we look at their risk factors. We can do penetration testing, and our best practice audit that our proactive team goes through quarterly for every client is incredibly thorough. It all correlates with the specific businesses that we’re touching.”

In the event that a breach or attack does somehow occur, it’s crucial that companies are able to show proof they had an incident response plan in place. Another key component in both protection and recovery is cybersecurity insurance.

“Cybersecurity insurance is like the flood insurance of our time, in that everybody thinks they already have it, and nobody’s quite sure what it covers, but everybody assumes that it’s there — and it’s really not,” Hobbs said.

Since coverage and prices can be highly variable, it’s best to consult with an insurance agency for more information, but in the majority of instances, the pros far outweigh the cons.

“I knew someone who was attacked by ransomware through some area of vulnerability, like a camera system or something very strange, and the hackers were able to log in and encrypt everything. Not only that, but they were also able to delete all of their backups,” Halloran recalled. “But because this person had cyber insurance, they were able to get that taken care of as far as the financial aspect goes. Unfortunately, their backups were deleted, which is why prevention measures are so important from the get-go. But cybersecurity insurance, in this case, did help recover monetary damages.”
