Globe and Mail article written by Avery Swartz

Small businesses can be easy targets for hackers

by Avery Swartz
Published in The Globe and Mail, April 14, 2017

As more organizations make the shift to digital, the threat of contracting viruses or suffering a data breach increases. Arguably the most vulnerable organizations are small businesses and non-profits, who often do not have dedicated IT teams in-house to shield and protect against threats or guide employees toward digital best practices.

An IT issue can lead to downtime, data loss, damage to your organization's reputation and significant expense. Ransomware (a virus that renders your computer and files inaccessible until you pay up) is infecting computers worldwide, and is already costing small and medium-sized businesses billions of dollars.

A common misunderstanding among smaller organizations is that they are of no interest to hackers because they're not large enough to be worthwhile. Yevgeniy Vahlis, head of the Security First team at Georgian Partners, explains, "You don't need to be personally targeted to be a victim of cyber-crime. A lot of cyber-crime is automated and scaled up."

"Ransomware is a particularly good example," Vahlis continues, "because it is automated today. Typically it is deployed through a phishing e-mail and this happens at scale. This mentality of 'I'm not important enough' is one of the main reasons for compromise."

Vahlis encourages people to take a holistic approach to security, and think about it often. When you get in a car, you put on your seat belt. When you leave your house, you lock the door. Good security becomes a habit, and shouldn't be limited to those in technical positions or executive capacities – everyone should be thinking about digital security.

Adherence to cyber-security basics doesn't call for deep technical know-how, but it does require diligence. Experts have been recommending the use of strong passwords for years, but many people still use weak passwords and have the same one for multiple log-ins. Even Facebook CEO Mark Zuckerberg, someone who should know better, was found guilty of using the same password on different platforms. Until more services move to password-less log-ins, using a strong and different password for each one is the best defence. Password manager services like 1Password or LastPass can help you remember multiple passwords. If a service offers it, opt for two-factor authentication, which combines your password log-in with a code delivered separately (usually sent in a text message).

Always use the latest version of software, operating systems and Web browsers. Updates are often released to fix security vulnerabilities, and when your computer or smartphone prompts you to update, don't ignore it. The recently updated Microsoft Windows 10 operating system is much more secure than previous versions of Windows. Upgrade as soon as your organization can. Using a Mac? Don't assume it can't get a virus. While Apple has an excellent track record with security, Macs are not immune from attack.

To avoid ransomware, "there are three main things you can do to be in pretty good shape," says Vahlis. "Keep your software up to date, enable two-factor authentication on any account that supports it, and try to avoid clicking on links in e-mails. Check if the actual URL of the link makes sense to you – most of the time the links will point to a URL that you just don't recognize."

Security and IT best practices are constantly evolving. Georgian Partners produces a Security First Guide and The Impact podcast for business owners, and Decent Security has high-level guides that are accessible for non-experts. Ultimately, if backing up data, practising proper cyber-security and technical maintenance are still falling to the bottom of your to-do list, it may be time to bring in the pros.

Thyagi DeLanerolle and Judy Escobar are co-founders of BizXPro, a website dedicated to connecting businesses with vetted IT solutions providers. The pair says that managed IT service, including security, is one of the most popular categories on their website. Escobar explains, "I believe people are searching for managed services because they're looking for consulting as well as execution. Most smaller businesses are not familiar with security and IT issues, and they don't know what they don't know."

Professional IT needn't be expensive. DeLanerolle explains that managed IT services "can cost $6,000 to $7,000 a month for a company to come in and take care of everything. But many IT service companies are now offering a break/fix model, where someone is on-call. We're seeing a shift in the industry where companies are doing monthly retainers with nominal flat fees per month that small-business owners can access."

DeLanerolle and Escobar understand that for many business owners, IT can be a bother. Escobar jokes, "It's so unsexy. But really, we call IT 'glue.'" DeLanerolle continues, "It's the glue behind the scenes. IT professionals are the unsung heroes of many businesses."