By Michelle Dupler
Whether it's ransomware, viruses, data theft or some other cybersecurity risk, a network breach can be one of a business owner’s worst nightmares — costing time, money and reputation.
A 2016 report by the Better Business Bureau on the “state of cybersecurity” estimated that American businesses lose more than $400 billion per year to cyberattacks, with one in four small businesses affected by this issue.
But experts say that many businesses can better protect themselves simply by being aware of threats and covering some basics.
“We see even in large organizations there’s still a lot of companies not doing the basics,” said Byron Martin, owner of Teknologize in Kennewick.
Teknologize provides a range of IT services to Tri-City businesses, including setting up networks and evaluating network security. Martin said one of the first things his company typically does for a business is what he described as a basic hygiene assessment: is the business running patches and updates to its operating systems, does it have antivirus software, is the business backing up its data? Surprisingly, in 2017, many don’t have these bases covered.
“We come across this all the time where people have a false sense of security,” Martin said. “They think their updates or backups are being done and they just don’t know. … You can have a network of hundreds of computers and servers. All you have to do is have one that’s not up to date and — bam — there’s the back door.”
Dustin Stordahl, the owner of Richland-based IT company Innovative Enterprise Systems, also recommends to clients that they make sure to have the basics covered, including daily backups both on-site and to the cloud.
“If the office burns down, they don’t lose all of their files (with a cloud backup). It protects them from ransomware. They can get their files back regardless,” Stordahl said.
Stordahl said regular software and operating system updates are key because the updates usually address the latest security threats and include patches to neutralize them. For example, the “WannaCry” ransomware attack that made headlines in May wasn’t an issue for people whose Windows operating system was updated. But those without updates were subject to excruciating data loss as the ransomware encrypted their data and demanded payment to release it.
Both firms said that many businesses unwittingly open themselves up to intrusion by hackers or identity thieves because of how they’re set up for remote work.
Stordahl said when businesses allow an owner or employee to access their workplace desktop remotely through an open port on a router, that open port can be seen when someone searching for vulnerabilities scans the network.
“It’s how you open yourself to brute force attacks,” he said.
In a brute force attack, an automated script or bot will try to log in by guessing passwords over and over until it gets the right one. Once the person behind the brute force attack has the password and can access the remote desktop, they can gain access to everything.
“Then they’re logged in, scanning for files,” Stordahl said.
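As an added illustration of how a defender would spot the pattern Stordahl describes (example code written for this page, not from the article or either firm), the script below scans constructed authentication-log lines and flags any source that racks up repeated failed logins within a short window, noting whether a success followed. The log format, threshold and window are assumptions.

```python
# Added example (not from the article): flag brute-force login guessing
# against an exposed remote-desktop service using authentication logs.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified "timestamp user source result" format.
SAMPLE_LOG = """\
2017-06-01T02:14:01 administrator 203.0.113.45 FAIL
2017-06-01T02:14:03 administrator 203.0.113.45 FAIL
2017-06-01T02:14:04 admin 203.0.113.45 FAIL
2017-06-01T02:14:06 bob 203.0.113.45 FAIL
2017-06-01T02:14:07 administrator 203.0.113.45 FAIL
2017-06-01T02:14:09 administrator 203.0.113.45 FAIL
2017-06-01T02:14:10 administrator 203.0.113.45 SUCCESS
2017-06-01T08:00:00 alice 198.51.100.7 FAIL
2017-06-01T08:00:20 alice 198.51.100.7 SUCCESS
"""

def parse_log(text):
    """Parse lines into (timestamp, user, source, result) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the scan
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        events.append((ts, parts[1], parts[2], parts[3]))
    return events

def find_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source: (failures, usernames_tried, success_after)} for each
    source with at least `threshold` failed logins inside one sliding window.
    A success after the burst is the sign that a guess may have landed."""
    by_source = defaultdict(list)
    for ts, user, src, result in sorted(events):
        by_source[src].append((ts, user, result))
    alerts = {}
    for src, evs in by_source.items():
        fails = [(ts, user) for ts, user, res in evs if res == "FAIL"]
        for i in range(len(fails)):
            end = fails[i][0] + window  # window opens at this failure
            burst = [f for f in fails[i:] if f[0] <= end]
            if len(burst) >= threshold:
                success_after = any(res == "SUCCESS" and ts > burst[-1][0]
                                    for ts, _, res in evs)
                alerts[src] = (len(burst), sorted({u for _, u in burst}), success_after)
                break
    return alerts
```

Feeding it real event data would mean adapting `parse_log` to the server's log format; the alert on a burst followed by a success is what warrants an immediate look.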
Dan Morgan, senior engineer and project lead for Teknologize, said his company recommends businesses use a VPN, or virtual private network, connection when they need remote access, or require two-factor authentication to log in. Two-factor authentication typically requires that a user receive a code by text message, and the user must input that code in addition to a username and password.
It might seem obvious, but Morgan said if companies don’t want to compromise their computers, don’t use a flash drive found on the street.
Martin and Morgan said another tactic they’ve seen cyber criminals use is to load malware or viruses onto USB flash drives and drop them in parking lots or pass them out at trade shows. Then people pick them up, plug them into their computers and get infected.
“USB flash drives are a huge vulnerability right now,” Martin said.
Morgan said the flash drives, known as “USB rubber duckies,” deliver code to your computer that acts as a keystroke logger. So when you’re on Amazon or some other site typing in your credit card number, it reads it and then the cyber criminals have it.
In addition to the basics like backups and updates and not using random flash drives, experts agreed that training employees in network security is critical to avoiding damaging breaches.
Trios Health in Kennewick experienced a data breach affecting 1,603 patient medical records when a single employee accessed records outside of normal job functions and without authorization over about a three-year period. The hospital performed an investigation and audit of the breach and has implemented more rigorous training and education protocols since learning what happened — in addition to terminating the employee.
Elizabeth Rice, Trios Health’s director of Health Information Management, said that from the day an employee is hired, they’re trained on privacy and compliance hospital policies and federal health privacy laws. They get additional annual training, as well as a biweekly newsletter updating employees about privacy and security issues.
Staff are encouraged to remind each other — and to call each other out — when they observe a potential violation of patient privacy or network security, she said.
“One of the key components is just heightened awareness,” Rice said. “Our work force is very engaged.”
Kirstin Davis, Eastern Washington marketplace director for the Better Business Bureau in Spokane, said her organization emphasizes education and training in its cybersecurity tips for small businesses.
“The big thing they really want to do is educate themselves about the technology and the different programs that are out there,” Davis said. “It can be daunting, because as a small business owner you have to wear so many hats — to be an expert in all of those is a lot to take on. But as we know, a data breach can undermine so quickly everything you have taken on.”
Davis said retail business owners want to be familiar with point of sale technology and which vendors are reputable. Businesses with ATMs or other types of terminals that might be vulnerable to skimmers — devices that can be installed on the terminal to read a user’s credit or debit card information — want to know what to look for and make sure employees also know what to look for. If credit card information is written on paper, they should have a policy for when that gets shredded and make sure the policy is followed.
Stordahl said business owners should train employees in computer basics like having strong passwords, changing their passwords regularly, using two-factor authentication, not giving out their passwords, and not leaving their password taped to their monitor or under their keyboard.
“And don’t use the word ‘password’ as your password,” Stordahl added.
Martin and Morgan said another important component of employee training is teaching people not to click on links in personal emails or private messages on social media. Often, those can lead to viruses or ransomware.
“At least one employee will click on anything, and then all the security you have doesn’t matter,” Martin said.