Are You Prepared? Record Number Of Cyber Attacks Target Small Business

This article originally appeared in Cheryl’s Forbes column of September 14, 2013 

“Give a man a fish and you feed him for a day. Teach a man to phish and he’ll use your credit card to buy dinner.”

If you think your business is too small to be an attractive target for cyber criminals or you don’t have anything worth stealing, think again: The 2012 Data Breach Investigations Study by Verizon shows that in 855 data breaches they examined, 71 percent occurred in businesses with fewer than 100 employees. Verizon’s 2013 Report shows attacks on small business increasing in record numbers as well. Ouch!

The report came to my attention via Vikas Bhatia, a New York-based security expert who heads Kalki Consulting, a company that helps organizations to identify and prevent security-related risks. His team supports organizations of all sizes, but he reports that the level of unpreparedness and naivety in small businesses, in particular, is an epidemic.

Bhatia works extensively with New York Small Business Services and the Mayor’s office. To address this chronic issue (particularly in the aftermath of Hurricane Sandy, which his team has also played a role in addressing through the NJ Small Business Development Center), his company recently published a How To Guide on Cyber Security for the NYC program that is available to all.

As to the growing and chronic issue of cyber security and small businesses, we had an interesting chat about where entrepreneurial companies are getting tripped up, and the surprisingly simple things they can do that would alleviate or even eliminate the lion’s share of their risks.

Vikas Bhatia is founder and CEO of Kalki Consulting

As we visited, Bhatia shared some interesting stories. A three-person company being incubated from a shared space in downtown Manhattan recently fell victim to the theft of its three Mac Air computers, when a petty thief managed to walk the three machines out the door. Where was their business data? You guessed it. On the company laptops. No backup. In an instant, the business lost a year and a half of research and development by each of the three.

Other cases emerge where entrepreneurs think their data is safe because it’s been stored “in the cloud”. “Where is the cloud?” Bhatia asks me. “Do they know? Are they paying attention?” He points to a number of recent cases where cloud services for sensitive data such as electronic medical records have been breached.

Another recent incident Bhatia reports: An employee in a small business had taken data she shouldn’t have had access to from the company’s owner. When Bhatia’s team investigated, however, they found something even more alarming: over a three-month period there had also been three and a half thousand scurrilous attempts to enter the company’s website from locations all over the world.

“Who is designing and setting up your company’s website?” Bhatia asks. “We see all of these small businesses working with service providers spinning up sites for them on platforms like WordPress, but is the developer of the site or the group helping you protecting you from the risks that exist for these platforms, or are they even aware?”

As Bhatia asks these questions of customers, he says he’s increasingly accustomed to the response he gets in most cases: a blank stare.

“We used to think the primary cybersecurity threats were coming from adult websites,” he said. “But not anymore. Legitimate sites you visit – such as Dr. Smith’s dental practice, to check for opening hours—can be affected with malware that looks for your credit card numbers, social media passwords, Excel files, QuickBooks files—if I’m a bad guy who’s financially motivated (as 70% of cyber criminals are) I’m honed in on how to obtain enough details to open up a credit card in a person or a company’s name.”

Bhatia mentioned another risk most small businesses are entirely naïve to: What do you advertise about the clients you work with?

“It’s common practice for a small business to advertise their client list,” Bhatia tells me. “But what they don’t realize is that cyber criminals are viewing you as a stepping stone into your client’s organization as well. If they find out your company works with ‘Global Investment Bank’, for example, you become a potential target, because the criminal knows you have at least email communication with the people in that organization, and potentially even more.”

In the course of conducting your business do you store client information or intellectual property of any kind? Product designs? Customer lists for campaign fulfillment? All of this information presents a cyber security risk.

I spoke to a young entrepreneur this weekend who was hacked within the last several months. What happened? In his case, the attack began innocuously enough when his Facebook password was compromised. Fortunately for him, he was watchful enough to realize that within minutes his Instagram and Twitter accounts were also being targeted and that the effort was being orchestrated in an effort to affect his business.

“I realized I was making my business vulnerable by having similar passwords on my various social media accounts,” the executive said. He quickly addressed the issue by buying a software program called LastPass that allowed him to create and manage more secure passwords on all of his bank accounts and business services as well as his social media accounts. “It was just $12 a year and packed with features,” he said. “This was a quick and simple step I’d recommend to anyone.”

Another executive I spoke to, the executive in residence who manages payroll and HR services for our own agency, recently adopted a similar password management program for his outsourced HR services business as well.

As to Bhatia, he recommends five easy steps for small businesses that can make a substantial difference in their protection from cyber attacks, as follows:

  1. Use different passwords for every account and be sure they are strong. “If your password can be found in a dictionary it can be hacked in 30 seconds,” he says. Use different passwords for email, social media and business accounts. Consider using password managers such as LastPass to help you manage and store password information securely.
  2. Conduct regular backup of business data, and be sure the backed up data is located off site and that you periodically test the data restore. “I speak to so many small business owners, including those who were affected by Hurricane Sandy, and ask ‘Did you make a backup? And where is it?’ And we discover the backup drive or computer is in the same room and was affected by the disaster as well.” (“I’m getting pretty accustomed to the blank stares as I’m asking these questions,” he jokes.)
  3. Keep your antivirus software up to date, and stay abreast of all software patches and updates. “Any antivirus or malware software provider expects your software to be downloaded and installed; if you don’t update the program, you may as well not have it,” he says. He also debunks the myth that Macs can’t be attacked or affected by malware. They can. There’s a video of Bhatia talking about Mac security here.
  4. Be conscious of the personal information you share. “How much information do you share willingly?” All it takes is enough pieces to allow the criminal to create a collective picture and they have access not only to you, Bhatia says, but potentially to everybody you are connected to in your business or social networks as well.
  5. Know where your cloud-based data is stored. “What do you have and where is it? Within the city, the state, within the U.S. or offshore? How is it being secured? What is the provider’s liability for protecting your data? If you are using low cost or free outsourced providers, as many small businesses are, these are important questions to ask.”

In Bhatia’s own organization he has amassed 25 security expert participants so far. As the head of an organization that is young itself (Kalki Consulting is a year old) he’s also in the process of creating a nonprofit organization with the mission to provide cyber security protection for other nonprofits, who tend to be the groups who can least afford and can be most impacted by cyber security risks. You can reach Bhatia and Kalki Consulting directly at @kalkiconsulting or via the comment section below. And I recommend you check out the How To Guide for Cyber Security. It’s free.