By Brice Wallace

Panelists discussing cybersecurity recently in Salt Lake City had a two-pronged message for small businesses: You are a target, but you can avoid a lot of potential troubles with inexpensive actions.

Small businesses are an “easy” target because their leaders often have other priorities ahead of cybersecurity or believe their company is too small for cyber criminals, according to speakers at the Salt Lake Chamber’s Cybersecurity Conference.

“Small businesses are, by far, the most vulnerable because of budgetary [reasons], because of lack of foresight and planning for it ahead of time, and there’s a treasure trove of money to be gained by the criminals, and small businesses are an easy target,” said Eric Montague, Executech founder, president and CEO. “Companies that are small usually put cybersecurity on the back burner.”

“I think it’s so counterintuitive for small-business leaders to think, ‘Well, I’m not a target.’ They think that the targets are larger people with a much larger bull’s-eye on their back, and the reverse is true.”

Jason Graun, sales engineering manager and member of the office of the chief technology officer at Fortinet, said that as more Utah companies are involved in global activities, it is common for them to get emails related to sending money overseas — a common cyber trouble spot. One company, now a Fortinet customer, had been relying only on built-in security in its cloud-based email product.

“They kind of said, ‘We’re just a small company. Who would ever attack us? We’re only 85 people. Why would someone want to attack us?’ You’re in a company that exists that does wire transfers,” Graun said. “Because you exist means you are a potential money pot for cyber criminals.”

That kind of naive thinking is widespread and puts small companies in the path of troubles. “It’s not just the largest of the large,” Graun said of vulnerable companies. “It’s all the way down to the 85-person company that has these issues.”

Ivy Estabrooke, executive director of the Utah Science, Technology and Research (USTAR) initiative, said young companies also are at risk. “Early-stage companies need help in thinking for the long term about how they protect themselves, how they build their systems to be resilient,” she said. “How are you resilient? How are you protecting the pieces that need to be protected to keep your business at the forefront?”

But the panelists said fighting cyber troubles need not be costly.

“A lot of people think cybersecurity is expensive and the simple answer is it’s not anymore,” Montague said. “There are so many products out there that are on a very economical cost level and you really can be secure. And a lot of people have in their mind this belief that it’s really expensive, and ‘we can’t do what IHC can do to protect our data. I’m a small business. How can I do that?’ The simple fact is, people can. It’s very affordable.”

Some common business software contains good security features or ways to assess security strength, he said. “You can take an hour today and make yourself five times more secure than you are,” he said. “It’s that simple.”

Company priorities often are an issue. Montague told a story about a 10-person CPA firm that did not want to pay for an $800 system firewall, opting instead to build a much-more-expensive thick glass door with swipe card access in front of its reception area. Another company was willing to pay $100,000 to have cyber criminals stop a denial-of-service attack — in which a network shuts down after being flooded with traffic — before free software solved the problem.

The human element is usually the weakest link in the security chain, Graun said. It’s easy to fall for a phishing email in which, for example, the CEO demands all the employee W-2 forms, he said.

“It’s easy to trick somebody. I think that just because someone is not a front-line security person, they need to understand what does a phishing email look like, what does a spear phishing email look like, why they shouldn’t just click on things just because it came from somebody that you think you know,” he said.

“Maybe you’re not part of the [company’s] security group, but you access a computer every day as part of your job, which means you’re in the flight path, if you will, of security.”

Graun suggested that companies find a partner to help with cybersecurity issues. Many offer low-cost or free system assessments.

“The way to do it, in my mind, is prove you’re not as good as you think you are,” Montague said. His company once provided security training to a company, then tested its effectiveness with a fake cyber attempt, only to find that 32 percent of the employees fell for it despite the training. “Then they took it seriously,” he said of the company’s cybersecurity approach.

Another pitfall companies face is that C-suite executives often leave cybersecurity execution to IT officials, assuming that the right things are being done to ward off trouble, Montague said. “That’s the step that’s not happening. It has changed quite a bit. It needs to move on to where C-suite people are actually taking ownership and ensure that it happens.”

Asked about who ultimately is in charge of cybersecurity, panelists gave different answers. Graun said owners “have the most to lose” and should lead the charge to ensure that the proper protections are in place. Montague suggested a broader approach.

“Everybody in the company should own it,” he said of addressing cybersecurity. “Everybody should have the knowledge and have it ever-present on their minds.”

Cybersecurity was brought into focus for conference attendees, but Montague lamented the fact that while the conference room eventually filled with people, the panel discussion began with the room about half-full — reflecting a need for increased awareness of cyber issues.

“It’s interesting to me that the room isn’t full. It’s interesting to me that there may be people that really should be here that aren’t. And I think the No. 1 shared responsibility we all have in this room is making sure people are aware. So many people put it on the back burner,” he said.

“The challenge is, cyber criminals are profiting from what they’re doing, and they’re profiting from ignorance.”
