A record 1,093 data breaches affected U.S. companies and government agencies in 2016, a 40 percent increase from 2015.
A pest management company owner might assume the company’s data is not a target for cybercriminals because the company does not store customers’ credit card or financial information, or because it is a small business. In reality, all businesses are at risk and should take steps to protect the data and technology they use.
“Our data is either customer or business information such as pricing, service agreements and prep sheets that we have spent considerable effort or capital obtaining. Then we send it out with our field staff who may not be as concerned with data security as office staff,” says Todd Leyse, president of Adam’s Pest Control. When staff members opt not to use passwords to protect access to their smartphones, and then they lose the smartphones or leave them sitting in a public place, the smartphone becomes a window into the company information for a cybercriminal, he explains.
Even if you don’t store payment information in your system, or you use a third-party vendor to handle payment transactions, a company data system does contain personal information about employees or customers that can be used for identity theft or for phishing scams.
One of the fastest growing cybercrimes is ransomware—an attack by malware that blocks access to the computer system until a ransom is paid. In 2016, ransomware attacks increased threefold in the first three quarters of the year—with small and medium-size businesses hit the hardest. Although one in three victims paid the ransom, 20 percent of those that paid never got their files back.
When Varment Guard Environmental Services was attacked by ransomware, the company did not lose files or have to pay a ransom because the situation was addressed in the company’s disaster plan, explains Vice President Scott Steckel. “I heard from an employee who couldn’t get to the shared drive, and knew what had happened,” he says. Because he has information technology expertise on staff, the company was able to find and block the IP address of the attacker, quarantine the bad files and restore business files. “We were without Internet for a short time while we handled the attack, but no data was lost and we were back in business quickly,” he adds.
Steckel believes the attacker gained access to Varment Guard’s system when an employee clicked on a link in an email, but cybercriminals also rely on social engineering to access systems, explains Leyse. People call the business to extract one or two pieces of information with innocuous questions such as, “Who do I talk to in IT about server equipment,” or “I forgot the URL for login, can you give it to me?” “With each call, they use names they acquired in previous calls to solicit help from front desk staff because it sounds like they are authorized to have the information,” Leyse says. To counteract social engineering tactics, require employees to direct those requests to the person who supposedly authorized the caller to have the information, he suggests.
There are three basic steps that can be taken to protect a business from cybercrime:
Develop policies addressing use of technology and protection of data
Be clear about how company devices such as smartphones, laptops or tablets can be used by the employee, recommends Byron Booth, IT director for McCloud Services. Prohibiting download of personal apps or programs and prohibiting family members or friends from using the company device should be clearly communicated, he says. “Also, make sure employees know not to share passwords. Every employee should have a unique username and password.”
Along with the policy, invest in a program that gives your IT department remote access to company-owned devices, suggests Booth. “Not only does this help with troubleshooting in the field, but in most cases, it gives access to logs that show what is going on with that device,” he says. “For example, it allows the IT staff to see if there are unapproved apps downloaded to the device or if there is data on the device that shouldn’t be there.” Remote access to delete company information, passwords and web-based logins is also important if the device is lost or stolen, he adds.
Don’t forget to address technology when employees are terminated, says Booth. “Have a plan in place and good communication between your IT and human resource departments when an employee is to be terminated, and have a policy in place to get equipment back—including computers, phones and tablets,” he says. “Be ready to turn off that terminated employee’s access to everything as fast as possible. A disgruntled former employee with access to your data could be catastrophic.”
By Sheryl Jackson