LEWISBURG — Ransomware attacks, once considered a problem for large institutions, have made their way to small businesses and individuals.
Steve Stumbris, director of the Small Business Development Center (SBDC) at Bucknell University, said hackers have been able to invade big systems for years, shutting them down and threatening to disclose personal information unless the victim pays.
The difference today is that scammers have found smaller victims because the tools have become easier to use.
“It is not a big undertaking by a highly organized set of malicious people or an organization,” Stumbris said. “These ransomware attacks can be enacted pretty cheaply using software which can be found on various ‘dark corners’ of the web, but readily found.”
Much as new technology has enhanced the productivity of small business, hackers have also become more productive with newer and easier-to-use tools.
“They are turning not just to the big most lucrative targets, but targeting small business,” Stumbris said. “That is a worry and a rising threat.”
“Phishing” email to employers and employees, seeking passwords or other sensitive data, is also on the rise. But Stumbris said basic training of employees may be more effective than major computer upgrades or a new software system at a business.
“The basic piece of awareness is to train their employees to be skeptical,” Stumbris said. “Be on the lookout and not fall for those phishing attack email.”
Stumbris said it has always been easier for hackers to get behind the “people side” of security rather than the technical side of security.
“Most often a breach starts somewhere with a person making a bad choice or a person not having the information they need,” Stumbris said. “They essentially open the door to the bad guys, not that the bad guys are hackers who have some super technical skills to breach a computer system.”
It has been reported that the victim of a ransomware attack would be better off simply paying the hacker off. But Stumbris said each victim will present a unique set of circumstances.
Brandon Hassenplug, Computition sales manager, said he has known a couple of local businesses which have encountered the work of hackers. Their computers were encrypted and they were threatened with having to pay, but they fortunately had a backup.
“As long as you have things that can back up your data, you are able to get out of it,” Hassenplug said. “We do Acronis, a mirror backup to an external hard drive. If anything happens, even if a hard drive dies, that would take care of it.”
He noted that Acronis and an external drive for a computer may cost less than $150.
Hassenplug concurred that email was an open invitation for trouble, including “worms.” Like a real worm, the invader of the same name starts slowly.
“It is not like an instant kind of thing,” he added. “It takes time to root itself, get in there and encrypt everything. At the very end you get an ‘800’ number to call and pay.”
Once an attack against a computer without a backup has taken hold, it may be too late to get out of it. Victims may have little choice but to pay.
Hassenplug said a small-time hack may cost as little as $500 to get out of, though he admitted some local amounts have been significantly higher.
Hassenplug was similarly skeptical of telephone calls and emails that ask for money or gift cards. Residents should not return a call to an unknown toll-free number.
Meantime, Stumbris recommended contacting a reputable tech firm or appropriate authorities if a system is hacked. But in some cases, the action may not be quick enough and a small business owner may have to pay off “the outrageous demand” of a hacker.
There is little that can be done after the fact, Stumbris said. Thus preparation with a contingency plan, training and education is key. He noted insurance in the form of additional riders for cyber liability is also relatively new for small companies.
“You may not be able to do all the preventative measures to be ‘bullet proof,’” he said. “But that is a contingency plan you can put in place, to have insurance coverage to help with the costs of recovering or mitigating the downtime you may have in your business.”
