You are about to leave Risk Strategies website and view the content of an external website.
You are leaving risk-strategies.com
By accessing this link, you will be leaving Risk Strategies website and entering a website hosted by another party. Please be advised that you will no longer be subject to, or under the protection of, the privacy and security policies of Risk Strategies website. We encourage you to read and evaluate the privacy and security policies of the site you are entering, which may be different than those of Risk Strategies.
Editor's Note: This cybersecurity article originally appeared in the Q3-2023 issue of Premier Flooring Retailer, a trade magazine published by the World Floor Covering Association. Reprinted with permission, this piece contains helpful tips for all small businesses, not just the flooring industry.
Most small businesses rely on technology, but you may not consider yourself a technology expert. You’ve read news headlines about cyberattacks and know cybersecurity is important. Beyond that, you may think, “We’re not a huge company. Why would cybercriminals be interested in us?” Unfortunately, threat actors are targeting small and midsize organizations — in part because they assume you aren’t focused on cybersecurity.
Here are five important cautions:
Many small businesses build their own websites — sometimes with the help of a contractor, friend, or family member. With user-friendly “drag-and-drop” platforms like Wix or WordPress, non-technical people can build an attractive web presence for a reasonable price. Once the site is live and functioning smoothly, business owners tend to move on to other activities and may not give the website much thought.
Unfortunately, ignoring a site can open the door for cybercrime. Take WordPress, for example, which powers over 40% of the world’s websites. Of this 40%, over a quarter (or 10% of websites globally) have not updated to the most current version of WordPress. Businesses running older versions do not have the latest security patches.
Further, WordPress relies on “plugins” to provide various functionality, such as e-commerce capabilities. A simple website may have 10, 20, or more plugins to facilitate email, contact forms, online payment, and so forth. Each of these plugins can serve as an entry point for a cybercriminal and requires regular updates.
The takeaway: Your website can become out-of-date and vulnerable quickly. Just as a car requires maintenance, so does your website. You need to “look under the hood” once a month or more often. In addition, you need a way to detect unexpected activity 24/7. If you’re not a techie, find an expert who can provide guidance.
Several studies show human error contributes to more than 80% of cyberattacks. The Computing Technology Industry Association (CompTIA) puts the number over 90%. Common mistakes include clicking on a malicious link in a phishing email or falling prey to a social engineering attack. In the latter, a cybercriminal builds trust with the victim then tricks them into sharing data or sending funds.
If “phishing” and “social engineering” aren’t familiar terms, that’s a sign your organization is particularly vulnerable to cybercrime. All employees need regular training on types of cyberattacks, warning signs to look for, and prevention protocols. Further, you want to establish rules for handling sensitive requests and large invoices.
For example, cybercriminals engage in invoice manipulation. You think you’re paying a legitimate invoice, and your funds instead go to a criminal’s bank account. Establishing procedures for verifying invoices can prevent this type of financial fraud.
Similarly, if an employee receives a request to change a supplier’s bank routing information, what is your procedure for confirming the request is authentic?
Imagine leaving your front door wide open at night so anyone could walk off with your products or equipment. Many small businesses are doing the equivalent with their cybersecurity. Practices that put you at risk include:
These are just a few examples of poor cyber hygiene, and criminals are waiting to walk through these “doors” you leave open. To protect your business and customers, learn and implement cybersecurity best practices. And stay current — the cyber landscape is ever-shifting.
Top line: Do not leave any electronics unattended in your place of business or other public settings. Second, do not use any public charging stations or peripherals of unknown origin (such as charging blocks, cables, or USB memory sticks).
In less than a minute, a cybercriminal can extract data from an unattended laptop in your office. Or, they might place a “Ninja cable” on your desk, where later, an innocent employee uses it and infects your network with malware.
At trade shows, avoid accepting (or giving out) flash drives, charging cables, and similar devices. If a memory stick arrives in the mail, treat it with extreme caution. If you’re not 100% sure you’re using a legitimate, known cable or memory stick, don’t risk it. If you feel a flash drive might contain essential information, have an expert test it to verify it’s safe.
Small businesses often outsource payroll or other administrative activities involving personal information such as names, addresses, taxpayer ID numbers, and so forth. Even when you outsource to a trusted vendor, your business remains responsible for your customers’ and employees’ data.
Consider this example: Let’s say you own a Georgia-based flooring company that does extensive business in California. Your credit card processing vendor experiences a data breach. In California, the law “requires a business to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person.”
Even though the cyberattack happened to a vendor’s system and not yours, your Georgia business may have an obligation to communicate the data breach to your California customers. If you learn of a vendor data breach involving your customers’ information, consult your legal counsel and cyber insurer for guidance.
Criminals target non-tech businesses, because they assume you don’t have strong procedures in place to protect your data. They view you as an easy target who is looking the other way. Let’s work together to prove them wrong.
For more information and a complimentary external infrastructure vulnerability scan:
Connect with the Risk Strategies Cyber team at firstname.lastname@example.org.
About the authors
Stacy T. Eickhoff, a risk management and insurance expert, advises flooring and construction businesses on how to protect against cyber risks.
Allen Blount leads the Cyber Team at Risk Strategies, where he guides businesses on navigating cyber threats such as ransomware attacks. Before his insurance career, he practiced law.