Good job! You’re a very security-conscious business owner. With a few minor tweaks, you can sleep soundly with confidence that if a hacker were to break into your network, your losses would be minimal and normal business operations would resume quickly.
If You Get Attacked, It Will Make You “WannaCry”
As a small business owner who wears dozens of hats throughout each day, you don’t have time to worry about all the steps necessary to keep your computers safeguarded from hackers who want to steal your customers’ and employees’ information stored on the hard drives of your PCs.
If you experience a breach, though, Christian, all your other responsibilities – along with your business operations – will screech to a halt, as you’re forced to deal with a very bad and extremely stressful situation.
The Cost of a Data Breach Is Higher Than You Think
Not too concerned about inconveniencing your customers or even having to operate without your computers for a few days?
Consider the financial impact of a virus/malware/ransomware infection and the theft of PII (personally identifiable information) of your customers and employees.
According to credit card processor First Data, 90% of breaches affect small businesses and the average cost of a data breach is $36,000+.
Stop and think about what you may endure after a data breach:
If your business is unfortunate enough to have this happen, you can expect to incur significant expenses. For example, the cost of a data breach for a small business merchant …can reach or exceed $50,000. Your actual out-of-pocket cost will depend on the following factors:
- A mandatory forensic examination – The regulations of the Payment Card Industry Data Security Standard (PCI DSS) require that a merchant that is even suspected of having a data breach undergo a forensic examination to determine if a breach has actually occurred and, if so, to what extent. You will need to hire an outside examiner to conduct the investigation, which may last from days to weeks. This examination may require the shutdown of your point-of-sale system during that time in order to preserve evidence. According to Verizon Business, a small business examination may run in the range of $20,000 to $50,000.
- Notification of customers – Most states require that customers, and in many cases the state attorney general, be notified if financial information is suspected of being compromised in a data breach. Depending on the number of customers and their locations, the process of sending notifications may cost thousands of dollars. What’s more, you may have to send written letters to each customer multiple times to ensure adequate communication with them. Though not a retail breach, the University of North Carolina at Chapel Hill said a 2013 data breach of just 6,000 records has cost the school nearly $80,000 in working with affected parties. The external costs calculated to date include $32,000 for notification letters; $22,069 for credit monitoring; and $25,000 for operating a call center.
- Credit monitoring for affected customers – You may be required to provide up to a year’s worth of credit monitoring and/or counseling services to customers affected by your breach.
- PCI compliance fines – In 2011, 96% of the merchants experiencing a data breach had not complied with the PCI DSS. If the forensic investigation shows that your business was not in compliance with the industry regulation at the time of your breach, the payment card associations and/or your acquiring bank may levy fines against your business, especially if the cards have been used in actual fraud cases. Such fines for small merchants can range from $5,000 to $50,000 or more.
- Liability for fraud charges – Many merchants assume they have no liability for the fraudulent use of payment cards after a data breach. This is not necessarily the case; lawsuits may claim liability on merchants for security breaches.
- Card replacement costs – Card issuers may require that you pay the cost of reissuing debit and credit cards of those customers whose data has been compromised. These fees can range from $3 to $10 per card.
- Upgrade or replacement of POS system – Depending on what is uncovered to be the source of the breach, you may have to invest in upgrading or replacing your POS system, including servers, software and/or card swipe devices.
- Reassessment for PCI compliance – Once you have repaired or replaced your POS system, in order to qualify to accept payment cards again, you must undergo a complete PCI assessment by an external Qualified Security Assessor (QSA).
And these are just the direct costs of experiencing a data breach! There are indirect non-monetary consequences that can be just as or even more damaging to your business.
Overwhelmed yet? This stuff can make your head spin. No wonder most small business owners (even you?) avoid dealing with it.
Little Things You Do, Christian, But Don’t Realize That Leave The Door Wide Open For Hackers And Cybercriminals
Let’s revisit the quiz you took on pages 1 and 2.
I’d like to briefly explain why each of those items poses a major security risk for you and your business.
Your Antivirus Security Blanket Is Full of Holes
Blame us IT professionals for this.
We’ve given our clients the illusion that antivirus software is the magical security blanket that will completely protect their computers and personal information from viruses and malware. Like Linus holds tightly to his security blanket even though it won’t prevent life’s disappointments, many people cling to the false sense of safety of inadequate antivirus software.
Some “experts” even recommend their business clients use the free programs (despite the fact it’s illegal to use the free versions on business machines).
Free and many popular paid antivirus programs (think AVG, Avast, Norton, TrendMicro, McAfee) fail to block the newest threats attacking computers.
Most rely on ancient and inadequate 25-year-old definition-based technology. The way it basically works is that if a file isn’t on a “bad” list, the antivirus software assumes it’s “good” and allows it onto your computer.
Hackers know this, so they’ve changed the way they write their infections to bypass the old antivirus technology.
Only a very small handful of antivirus products use behavior-based detection designed to catch and stop the latest threats, such as those seen in the most recent ransomware outbreaks. None of the free programs, and few of the popular paid ones, are among these.
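To make the difference concrete, here is an added illustration (not code from the letter or from any antivirus vendor) of the two approaches the letter contrasts. The “definition” check keeps a blocklist of file hashes and allows anything not on it; changing a single byte of a known-bad file produces a new hash and slips past it. The behavior check ignores what the file looks like and instead watches what a process does, flagging one that rewrites many user documents with a new extension and deletes the originals. The file contents, process names, paths, and event stream are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a known-bad file and a trivially altered variant
# (harmless placeholder bytes, not real malware).
KNOWN_BAD = b"dropper-v1: scramble documents, demand payment"
VARIANT = KNOWN_BAD.replace(b"v1", b"v2")  # one byte differs

# Definition-based check: a blocklist of SHA-256 hashes of known-bad files.
BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_verdict(data: bytes) -> str:
    """Default-allow model: block only if the exact hash is on the bad list."""
    return "block" if hashlib.sha256(data).hexdigest() in BLOCKLIST else "allow"


# Behavior-based check: a constructed stream of (process, action, path) events.
# A word processor touching one document is normal; a process that replaces
# every document with a ".locked" copy and deletes the original is not.
DOCS = ["C:\\Users\\chris\\Documents\\" + name for name in
        ("invoice.docx", "payroll.xlsx", "contract.pdf",
         "clients.csv", "taxes.pdf", "notes.txt")]

EVENTS = [
    ("winword.exe", "write", DOCS[0]),
    ("winword.exe", "write", DOCS[0] + ".bak"),
]
for doc in DOCS:
    EVENTS += [
        ("update_v2.exe", "read", doc),
        ("update_v2.exe", "write", doc + ".locked"),
        ("update_v2.exe", "delete", doc),
    ]


def behavior_verdict(events, threshold: int = 5) -> dict:
    """Per process, count originals that were deleted after a same-named file
    with an extra extension was written. At or above `threshold` (assumed
    value) the process is blocked regardless of what its file hash is."""
    written = defaultdict(set)
    deleted = defaultdict(set)
    for proc, action, path in events:
        if action == "write":
            written[proc].add(path)
        elif action == "delete":
            deleted[proc].add(path)

    verdicts = {}
    for proc in set(written) | set(deleted):
        replaced = {
            original for original in deleted[proc]
            if any(w.startswith(original + ".") for w in written[proc])
        }
        verdicts[proc] = "block" if len(replaced) >= threshold else "allow"
    return verdicts


def compare() -> dict:
    """Summarise both checks so the gap between them is visible side by side."""
    return {
        "signature_known_bad": signature_verdict(KNOWN_BAD),
        "signature_variant": signature_verdict(VARIANT),
        "behavior": behavior_verdict(EVENTS),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

Run it and the signature check blocks the original sample but allows the one-byte variant, while the behavior check blocks `update_v2.exe` and leaves `winword.exe` alone. Real products are far more elaborate, but the shape of the problem is the same: a list of what is known to be bad can only ever describe the past.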
Home Routers Lack Necessary Business Features To Keep You Compliant
A router’s a router, right? Its basic function is to direct Internet and network traffic from point A to point B. It doesn’t matter what brand it is or where it comes from.
Running your business network on an off-the-shelf Linksys, Netgear, Asus, or Belkin router – or even the one provided by Spectrum (Time Warner) or Frontier – leaves you without the security features needed to form an outer wall that safeguards your computers and stored information.
Do you process credit cards over your Internet connection? Using a consumer-grade router could put you out of PCI compliance, which requires all credit card processing devices be separated from other general computers.
We Don’t Discriminate – One Wireless Network For All
Allowing employees and customers to connect their laptops and mobile devices to your one and only wireless network poses extreme security risks to your business computers. It also makes you no longer PCI compliant.
If you’re using a home router, as I discussed above, most times your hardwired computers are on the same network as the wireless devices.
If someone brings in an infected device and connects it to your wireless network, it can potentially spread the infection to all of YOUR equipment too.
Free Email Providers Don’t Care About Your Inbox
Most virus infections enter your computer through email.
The two most common ways users accidentally infect their PCs are by clicking on a link in a message that takes them to a compromised website or by opening a virus-laden attachment.
Many small businesses use the free email address offered by Spectrum or Frontier. Others sign up for a free Gmail, Yahoo, or Hotmail address.
All of these providers lack effective spam filtering mechanisms designed to keep suspicious and malicious messages out of your inbox. You’re not paying for it, so they have no incentive to worry about the purity of the messages you receive.
While not related to security, something else to consider about using a free email address: Most fly-by-night companies use free, disposable email addresses. Do you want potential customers to think your business is one of those simply because you use a free email service, such as Hotmail, Gmail, or Yahoo?
I’ll Eventually Get Those Updates Installed
You and your employees are busy. It’s much easier to click “remind me later” when prompted to install updates for Windows, Adobe Reader, or Java.
But later never comes.
Failing to install these updates exposes your computers to vulnerabilities that hackers look for to infect them.
Did you realize the WannaCry attack wouldn’t have been as widespread if the affected businesses had patched their computers back in March when Microsoft released the security update fixing the hole in its operating system?
Millions of dollars were lost, and people’s lives and information put in jeopardy, because too many businesses were either too lazy or too cheap to keep their computers updated.
Another reason most small business owners don’t install critical updates is because they’re unsure of what they need to update.
Is the pop-up prompting you to update Adobe Flash legitimate, or is it a fake one just waiting to infect your computer as soon as you click OK?
It’s a real dilemma, but updates need to be regularly installed to keep your PCs protected.
One website imposes no restrictions on your choice of password. But another forces you to use 13 characters, at least one capital letter, and one symbol.
Why does it have to be so difficult? It’s a royal pain keeping track of multiple passwords for every website!
I’d bet you use the same password for nearly everything. Sometimes you make a slight variation, but it’s essentially the same.
Of course, they’re written down on a sticky note affixed to your monitor or under your keyboard for safe keeping.
When a hacker compromises your PC and steals the password from it, he now can easily access every website you’ve used that password on.
We Won’t Be Duped
Do your employees know how to identify a phishing email? Do they know the first action they must take when a pop-up appears on their screen telling them their PC is infected and they need to call some 800 number?
If you don’t provide ongoing cybersecurity training to them, you’re letting their lack of knowledge expose your computer systems and information.
Just today as I was writing this letter, Jeff Rossen on NBC’s Today Show tested his producers’ ability to detect a fake email that asked them for personal information.
Despite all three of them having produced multiple news stories on this topic, they all failed the test and divulged their names, addresses, and Social Security numbers to the “hacker.”
Unless your employees are regularly trained and tested, they will fall victim to these scams, which ends up compromising your systems and costing your business.
The One Thing That Can Save Your Business, But Most Refuse To Do It
Data backups are the fastest and easiest way to recover from a malware or ransomware attack.
Yet most small businesses haven’t put this insurance policy in place.
The few who do back up their computers do so only occasionally and with risky measures. Some use an external hard drive, which fails most of the time, or a USB drive, which gets corrupted most of the time, left constantly connected to their computer. If a virus infection attacks the computer, it will also infect any connected devices, including the backup drive.
The best backup is an automated off-site backup. It eliminates the human element of forgetting and keeps the data files safely stored away from the physical machine. Not only does this offer protection from infections, but also from fires, floods, tornadoes, and other natural disasters.
I don’t have space here, but I can share numerous stories where our data backup service saved the day for several of our clients. We saved a local customer from a total disaster just a few weeks ago.
Will This Be Your Wake-Up Call?
Microsoft President Brad Smith writes, “the WannaCrypt attack is a wake-up call for all of us.”
But Philip Reitinger, head of the nonprofit Global Cyber Alliance, observes, “In general, it’s ‘Gosh, now people will understand … how serious it is – and do something.’ When history has shown, no, they won’t.” And don’t! What they do is ignore it and think “it’s not going to happen to me.”
Let me ask you a question, Christian.
Are you a person who believes an ounce of prevention is worth a pound of cure?
Or do you have to learn through the school of hard knocks?
You have these options, Christian:
- Put this letter aside and forget about the obvious weaknesses you identified in your computer systems and network.
- Or immediately call me so we can work together to fortify your business computer and network security. This will minimize the potential financial and operational damage to your business.
My Mission Is To Protect As Many Small Businesses As I Can
The WannaCry outbreak made me realize once again how unprepared most companies are when it comes to safeguarding their computers. Most small businesses also don’t truly understand the liabilities they assume by failing to take even the most basic steps to protect their customers’ and employees’ private information.
I don’t want to see you or any other fellow small business owners suffer when it can be easily avoided.
It’s my responsibility to at least help you know where the gaps are in your network security. Then if you choose, I can solve those problems for you.
It’s as simple as inviting me to conduct a comprehensive 33-point security analysis.
During this analysis, I’ll examine:
- The effectiveness of your antivirus program protecting your PCs
- Settings on your router to determine if it’s providing a solid exterior defense to keep hackers from infiltrating your network
- Your computers to see if they’re fully patched with the latest software updates for critical programs
- Your wireless network settings to see if your business computers are vulnerable to infection from laptops and mobile devices
- Your written security policy to make sure it’s up-to-date
- And more.
I normally charge $797 for this in-depth comprehensive security analysis. But if you call me by 4 p.m. on June 8 to schedule your evaluation, I’ll give it to you for only $197. We will refund this if we become your IT company.
I’m mailing this letter to 39 local business owners. I predict my schedule will fill up quickly to conduct these analyses. I will perform them on a first-come, first-scheduled basis.
So if you’re concerned and want to address these issues ASAP before WannaCry 2.0 or its variant is released, I urge you to call me NOW – (765) 529-1308.
To your computer safety,
P.S. Call me at (765) 529-1308 before 4 p.m. June 30 to schedule your comprehensive 33-point security analysis.
P.P.S. Do you use a popular antivirus program? Read above to learn why it most likely won’t prevent the latest type of virus/malware attacks.
P.P.P.S. The fastest and easiest way to recover from a virus infection or other digital disaster is often not implemented by most small businesses.