Cover Story

Beyond the Firewall

The recent spate of high-profile cyberattacks, many involving paid ransoms featuring six or seven zeroes, has brought an ongoing, and escalating, problem even more to the forefront. Businesses are being advised that the problem needs to be managed — before the worst happens. That means having a detailed plan involving many layers to keep things safe.

 

As he talks about cybersecurity, Charlie Christianson, owner of CMD Technology Group, equates that art and science (mostly science) to an onion.

By that, he means it has layers — many of them — with each one being important to the desired end in this matter: keeping one’s data, business, financial information, and perhaps life and livelihood safe.

“The goal isn’t to have one be-all, end-all product or solution that’s going to protect you — it’s a variety of things,” he explained. “It’s about trying to put as many layers between the threat on the outside and the asset, which is at the core.

“Most people understand the firewall discussion,” he went on. “But what they’re starting to understand is that it’s not just the stuff that protects you — it’s your staff, it’s your people, it’s the training, it’s the education, it’s the policies, and having all that in place.”

Christianson, like everyone else in this business, has been making this onion analogy — or whatever phraseology they use to get their points across — quite often these days. That’s because cybersecurity — mostly in the form of high-profile, as in very high-profile, attacks — has been in the news lately. Again. Or still, to be more accurate.

These attacks have come one after another: the Colonial Pipeline, the steamship service to the islands in Massachusetts, the meat company JBS, and many others.

Collectively, what these hacks have shown is that businesses across all sectors are vulnerable, and this isn’t a problem for other people to worry about.

That has always been the case, said those we spoke with, but the recent spate of cyberattacks and the relentless coverage of them have served as a needed wakeup call for owners of businesses of all sizes, most of which — the number varies depending on who you talk to, but it’s at least 50% — are simply not ready to handle or respond to the kind of attacks seen lately.


Charlie Christianson likens cybersecurity to an onion; both have, or should have, many layers.

Which brings Christianson back to his onion, and Phil Bianco to diabetes, or type 2 diabetes, to be exact.

“It’s always easier to prevent diabetes than to treat it after the fact,” said Bianco, chief technical officer with Melillo Consulting, which has three offices in the Northeast, including one in Springfield. “It’s the same thing with security — it’s always easier to manage things prior to the incident and be prepared for that and act appropriately.”

Elaborating, he said there are many elements to the process of managing before something bad happens, everything from having your system assessed so that vulnerabilities can be identified to acting on the recommendations listed in that assessment; from training employees on how to spot suspicious e-mails to knowing what to do and whom to call when your system is attacked.

And while Melillo and all other firms in this business sector will do remediation — coming in after the hack and putting things back as they were, to the extent possible — and “stop the bleeding,” as Bianco put it, businesses would find it much better, and cheaper, if they hired the same company to handle preparation and prevention and work to eliminate the cuts that cause the bleeding.


The high-profile cyberattacks of the past few weeks are an indication of how widespread the problem is, but they are also misleading to some extent, said those we spoke with, because they have involved mostly larger businesses and entities with very deep pockets, as evidenced by the size of the ransoms they paid. The sobering reality is that small businesses are a more attractive target because they are likely to be less prepared for such an attack.

“Cyberattacks are really a numbers game, and small businesses are less likely to invest in the cybersecurity practices, so they’re seen as low-hanging fruit,” said Lauren Ostberg, an attorney with the Springfield-based firm Bulkley Richardson (and a member of BusinessWest’s 40 Under Forty class of 2021), who helped spearhead the launch of the firm’s cybersecurity practice.


Lauren Ostberg says small businesses, many without IT teams or sophisticated cybersecurity systems, are low-hanging fruit for hackers.

“And these attackers also sell each other pre-made malware, so less sophisticated attackers can just send out 100 different phishing e-mails, see what sticks, and then attack there,” she explained. “So nonprofits are at risk, small- to medium-sized businesses are at risk, and, in most cases, they don’t have the insurance to back them up to minimize that risk, and they don’t realize how vulnerable they are.”

Everyone should now understand just how vulnerable they are, said those we spoke with, adding quickly that some remain slow to take action and adjust to what is a troubling new world order. Those who don’t adjust do so at their peril, said these experts, adding that recent events show just how easy it is to be attacked, and how painful, costly, and time-consuming it is to repair the damage that’s been done.

 

What the Hack?

As they talked about those behind all the cyberattacks going on in the world right now, those we spoke with used a wide array of descriptive adjectives to let people know just whom they’re dealing with.

Words like sophisticated, diabolical, persistent, and relentless were used early and quite often, as was another that should get the hair up on every business owner: automated.

“It is only a matter of time before any organization falls victim to one of these attacks,” said Joel Mollison, president of Westfield-based Northeast IT, who said this inevitability shouldn’t prompt paralysis, but instead well-thought-out action to prevent (to the extent possible) such an attack, and then recover as quickly and painlessly as possible if an attack does occur.


Mollison puts it in clear perspective, if anyone wasn’t already sure.

“Typically, we find that most organizations have basic security measures in place, but rarely understand their level of potential exposure or impact on operations during such an event,” he said. “The ability to recover from one of these events varies widely based on size of the organization, data volume, and locations of data and services. Even in the best-case scenarios, this process can take many days or weeks.

“Business operations are almost always crippled to a marginal capacity while systems are recovered,” he went on. “The financial impact, even without having to pay a ransom, is often devastating, and most cyber liability policies are underfunded, which compounds the problem. There are also compliance, reporting, and legal factors that are part of the recovery process that are often overlooked.”

Stan Bates, director of Business Development for Melillo, agreed. Relating some recent and current cases his firm is handling, he said they effectively communicate how widespread the problem is, what issues and problems are confronting business owners, the costs involved (and there are many of them), and the direction this matter is taking.


Given the sophistication and persistence of today’s cybercriminals, Joel Mollison says it’s only a matter of time before any organization falls victim to an attack.

One involves a large nonprofit in the healthcare sector, he said, adding that this client found out the hard way all that can be involved with returning things to the way they were before the attack.

“It got hit really hard, and they called us to help fix the situation,” Bates recalled. “They were hacked, they put their system down, they were out of e-mail, they were out of just about everything you can think of. The sad part was they weren’t prepared to know what to do, and to top it off, their insurance company forced them to use their security group, which had a limited knowledge of their network, and pay for those services, while also paying us to come in and help those guys understand what they had and fix it.

“They’re up and running,” he went on. “But it took about two weeks.”

Another case involves a small machine shop in the Hartford area, he said, adding that this small business has been informed that, if it wants to keep getting contracts from the federal government, it must meet a series of guidelines regarding cyberattacks and being fully prepared for them. “It’s going to run about $4,000 to $5,000 a month for us to monitor and secure his system and hit the score the federal government is telling him to hit.”

 

Something’s Phishy

These anecdotes are just some of many that help tell the story of how cybersecurity is becoming a huge issue for business owners and managers, one they can no longer ignore — not that they could really ignore it before.

Indeed, such sobering messages have been delivered with increasing frequency over the past several weeks as the high-profile attacks — and the ransom payments that include six and sometimes seven zeroes — come with increasing regularity. And they have certainly stimulated some interest within the business community, and also government offices and nonprofits, to be ready, or at least more ready.


“The conversations have changed,” Christianson said. “In the past, there were certain people you could talk to until you were blue in the face, and it was purely a dollars-and-cents discussion: ‘you want me to spend how much in a firewall, or this piece of software?’ Now, it’s ‘what can we do?’”

Ostberg agreed. “People are taking the matter more seriously, and they’re taking me more seriously when I tell them they have to plan for cybersecurity incidents,” she said. “I’ve noticed an increase in concern, especially about ransomware, which can really cripple a business.

“The Massachusetts regulations and the advice I give my clients provide a lot of good ideas about ways to prevent or mitigate some of the risk that would be caused by some of the hacks we’re seeing,” she went on. “And it’s focused on building layers of prevention.”

At or near the top of any list of prevention measures is training, specifically involving the detection of phishing e-mails, which comprise the entry point for most of the hacks that occur today, according to those we spoke with.


Members of the team at Melillo Consulting, from left, Phil Bianco, Doug Morrison, and Stan Bates.

As they talked about these e-mails, they summoned some of those same adjectives as they tried to convey just how sophisticated they have become.

“The phishing is getting more elaborate, and the social engineering that goes behind it is far more advanced than what we’ve seen in the past,” said Doug Morrison, practice director for the Development Operations team at Melillo. “It used to be that the e-mails were intentionally easy to sleuth out, because that way they could weed out the people they didn’t want; they wanted the people who were easily fooled to click on the link. But now, it’s getting very elaborate and very difficult to tell real e-mails from the fake e-mails.”

With this level of sophistication, Bianco said, it really is only a matter of time before someone makes a mistake and opens the door for a cyberattacker. But training and knowing to be on alert and skeptical of everything remotely suspicious are still critical to help minimize such incidents.

“Know who you’re doing business with,” he said. “Trust an e-mail if it’s someone you’ve done business with in the past. And if it isn’t someone you’ve done business with in the past, be skeptical of that; if you’re in question, send it over to your IT team, and let them take a look at it. If they see a bad e-mail, they can tell you immediately, ‘hey, we’ve seen this before, this is not something you should work with — please delete this or quarantine this,’ or, if they haven’t seen it, they can send it on to an anti-spam or anti-virus protection service that they’ve engaged with, and that individual or group can look at it across multiple things that they’ve seen.”

In dealing with suspicious e-mails, Bates cited his own firm as an example of the kind of rigorous training that can and should go on.

“We do quarterly training — each employee has to take a test and pass it,” he explained. “It’s terribly difficult, but it instills in your mind some of the things that are going on out there. Just the other day, we got hit, but everyone in the organization was smart enough, because of their training, to delete before they opened.”

 

Backup Plan

Because of the seeming inevitability that these sophisticated phishing attacks will succeed, businesses of all sizes need to have all the other layers of that onion to fully protect themselves from attacks — the training and the policies, in addition to the hardware and software.

“You have to have all the other layers in place because you simply cannot rely on humans not to click on e-mails at the pace that they’re required to do,” said Morrison, noting, as others did, that subsequent layers include a firewall, backing up all information, and encryption of information.

As noted, there are layers to backing up information, said the experts we spoke with, noting that the best solution is to isolate the backups as much as possible from the main network.

“Most companies do back up, but these malwares that do ransomware are pretty sophisticated,” Bianco explained. “The average time that that individual has compromised your network is typically a month or more. And in that month or more, they can go through and encrypt your backups as well as your production-installed system, your code bases, and things like that.


“And they have a pretty sophisticated map of what your environment looks like, so we’ve been working with customers to do what’s called air-gapping backups,” he went on. “Once that infrastructure is backed up, it’s completely separated from your network, so it can’t be encrypted.”

Christianson agreed, and noted that such independent, often off-site backup systems need to not only be in place, but be monitored as well.

“We’ve all heard the stories … people think they’re backing up for a long period of time, only to find out that, when they need it, the backups are not working,” he said. “That’s why people are starting to realize that it’s really important to have these systems monitored in some fashion, and that there are multiple layers.”

As for whether to pay that ransom … most consultants, and lawyers like Ostberg, certainly recommend against that practice, although that hasn’t stopped many of those who have been attacked from paying out millions in Bitcoin.

“One of the things that’s just awful is seeing people pay the ransom,” Christianson said, “because that’s not the answer. You’re just encouraging them to come back — and they will come back, not to mention the fact that they give you the key and you get your data, but you have no idea what they dropped in there and left for a back door.

“Honestly, in some cases, the only way to know is to reformat it, reinstall it all, scan the heck out of the data, and bring it back from the ground up,” he went on. “Or, manage a good disaster-recovery backup plan.”

Which brings him all the way back to that onion he referenced at the top. It should have many, many layers, he said, with more added as they become available and necessary, because what worked and what was enough a few years ago probably isn’t enough now, and certainly won’t be enough a few years and maybe even a few months from now.

That’s how quickly and profoundly the scene is changing when it comes to cybersecurity and protecting a business, nonprofit, school system, government agency, or household from those who would do it harm.

Managing the problem is all-important, said those we spoke with, but what’s most important is managing it before the worst happens — because doing so can often prevent the worst from happening.

 

George O’Brien can be reached at [email protected]

Coronavirus Cover Story

Pandemic Tests the Mettle of the Region’s Small Businesses

Over the course of this long, trying year, BusinessWest has offered a number of what we call ‘COVID stories.’ These are the stories of small-business owners coping with a changed world and challenges they could not possibly have foreseen a year ago. As this year draws to a close, we offer more of these sagas. Like those we documented before, they put on full display the perseverance, imagination, and entrepreneurial will that has defined the business community’s response to the pandemic.

Things Are Heating Up

Hot Oven Cookies Seizes Growth Opportunities During Pandemic


COVID Tails

Pandemic Has Forced This ‘Pet Resort’ to Consolidate and Pivot


Words to Live By

Greenfield Recorder Stays Locally Focused on Pandemic — and Everything Else


The Latest Word

At Hadley Printing, the Presses Have Started Rolling Again


Root Causes

For This Dental Practice, COVID Has Brought Myriad Challenges

 

Opinion

Editorial

 

While the arrival of vaccines is fostering some optimism across this country and we’re hearing phrases like ‘beginning of the end’ (for the pandemic) and ‘light at the end of the tunnel,’ the sad fact is that relief won’t come soon enough for some businesses in this region.

The latest victim of the COVID-19 crisis is Gateway City Arts in Holyoke. Owners Lori Divine and Vitek Kruta announced they can no longer continue operating their cultural-arts center, which had become such a critical part of Holyoke’s resurgence, and will now attempt to sell the complex.

Their message to the community sums up the plight of so many businesses in this region and the frustration that has accompanied the restrictions, shutdowns, and general lack of support from state and federal officials.

“We have reached the point where we just don’t have the resources and energy to try to survive,” they wrote, echoing the sentiments of many who have been trying, unsuccessfully, to hang on. “It took us 10 years to start feeling that we could make it, and then COVID took it all away.”

The two went on to talk about life just before they were forced to close their doors. There was a sold-out concert with more than 500 people in the Hub (and an impressive upcoming slate of big-name artists), a theater production with more than 100 people, and a full house in Judd’s restaurant. And in the veritable blink of an eye, it was all gone.

Like most small businesses in this region, Gateway City Arts received a PPP loan last spring. It was intended to provide eight to 10 weeks of support and keep people paid — and that’s exactly what it did. The problem, as everyone knows, is that the pandemic has lasted far longer than a few months. No further relief, other than a GoFundMe campaign, was forthcoming, and with no end to this crisis in sight, Divine and Kruta had to let their dream die.

As we all prepare to turn the calendar to 2021, many businesses are in some state of peril — and many more dreams may have to die. If there is a lockdown or further restrictions, as many fear is possible, if not imminent — or even if the status quo continues — many more small businesses will be forced to close their doors.

Yes, the vaccines are coming, and yes, there just might be some light at the end of this incredibly long, exceedingly dark tunnel. But for many, it won’t come soon enough. As this issue was going to press, Congress was making some progress toward a new stimulus package, one we have to hope will include some relief to embattled small businesses.

But these companies need more than that. As we’ve written on many occasions, they need the support of the community, in any way it can come, to get through this.

We were encouraged to see that a number of businesses were stepping up during the holidays to help. Indeed, instead of sending the traditional gift basket or tray of cookies to an office where few if any people are working anyway, some businesses have sent gift certificates or even small, pre-paid credit cards, with instructions to use them to support local businesses.

Likewise, instead of having that holiday party at a local venue, some businesses are instead giving employees gift certificates for local restaurants, a step that shows appreciation not only for valued workers, but for the local eateries that have been devastated by this pandemic.

It’s unlikely that such steps would have saved Gateway City Arts, an intriguing, potential-laden business that was just hitting its stride when the rug was pulled out from under it. Unless the region rallies around the still-surviving small businesses, other dreams may die as well.

Opinion

Opinion

The recent news that two small businesses located in the Shops at Marketplace in downtown Springfield — Serendipity and Alchemy Nail Bar — will be closing permanently due to a sharp decline in business from the pandemic provides more direct evidence of the damage being done to the business community from this crisis.

A number of small businesses have already closed over the past four and a half months, and those numbers will surely rise as the pandemic continues to keep people in their homes. Many of these closings are seemingly unavoidable — they involve businesses, such as event venues, bars, and restaurants, where people gather in large numbers indoors, something the pandemic has made all but impossible if people want to stay safe.

But some could be avoided if the residents of this area find ways to provide needed support. Many are already doing that, but these numbers need to grow if the Western Mass. business community is to avoid losing more of its valued members.

And we say valued, because that’s exactly what they are. Businesses are not simply establishments that occupy space in buildings and provide goods and services. They are part of the community, and often a big part.

They employ people. They pay taxes. They support organizations like the United Way and the Chamber of Commerce. Their employees often serve on boards and commissions and lend their support to local causes.

When a business closes, we lose a lot more than a place to buy shoes. When a restaurant closes, we lose more than our favorite pizza joint. When a tourist attraction shuts its doors, we lose more than a place to take the kids on a Saturday.

Supporting local businesses has always been important, but it is even more so during this crisis because so many of them are imperiled. As we have chronicled over the past several months, ventures in every sector of the economy have been rocked by this pandemic.

Indeed, companies recording sales of 60% or 70% of last year’s totals are having a good year. And most are not in that category, with declines of 70%, 80%, or even 90% over last year. Many of these businesses have been helped by assistance from the federal government in the form of PPP loans, SBA loans, and small grants from individual cities and towns. But many have exhausted those funds, and the pandemic shows no signs of letting up.

It doesn’t take someone with a degree in accounting to understand that most businesses simply cannot sustain losses like this for much longer. And some have already concluded that they can’t sustain them any longer.

With each headline like the one about Serendipity and Alchemy closing, there is regret about what we’ve lost. And as mentioned earlier, we lose more than a shop that sells an item or makes good Italian food. We lose tax dollars, and we lose a piece of our community.

There are many ways to support a business even if you can’t visit it in person — from buying a gift certificate to getting takeout to buying online. And by exercising these options, we can perhaps avoid losing some of the businesses that still call Western Mass. home.

Technology

Air Apparent

By Sean Hogan

Small businesses have been drawn to VoIP technology because of the substantial cost savings they gain when making the switch. However, as VoIP has continued to evolve over the years and moved into the ‘cloud,’ small businesses have begun to leverage VoIP in new ways to gain competitive advantages in their respective industries.

The growth of virtual companies and remote workforces has brought everyone to the same playing field, and customers across every industry are looking to work with credible, prestigious, large companies. Here are some ways in which cloud voice can make your business look bigger than it is today.

Your office just got a receptionist you don’t have to pay for. Cloud-based phone systems today include features that completely eliminate the need for a receptionist. Systems can be configured in order to route calls directly to the intended employee via a unified auto-attendant. Also, if your office doesn’t have a receptionist, systems can distribute incoming calls among specific groups.

This goes beyond simply sending sales calls to salespeople and admin calls to support employees. For example, you can use caller ID to send specific accounts directly to the CEO’s cell phone. Or if none of the salespeople answer an incoming call, it goes to the sales manager’s cell phone.


Unlimited locations, one office number. With the rampant growth of startups and virtual companies, many businesses need to have a communications system that supports both in-house and remote workers while maintaining a professional image across the board. With cloud voice, calls to the main office can be sent out anywhere simply by asking the customer to dial an extension, just as large corporations do.

Seamless conference calls and lightning-fast voicemails. Conference calls or online meetings are often a source of frustration for most companies. Cloud voice solutions enable businesses to host conferences during meetings so you can be face to face, even when you can’t be in the same location.

Furthermore, all technology is hosted through a single solution, so when it’s time to host a meeting, businesses can rest assured that the technology will perform as promised. Another way in which cloud voice accelerates collaboration is through its ability to convert voicemails into MP3 files, which can be sent as e-mail attachments. Additionally, voice calls can be converted to text and vice versa for easier retrieval and communication.

Collaborate on the fly. Today’s employees need to be constantly connected. Collaboration can’t always be planned out in advance, and when a good idea strikes, everyone needs to be in the loop. Cloud technology has made it easy for employees to see from their desktop what their co-workers are doing and how to best access them (e.g. instant message, voice, or e-mail) so communication can happen immediately.

There are many advantages to moving a company to cloud voice. For small businesses, the rewards are plentiful because they can utilize the same technology as large enterprises for a fraction of the cost and look just as big.

Sean Hogan is president of Hogan Technology.
