Minnesota small businesses must prepare for cyberthreats

It is no small irony that Eileen Manning's Event Group was hacked a few years ago not long before the annual Cyber Security conference she stages every fall.

"I got a call on a Sunday night and one of our staff said, 'Eileen, something is really strange. The system is really slow.' ''

"I told her to call our IT support company, which we pay for 24-by-7 support. A virus had come in through a computer and somebody clicked on an e-mail and it spread from one computer to another, shutting them down," Manning recalled. "If we had waited until Monday morning, it probably would have shut me down. Right before a big event, such as the Cyber Security Summit, and with people coming from all over the world, that would have been horrible."

The perpetrator had sent an e-mail, including her password, albeit an old one because she wisely changes it regularly. And demanded $5,000 in "ransom."

She ignored the demand.

"We had a plan with our IT firm," Manning said. "It worked. And [the IT support] costs a lot less annually than $5,000.

The big hacks draw most of the media attention. Such as last year's disclosure by Marriott International that the database of its Starwood reservation system had been hacked and that the personal details of up to 500 million guests going as far back as 2014 had been compromised.

Or the big breach of Target customer data several years ago that led to the resignation of its CEO.

No surprise that last month's Cyber Security conference spent an afternoon focusing on "Cyber Security Plan Basics to Protect Small to Midsize Business."

"Most small businesses are there to do what they do," said Eric Ebner, a founder of St. Paul-based Protocol 46, a data-security firm. "But it's 2019. Doctors don't make house calls with black bags anymore either. You also have to be something of a tech company to do business."

The former Minnesota National Guard intelligence analyst, an Iraq war veteran who later focused on cyberthreats against Minnesota government and critical infrastructure, said the cost of an effective security program doesn't have to break the bank.

"We provide an enterprise-grade solution for small businesses for a price that's less than $2.35 a day," he asserted.

Security for less than a cup of coffee daily.

Ebner, Manning and Nancy Libersky, district director of the U.S. Small Business Administration in Minnesota, also stressed that employers need to engage employees in preventive defense.

Libersky advised conferees that her agency offers a free audit to small businesses at www.sba.gov/cybersecurity.

The SBA helps owners assess business risk, explains common threats, cybersecurity best practices and also lists related trainings and events.

"The SBA sends out a 'phishing' e-mail check on employees on a regular basis as a test," Libersky said, adding that awareness has been uneven but improving. "The training is mandatory. Small business can spend a boatload or not too much for good cybersecurity."

The stakes are high in terms of business disruption and financial losses. An SBA survey recently found that 88% of small businesses "feel vulnerable." The FBI reports that cybercrime costs U.S. businesses at least $2.7 billion in 2018. Verizon reported that there were 42,000 data breaches worldwide last year. And 43% targeted small businesses.

Manning has become something of an evangelist.

"We were vulnerable because we didn't have [double ID authentication] to get into company phones and computers," she said. "I've got clients who I talk until I'm blue in the face about this. You have to take security measures to protect yourself and your business."

The Federal Communications Commission has 10 Cyber Security Tips for Small Business at www.fcc.gov/general/cybersecurity-small-business

They include training employees in security principles, including how to handle and protect customer information and other vital data; keeping "clean machines" with the latest security software, web browser and operating system — the best defenses against viruses, malware and other online threats. Also, firewall security that prevents outsiders from accessing data on a private network.

Controlling physical access to computers and creating user accounts for each employee also is important.

And require employees to use unique passwords and change passwords every three months. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry.

Phil Schenkenberg, a partner at Briggs and Morgan, said there is a financial incentive for business owners, beyond preventing delays and operating losses caused by security breaches and other security threats.

He has seen situations where buyers of companies have negotiated lower-than-demanded prices for good companies, after it was learned their data was compromised or stolen by a cyber breach.

In some cases, buyers will require a cybersecurity audit or hire a hacker as part of the deal to attack the target organization to explore vulnerabilities.

Buyers increasingly want proof that any vulnerabilities are long fixed or they will demand a significantly lower price.

Neal St. Anthony has been a Star Tribune business columnist and reporter since 1984. He can be contacted at nstanthony@startribune.com.