Eric Montague on Protecting Small Businesses Against Cyberattacks
From Utah Business Insider Podcast: From the earliest days of the internet, there have been scams designed to bilk innocent users out of money and information. As security has gotten more advanced, so have the hackers, and the results of getting hacked can be devastating for small businesses. In this episode of UB Insider, Eric Montague, CEO of Executech, talks about how small businesses can be prepared for these attacks and avoid getting sidelined.
Hello and welcome to UB insider. I’m Lisa Christensen, online editor at Utah business magazine. From the earliest days of the internet, there have been scams designed to bilk innocent users out of money and information. As security has gotten more advanced, so have the hackers, and the results of getting hacked can be devastating for small businesses. Eric Montague, CEO of Executech, is here to talk about how small businesses can be prepared for these attacks and avoid getting sidelined.
Montague: Glad to be here.
UBM: So besides not falling for emails from any Nigerian Princes, what should small business owners do to keep from falling victim to phishing or ransomware?
Montague: The biggest thing that small business owners should do first is prevent and protect themselves. So I always say that backup is the holy grail of computing, and that’s the fact. I mean all of the scams that come out, all of the malware, the ransomware, viruses, any of it, they’re all essentially 100% mitigated with good backup. An example is we had a client, a new client, come into the office last month. They’d been hit with ransomware. And they said, “You know, we have backup so we should be fine.” They were hit on a Monday. Came in on a Thursday. It was a city in Idaho and their backup was a very poor backup. It only ran nightly, so it overrode itself every night. So they brought it to us on Wednesday and they lost everything! They had no idea what any citizen in the entire city owed them for utilities or anything. It was a mess. So you have to be really careful with backup. Some of the key points are having revision history. That’s one of the most important parts of backup, so that you can go back to multiple points in time. Only having one revision point to go back to is very, very dangerous. So people get a virus, things like that, and they don’t realize it for a few days and they have a lot of problems. So make sure you have an off-site backup, some type of cloud backup that has multiple revisions. There’s a lot of really cheap ones that don’t have revisions. Beyond that, you can also protect yourself from those scams. So most of those scams come from regions of the world that we know scam activity comes from. So with most spam filters you can put regional qualifiers on your spam filters saying, “Don’t allow things from Africa” or “Don’t allow things from the Eastern Bloc countries.” And even though it may look legitimate, it probably originated from somewhere in an odd region of the world. And when that occurs, your spam filter would block it altogether. So there are more sophisticated spam filters out there that can block certain regions. Obviously, if you need to do business with Africa you couldn’t block that, but it really helps a lot. So that’s a really important thing to do.
UBM: So what are the effects if you do become a victim? You mentioned a city in Idaho that didn’t know how much their customers owed them for utilities. How exactly is this detrimental for businesses and for customers?
Montague: It’s amazing how detrimental it is! The example in Idaho is a good example. A municipal organization thought they were backed up and they were hit with ransomware. And when it occurs it encrypts everything on the hard drive. And the person has to pay to get a decryption key, and they chose not to pay. And so what happened in that instance is they didn’t know if you were three months late on your water bill and I was two months overpaid on my water bill. So they literally had to reset every person’s account in the whole city limits at zero and just start from scratch. Not to mention probably a little bit of a PR nightmare.
The others, though, that are more common are monetary. So oftentimes with these scams, people will fall for a wire fraud. Happens all the time. We saw six of them last year where people fell for a wire fraud. We’ve seen them as much as over a half a million dollars down to twenty or thirty thousand dollars. So you have to be really careful. And once it’s wired, it’s gone. If you contact the FBI, unless it’s over five hundred thousand dollars, they won’t even look at it. And the one we saw last year that was close to that was four hundred ninety-six. And so they knew exactly what the limit was and it wouldn’t get tracked down. So you have to be careful.
The other big one that’s going around, that went around a couple of months ago now that we’re out of tax season, but the one that goes around every year, is a W-2 phishing scam. Where people are trying to get, they’re saying that they’re your boss or your HR manager or something like that. Maybe they’re talking supposedly with a CEO via email and it’s a scam. And they’ll ask for copies of W-2s, and then you and I all of a sudden, because someone in your company distributed W-2s, now you have a problem because you have had a fraudulent tax return filed. And when you go to file your tax return, let’s say they took a bunch of deductions and had a $10,000 tax rebate or refund given to them. When you go to file your taxes and you say, “Okay, lovely IRS, I owe you $2,000,” they’ll come back and say, “Oh, we already paid you ten, so now you owe us twelve.” So they don’t take any responsibility for it. You have to. You have to be very, very careful on what can happen by these attacks.
UBM: Now, you mentioned those wire transfers. What kinds of ruses do they use to get you to pay up in those instances?
Montague: So let’s say my name was Bob. And I owned Bob’s Burger Barn, right? And you were my CFO and your name was Nancy, right? So what happens is somebody makes what’s called a spoof email address. So Bob at Bob’s Burger Barn looks right. Oftentimes, it’s spelled exactly right. You can spoof an email address very easily, as if it was coming from Bob. I send it to you and maybe I have a chain of email in the body. And like the thread that makes it look like I’m talking back and forth with a vendor. And then maybe I send it to you as the CFO saying, “Hey Nancy. I’m meeting with these guys in the morning and they have to be paid before I meet with them. See the chain of communication. The wire instructions are attached. Please send them $84,000 in the morning for fries.” Right? Because I’m meeting with them and they have to have the money to get us the fries. Nancy, being the studious, you know, employee. Bob needs money wired. She gets up at 7:00 a.m., wires the money, and then Bob comes to work and says, “Nancy, like, why are you here? I thought you’re meeting with, you know, Joanie’s fry shop or something like that.” “No, what are you talking about?” And it looked real, came through. It’s very easy to spoof if you hit reply. Oftentimes, the email address in the reply isn’t what it said it was. So if it said Bob at Burger Barn, now it’s going to, you know, [email protected] or something like that. Sometimes there’s one letter off. So people don’t catch that. So in Bob’s Burger Barn maybe they have two “a”s. Or you know “b”, “a”, something else, and like “b”, “a”, “n”, “n” or something like that at the end. So it’s spelled differently, so it doesn’t look off. But it happens a lot. It’s surprising how often that happens. Because how they do it, how they determine Bob and Nancy, is they’ll go to LinkedIn or social media. And they’ll find that I’m the CEO and you’re the CFO. And then they’ll literally send thousands of emails to Bob’s Burger Barn. Just the domain, [email protected]’sburgerbarn.com, to determine what the naming convention is for people’s email. They’ll find, well, it’s, you know, [email protected]’sburgerbarn.com. Because they’ll send thousands. And what happens is they’ll notice the ones that don’t give a bounce back. And then, okay, we figured it out. That’s what it is, then they just keep hitting tons of people at the company. And maybe they’ll send an email to somebody from the CEO saying, “Hey, what are we doing tonight?” And maybe it’s, you know, some guy in the mailroom. He’s like, “Why is the CEO emailing me?” Well, he replies back, “Hey, what’s up?”, you know, and as soon as he replies some key information has been gathered. They figured out probably a logo on an email signature, the fonts the company uses, their legal disclaimer, all of that, so now the perpetrator has all of that. So when he sends that email to Nancy, the CFO, it has everything that makes it look real. So it’s a pretty well-orchestrated attack that people do.
UBM: Yeah, this is really elaborate.
Montague: It’s really elaborate and it’s all automated. You would think that some guy is hiding behind his computer in a dark room pounding away at the keyboard to do it. It’s not. It’s all automated by servers. So it’s, you know, a human only gets involved once all of that first stuff has been gathered.
UBM: Wow! So it’s just a crazy good algorithm?
Montague: Yeah, exactly.
UBM: Wow! And so, given this and given all the different ways that they can attack, how can companies protect themselves? You mentioned a backup and such. But when we were talking earlier you mentioned four key steps that companies can take. What are those?
Montague: So it’s important to remember that everybody is going to get hit. I mean, your company is going to get one of these emails or they already have, right? We got a call yesterday from a mortgage company where they got one of these emails. They clicked on it, and it was a reset-your-password with Zions Bank or something like that. They went in, walked through the procedure and gave whoever it was the entire mortgage company’s accounting information, banking account information. That’s a big problem when they’re doing mortgages. So giving employees and empowering them with knowledge is really important. So, oftentimes in businesses now, like you see, kind of, you know, ten years ago it was a joke, where you’d see consultants come in and give, like, awareness training or, you know, diversity training or stuff like that. It’s very common right now that there’s social engineering training. Where people will come in and meet with you, for example, if you were the head of a company, and put together a plan to train your employees. And then they’ll say, “Okay people, this is what could happen.” And maybe they’ll go through the W-2 scam, the wire scam or any of the others. And then they will perform a test unbeknownst to the employees. They will use the same algorithms that the bad guys use and they’ll perform a test against people and see how they react to it. Then they’ll go back and meet with the owner, or CEO, or president, HR manager or whoever’s conducting the test. They’ll say, “Okay, 22% of your employees fell for this.” So oftentimes what happens is they’ll do the test, then training and then test again. Sometimes they’ll train, test, test – just things like that. So teaching your employees is really, really important.
We’ve already talked about backups. They’re critical. One of the other, the two things that are really important for some of the ransomware. One of the things that is very important with malware is having all of the correct patches on computers. And Microsoft, or even Apple, it happens with Apple as well. Sometimes these computers have security loopholes in them. So they’ll have updates. And as an organization it’s really important to mandate those updates down to every computer. It’s very easy to do with what’s called a patch management system. It’s very cheap, and an owner or an IT person can know where the patches are on every computer. But one of the most important things is having good protection. Because, like I said, every company’s going to get hit with it.
There are a lot of good antivirus products on the market. Most of them don’t have great ransomware blocking abilities. The most popular one right now is a product called Sophos. And they have a product called Intercept X. And it’s currently the only product on the market that protects against ransomware. So when it comes in, when that email came in, for example, the one from Bob to Nancy the CFO at Bob’s Burger Barn, it would have caught that and said, “Wait, you’re not sending to the right person.” It stops the email transaction to where the person would have known. You can also have, a lot of higher-end email systems have, what’s called DLP or data loss prevention, where it scans every email that goes out. And maybe if there are social security numbers or credit card numbers, it can scan attachments and things like that and determine what’s going out. And you can restrict certain people in your company from doing it. Or there has to be, like, a 2-step approval process to send stuff out like that. So there’s a lot of good products out there that stop it once it happens.
Lastly, if you do get hit like this mortgage company yesterday, don’t try and fix it yourself. The problem with the city that I was speaking about earlier is they tried to fix it themselves. And they messed up the encryption of the files. To where even if they had paid for the code that decrypts the files, they wouldn’t have been able to, because they tried to fix it themselves. And so once you try it, you break the encryption that’s in there. And you may never, and then the files are absolutely gone. So just be really careful. If you have been hit and you’re worried, I’d call a professional to come help you.
UBM: Given how fast this field changes, given how quickly the bad guys are catching up with the good guys and trying to, you know, it’s kind of a cat-and-mouse game. How do you stay ahead of the curve with something like this?
Montague: That’s really, that’s a great question. So, it’s very difficult. In fact, I’d say it’s violently difficult. Staying ahead in the technology world is really hard. There are things changing every day. Yesterday, Europe was hit with a monster ransomware virus. And the simple thing is really staying educated. So as IT professionals, like at my company Executech, we train every Friday. And every Friday we go over things that are coming out: security breaches, things like that. So that we’re aware of them and we know what’s going on. There are a lot of really good bulletins. For example, I mentioned Sophos earlier. If someone is a client of Sophos, they can get on their bulletins for security. On top of normal other areas to stay educated with in IT. It’s a fast-moving field. What worked for a firewall [pause] we didn’t talk about firewalls. Firewalls are also very important in blocking a lot of this stuff, but, you know, we didn’t talk about firewalls. The firewalls of two years ago aren’t sufficient today. The firewalls of five years ago are a boat anchor today, you know. So you have to be really careful to know what’s on top of the market. And what is really important for business owners to realize is they can lose so much so fast. And some people don’t want to spend the money on it because it’s kind of like an insurance policy. But it’s such a risky thing in today’s world, and there are economical ways to do it now. Two or three years ago it was cost prohibitive. Today it’s not. And so it’s really worth, you know, the ounce of prevention to stop things like this from happening. And it’s worth every IT professional’s time to spend probably an hour a week just updating themselves on what’s going on in the world and IT security, to make sure each one of them knows what’s being hit onto their network every day.
UBM: Okay, well thank you for coming in.
Montague: Thank you, very happy to be here.
UBM: Thanks also to Greg Shaw for production help. Let us know what you think at [email protected] or reach out to us on social media at @UtahBusiness. You can also subscribe to our podcast or listen to past episodes on Apple Podcasts, Stitcher, Google Play or wherever you find your podcasts. Thanks for listening.