Cyberattacks are hitting operators weekly: why we almost never hear about them
A single cyberattack on a business can paralyze operations, cost thousands in ransom payments and rack up even more in recovery expenses. Yet despite the growing risk, many small and mid-sized businesses still underestimate the danger. The good news: there are steps any company can take to reduce its exposure.
How big a risk is this for convenience services operators? Too big to ignore, says John Hickey of Tech 2 Success. And he should know: his company provides managed IT and cybersecurity services, helping protect vending, micro market and office coffee service businesses from ransomware, phishing and network vulnerabilities.
How often does his company encounter cyberattacks in the convenience services industry? “About once a week,” Hickey said.
At first, that number sounded hard to believe. After all, you rarely hear about small and mid-sized companies getting hacked. But Andrew Valdivia, area president for insurance giant Gallagher, said Hickey is probably being conservative with his number.
Everybody’s getting hacked
“Some industries are more vulnerable than others because they don’t have the right controls in place,” Valdivia said. “But everybody is being attacked. It’s not a question of if — it’s a question of when for most businesses, large and small.”
“We all hear about the headline-making hacks,” he added, “but smaller businesses are just as susceptible and don’t have the resources to recover from a major cyber incident, whether it’s ransomware or a loss of client or employee data. It’s a very significant issue.”
Nobody wants to talk about it
“The hack can be as simple as someone clicking a link in an email — or as severe as having their entire infrastructure held hostage,” Hickey said. He added that many operators prefer to keep these incidents quiet.
“Unfortunately, it’s not something anyone wants to speak openly about. Operators may be generally aware of cyber risks, but if they haven’t personally experienced an attack, they tend to think it won’t happen to them.”
An unsettling experience
“People feel embarrassed when their business gets hacked,” Valdivia said. “It’s unsettling. They don’t want vendors, customers or competitors to find out about it.”
Public companies are required to disclose cyber incidents, but privately owned businesses are not. “So, when small business owners never hear about their peers having cybersecurity problems, they sometimes let their guard down,” Valdivia explained.
What hackers do
Hickey shared several real-world hacking examples Tech 2 Success has encountered.
In one case, a business owner received a call from someone claiming to be from his bank. “When you send a check, your routing number and account number is right there,” Hickey said. “This was a social engineering attack. The hacker knew the bank, the account number, and personal details about the owner.”
The caller used an official-sounding script to lull the business owner into letting his guard down. It began something like, “This is Joe from Chase Bank. There’s a problem with your account. We need you to log in and run a test transaction.”
The owner nearly transferred $40,000 to the hacker. Fortunately, he stopped short of sending the money, but the attacker still managed to gain control of his bank account. “The bank required a full audit of every computer and device in the company, plus a certified letter confirming the cleanup, before restoring access,” Hickey said.
Other attacks are more sophisticated. An employee clicks a malicious email link, giving hackers back-end access. The attackers quietly embed themselves on a server. Then, 30 to 60 days later, they lock down the entire system and demand ransom — often one Bitcoin, roughly $75,000.
“When operators say they can’t afford that, the hackers may reduce the ransom to $10,000 or $20,000,” Hickey said. “In many cases, companies discover their backups don’t work as expected. They have to rebuild their entire infrastructure from scratch. We’ve seen numerous companies wiped out. It happens far more often than people realize.”
Basic mitigation strategies
Hickey recommends three basic steps to reduce cyber risk:
- Change passwords regularly.
- Use multi-factor authentication.
- Have an IT professional such as Tech 2 Success evaluate your internal cybersecurity procedures.
Valdivia noted that cyber insurance is readily available for businesses of all sizes. “There are multiple carriers, and pricing is reasonable,” he said. “One major benefit is access to the carrier’s negotiators and attorneys, who can determine whether a threat is credible and help deal directly with hackers.”
He added that insurers won’t underwrite policies unless companies take appropriate security measures. “As part of the process, carriers provide guidance on strengthening your cybersecurity program. That alone can be extremely valuable.”
About the Author
Bob Tullio
Bob Tullio is a content specialist, speaker, sales trainer, consultant and contributing editor of Automatic Merchandiser and VendingMarketWatch.com. He advises entrepreneurs on how to build a successful business from the ground up. He specializes in helping suppliers connect with operators in the convenience services industry — coffee service, vending, micro markets and pantry service specifically. He can be reached at 818-261-1758 and [email protected]. Tullio welcomes your feedback.
Subscribe to Automatic Merchandiser’s new podcast, Vending & OCS Nation, which Tullio hosts. Each episode is designed to make your business more profitable.