Randell Heath isn't sure how hackers got into his company's website — all he knows is a supplier called, saying the site had become an online store selling Viagra and Cialis.
The problem might have been at the company that hosts the site. It might have been that Heath's passwords weren't strong enough. But the invasion taught Heath a lesson that computer experts say many small business owners still need: Keeping your company's computers and online sites safe isn't a one-time operation, but requires continual vigilance as new kinds of attacks emerge.
"I'm planning on attending a 'Cybersecurity for Small Business' briefing," says Heath, president of Coldsweep, a Mountain Green, Utah-based company that uses dry ice to clean surfaces.
The chances of a small business being invaded, of having computers, smartphones, tablets and even bank accounts hacked because of poor cybersecurity, are rapidly growing. And some of the very things small businesses are encouraged to do to make themselves more visible, like having blogs, can also make them more vulnerable.
Symantec, a maker of computer security software, analyzed threats and cyberattacks that its network encountered and found that 43 percent of all cyberattacks in 2015 targeted small businesses.
Just from 2014 to 2015, Symantec saw a 36 percent increase in new malware, and a nearly 80 percent increase in new variations of the malware targeting Android users. The company also counted one instance of malware in every 220 emails, a bigger risk than one in 244 in 2014. And even after all the warnings, a primary culprit was attachments or links that employees click on, allowing hackers to damage or delete files, track a user's actions or steal data like passwords.
Invasions that render a computer's files unusable unless the user pays a ransom have also surged. Cybercriminals who use this method are aggressive — one variation of ransomware attacked an estimated 100,000 computers a day within weeks of its release last year, according to the FBI.
The costs of an invasion can be steep. Heath estimates he lost $10,000 in business because the site was down. He didn't have to pay to have the website rebuilt, because his business was part of an incubator where tech help was available for free. But recreating a website could run a business well into the thousands of dollars.
Many owners believe they don't have the resources — human or financial — to keep their companies safe, which takes keeping up with frequent security updates for software and equipment.
"The CEO is also the marketing person and also the (information technology) person. They simply don't have the wherewithal to manage computing platforms day to day," says Tom Desot, chief information officer at Digital Defense Inc., which helps companies protect against cyberattacks.
Desot estimates that a company with 30 to 50 employees might have to spend upward of $50,000 initially to give all its equipment the best possible protection, which includes sophisticated software and firewalls to keep intruders out, and then thousands each year to keep their security up to date. Smaller companies would have a much lower expense, but many owners still shy away from a cost that can seem prohibitive.
But there's a bigger problem: owners' willful ignorance, says Diana Burley, a professor at George Washington University whose expertise includes cybersecurity.
"You don't necessarily understand how vulnerable you are, because you think, why would someone target me? I don't have that much in assets, I'm not lucrative, why would I be a target," she says. "We operate in an environment of complacency."
Some owners don't pay attention to notices about patches or updates from computer or software makers, Burley says. Those downloads often contain security improvements because tech companies have discovered problems that make their products more vulnerable to attack.
One solution many small businesses use is to hire a company that monitors computer systems and/or websites and makes sure they stay up to date. The cost for many small enterprises can be several hundred dollars a month.
But computers can still be vulnerable. Owners often don't take the simplest precautions such as making sure passwords they and their employees use are hard to find or guess for thieves using computers called bots that search for vulnerabilities, says Rick Hogan, CEO of Bleevit Interactive, a website design company based in Reston, Virginia.
A weak password and a lackadaisical approach to website maintenance allowed hackers to break into the site of one of Hogan's clients, a family-owned restaurant business. The criminals created additional pages of pornography that showed up in search results, and the intrusion went on for months because the owners didn't check their site. Hogan's company cleaned up the site, but the damage to the restaurant's reputation persisted — its website address was flagged as pornography.
"We couldn't put a link for them on Facebook for six months," Hogan says.
Many owners don't consider when they download software or apps for their phones and tablets that those could contain malware. Even on a legitimate website, thieves sometimes attach invasive programs to ads. And using public Wi-Fi — convenient but usually lax on security — makes it easy for hackers using scanners to steal information if people log into email or bank accounts.
But many problems have solutions. Owners can start by looking for the same kind of briefing Heath sought out. Setting up a virtual private network, or VPN, can make it safe to conduct your business over public Wi-Fi, suggests Aaron Hanson, a product marketing executive with Symantec. A VPN allows information to be sent so it can't be read by cybercriminals that might intercept it. Owners should also investigate an app or plugin before they download it, and emphasize — again — that employees shouldn't click on unfamiliar links or attachments.
Businesses can also back up their data with a security company that could restore most if not all of their files in the event of ransomware or other attack.
David Cingari reaped the benefits of backing up a year ago, when an employee at his catering company came in around 7:30 a.m. to find her computer was taken hostage by ransomware. When she logged in, she got a notification that her files had been encrypted, or locked up so they couldn't be read, and that it would take paying a ransom to get them unlocked.
"I just freaked out," recalls Cingari, owner of David's Soundview Catering in Stamford, Connecticut. But he quickly called the company that maintains his systems. Technicians replaced his files with safe ones that had been backed up offsite. Instead of losing $30,000 in sales and the cost of being robbed of all its information, the company was back in business around 10 a.m.
"That made it so effortless," he says.