By Sharon Elaine Thompson
Multi-million dollar cyberattacks on large companies are leading news stories. However, like 66 percent of small business owners and managers, you may think your business is too small to attract the attention of major-league cybercriminals.
In reality, 47 percent of cyberattacks are aimed at small businesses. In 2018, more than half of small businesses had some kind of breach. Forty percent of those were hit multiple times. Yet a staggering 85 percent of small businesses are unprepared to defend themselves.
“Most jewelry businesses are not tech savvy and are either unaware or unprepared to avoid cyber-enabled crime,” Jewelers’ Security Alliance President John Kennedy told JCK in 2018, and things have not changed substantially.
Small businesses may be attractive because they lack controls: Their anti-malware software is often out of date or turned off. They don’t think about or train for cyberattacks, so someone on staff may be more likely to click a link in a phishing e-mail or text. Their staff shares too much information on social media, or the business posts too much revealing information on its website.
“The human component is huge,” says Nicholas Pottebaum, vice president of reinsurance and programs at Tokio Marine HCC, which partners with Jewelers Mutual Group in Neenah, Wisconsin, to provide cybersecurity insurance to the jewelry industry. “Clicking malicious links, having weak passwords, and carelessly responding to phony e-mails are common entry paths for hackers to move from one compromised system to another.”
But sheer numbers can also be a factor, he adds. “There are thousands of small businesses for every large business. A hacker can use the same phishing scheme to cast a broader net to small businesses.”
Up until now, jewelry retailers, manufacturers, and wholesalers have been slow to move online. “The jewelry industry is lagging behind [other industries] by many years,” says Matt Perosi, co-founder of Jeweler Websites Inc. in Totowa, New Jersey. “Other retail verticals are already entrenched in e-commerce, but jewelers are not.”
This lack of internet presence has largely protected the jewelry industry from a variety of cybercrime. However, COVID-19 has crushed business as usual. With prospects of a vaccine and a return to normalcy possibly 18 months away, all segments of the jewelry industry will have to find ways to go online—and rapidly—in order to survive.
Whether some of your staff works remotely or your business moves into e-commerce, your cybersecurity awareness must come up to speed quickly and you must take it very seriously. Just one cyberattack can cripple or close your business. But in the jewelry industry “everyone seems to overlook that a breach in cybersecurity will likely put you out of business for good,” says Perosi. Just how critical is it? According to a 2018 article in Inc. magazine, 60 percent of small businesses hit by cybercrime close their doors within six months. Don’t want that to be you? Then it’s time to learn about a few types of cyberattacks that criminals are using and what you need to do to protect yourself from them.
Everyone with an e-mail account has been hit by phishing attempts. (Phishing by text message is sometimes called “smishing.”) A report by Infosecurity online magazine found that 75 percent of surveyed organizations were phished in 2017. These attempts are most common during peak retail season—Black Friday, Cyber Monday, and other holidays—when employees are busy, tired, and may let their guard down. These e-mails may seem to come from a friend, colleague, or family member, but they may also appear to come from your bank, lender, or a government agency. The sender’s address is often a look-alike: it appears legitimate at first glance, but closer examination shows misspellings. A frequently given example is an e-mail that comes with a return address that looks like bankofamerica, but actually reads bankofarnerica—the “r” and “n” run together to look like an “m.” (A sender address can also be outright spoofed to show the genuine domain, which is why the request inside the message deserves as much scrutiny as the address.)
The body of the e-mail often creates a sense of urgency to respond—your credit score has dropped, your bank account has been hacked, a supplier needs to confirm your password. COVID-19 scams are also proliferating, most preying on fears about personal safety during the pandemic or offering low-interest business loans or information about the stimulus package. “Because of the fear this arouses, and the news is on your mind, you lower your guard and may respond,” says Perosi.
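A practitioner’s way to catch the bankofarnerica trick is to check every sender’s domain against the short list of domains your business actually deals with, after collapsing the character pairs that impersonate other letters. The Python below is an added example written for this article, not a tool from any of the people quoted; the trusted-domain list and the sample addresses are made up, and it treats the last two labels of a host name as the registrable domain, a simplification that misreads two-level suffixes such as .co.uk.

```python
import re

# Character sequences that read as another character in common fonts. Multi-character
# sequences come first so "rn" collapses to "m" before single characters are mapped.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed list of the domains this (imaginary) business corresponds with.
TRUSTED = ["bankofamerica.com", "jewelers.example"]


def normalize(label):
    """Fold confusable sequences so a look-alike and the genuine name compare equal."""
    label = label.lower()
    for seq, rep in CONFUSABLES:
        label = label.replace(seq, rep)
    return label


def levenshtein(a, b):
    """Edit distance; a single substituted letter ("bankofamerlca") is the typical typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Assumption: the registrable domain is the last two labels. This is wrong for two-level
    public suffixes such as .co.uk; use the Public Suffix List if you deal with those."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def classify_sender(address, trusted_domains):
    """Return (verdict, detail) where verdict is 'trusted', 'lookalike', 'unknown' or 'invalid'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    if not m:
        return "invalid", "no domain part in address"
    host = m.group(1).lower().rstrip(".")
    domain = registrable_domain(host)
    trusted = sorted(d.lower() for d in trusted_domains if "." in d)
    if domain in trusted:
        return "trusted", domain
    # A trusted name buried in a subdomain: bankofamerica.com.secure-login.net
    for t in trusted:
        if host.startswith(t + ".") or "." + t + "." in host:
            return "lookalike", f"trusted name {t} used inside {host}"
    if "." not in domain:
        return "unknown", domain
    name, tld = domain.rsplit(".", 1)
    for t in trusted:
        tname, ttld = t.rsplit(".", 1)
        if normalize(name) == normalize(tname):
            reason = "different top-level domain" if tld != ttld else "confusable characters"
            return "lookalike", f"{domain} resembles {t} ({reason})"
        if levenshtein(normalize(name), normalize(tname)) <= 1:
            return "lookalike", f"{domain} is one edit away from {t}"
    return "unknown", domain
```

Anything rated lookalike or unknown deserves the phone call to a known number that the article recommends later. The one-edit rule will also flag genuine neighbours of very short names, so keep the trusted list to the handful of domains you really correspond with.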
Clicking the links in those e-mails can give cybercriminals access to your computer system, including your personal and financial data and passwords. Once inside your business computer, they can harvest your e-mail lists of clients and vendors and phish those contacts as well, possibly obtaining their financial and password information. Sooner or later, they may score big.
“They’re looking for Social Security numbers, credit card information, dates of birth, identification of buying habits—anything they can get their hands on that they can monetize,” says Matt Sherman, senior vice president of reinsurance and programs at Tokio Marine HCC. They can also infect your computer system with malware, such as viruses or ransomware.
Clearing these attacks out of your computer system can cost a lot of time and money. If the attack spreads to your customers’ systems in turn, your business reputation suffers as well. Ransomware can shut down your business entirely until you pay the ransom to regain access to your system. According to Perosi, ransomware currently accounts for about 7 percent of attacks on small businesses.
“Ransomware is something that really has no bounds,” says Sherman. “The threat can often escalate into hundreds of thousands of dollars, though they’re often [for] a relatively small amount.”
A ransomware attack cost one retail jewelry business tens of thousands of dollars to regain access to its system, says Kennedy. That was followed by the time and expense to upgrade and restructure its system to prevent such an attack in the future.
If you aren’t engaged in e-commerce through your website, and visitors have no way to interact with your business there, attack bots will likely not pay your site any attention, says Perosi. However, if you collect customer contact information via a form—a sign-up for e-mails or newsletter, or a form to request information—or you have an e-commerce site, “you’re going to be more of a target,” he says. Automated scanners do probe any reachable site for outdated software, so even a brochure site needs its platform kept current, but a site that holds no customer data gives an intruder far less to take.
Once in your system, cybercriminals want to hide there and access your data for as long as possible. “They want to keep collecting more usernames, passwords, and financial information,” says Perosi. “That information can then be used for online fraudulent purchases or phishing scams.” While they might also take control of your computer for ransom, by continuing to collect and exploit data, “a cybercriminal can make more money than simply holding your information for ransom.”
If you’re using a third-party website platform such as WordPress or an e-commerce platform such as Shopify, you probably don’t have to worry about this, says Perosi. These platforms “have very strong core programming. They’re going to do their best to make it very, very secure. If security holes come in, it’s usually because someone did custom programming.”
In an overflow attack, cybercriminals bombard a web server with traffic until it crashes. The outage is the immediate damage; stored data is exposed only if the sites on the server have flaws of their own.
Custom programming is any change made to the software system that wasn’t included there originally, such as having a website designer tweak your WordPress site to suit your design requirements. But custom programming also happens when you choose a plug-in, or add-on, to the system. WordPress, for example, has more than 50,000 plug-ins you can add to your website to perform a variety of functions, says Perosi. But there may be security holes in these programs or they may create security issues when you connect them to your system, he warns. The weakness may not become apparent until a criminal attacks. Keeping WordPress itself, your theme, and every plug-in updated promptly, and removing plug-ins you no longer use, closes most of the holes attackers actually exploit; a plug-in that has not been updated in years is a warning sign even if it still works.
“I have found that the free plug-ins are less secure,” says Perosi. “These developers, giving their work away for free, may spend less time than necessary to be sure their code is protected against hacking. If you’re not storing customer accounts online and you’re not using e-commerce, then you don’t have an exposure risk that could put you out of business. If you are storing anything online, then you should ask your developer to recommend a third-party company that will simulate known cyberattacks on your website to reveal any risks.”
Even without plug-ins or custom programming, it’s almost certain that any third-party platform you use for your website will not indemnify you against loss, even if they are hacked and your site is compromised as a result. It is ultimately up to the website owner to secure the site.
Often phishing attacks are not directed at a specific business or even a specific industry, explains Perosi. “Cybercriminals want our personal information.” They usually use it to make a large purchase online somewhere. “The more information they can gather about a person, the more likely they will be able to pass themselves off as you.” They really don’t care who the victim is.
One way they gather as much information as they can, Perosi says, is by forcing a web server “overflow.” A web server is a computer that usually hosts many websites, and just like your personal computer, it can crash. When it does, it usually displays an error message before freezing. The web hosting company must then reboot the server.
Cybercriminals want to force the server to crash. They “network many attacking computers together to simulate the usage of thousands of people at one time,” says Perosi. This causes an overflow. “The overflow attack pushes the server to its limit, and causes everything in [the server’s] memory to explode into the open.” That might be databases of usernames, passwords, or credit card numbers stored on a few or many of the websites attached to that server. “Then one of those attacking computers will be able to capture that information.” Strictly speaking, flooding a server this way is a denial-of-service attack, and a crash by itself does not hand the server’s memory to the attackers: the direct cost is the outage, and customer data is exposed only if the sites on the server have flaws of their own. Sudden spikes of traffic from many addresses at once are the signature of such a flood, and watching for them is how a hosting company or site owner catches one early.
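What a flood looks like in the web server’s own access log, as an added example that is not from the article or its sources: the script below parses lines in the common Apache/nginx “combined” format, counts requests per minute, and flags minutes that run far above the median rate while also reporting how many distinct addresses took part, which is what separates a distributed flood from one misbehaving client. The log lines are generated inside the script and are constructed, not real traffic; the address ranges are the ones reserved for documentation examples.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [timestamp] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if the line is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return {"ip": m.group("ip"), "ts": ts, "request": m.group("req"), "status": int(m.group("status"))}


def detect_floods(lines, factor=5, min_requests=100):
    """Flag minutes whose request count is both above min_requests and factor times the median minute."""
    per_minute = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_minute[rec["ts"].replace(second=0, microsecond=0)].append(rec["ip"])
    if not per_minute:
        return []
    baseline = statistics.median(len(v) for v in per_minute.values())
    floods = []
    for minute in sorted(per_minute):
        ips = per_minute[minute]
        if len(ips) >= min_requests and len(ips) >= factor * max(baseline, 1):
            floods.append({
                "minute": minute.strftime("%Y-%m-%d %H:%M %z"),
                "requests": len(ips),
                "distinct_ips": len(set(ips)),        # many distinct sources => distributed flood
                "top_ips": Counter(ips).most_common(3),
            })
    return floods


def make_sample_log():
    """Constructed traffic, not a real log: three quiet minutes of browsing, then one minute
    of flood spread over 60 source addresses so that no single address looks busy."""
    tz = timezone(timedelta(hours=-4))
    lines = []

    def line(ip, ts, path):
        return f'{ip} - - [{ts.strftime(TS_FORMAT)}] "GET {path} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

    for minute in range(3):                       # 10 requests per quiet minute
        for i, sec in enumerate(range(0, 60, 6)):
            lines.append(line(f"203.0.113.{i % 5 + 1}", datetime(2020, 4, 1, 12, minute, sec, tzinfo=tz), "/rings"))
    for i in range(60):                           # 60 addresses x 4 requests in minute 12:03
        for j in range(4):
            lines.append(line(f"198.51.100.{i + 1}", datetime(2020, 4, 1, 12, 3, (i * 4 + j) % 60, tzinfo=tz), "/search?q=x"))
    lines.append("garbage line that does not parse")
    return lines
```

Run `detect_floods(open("/var/log/apache2/access.log").read().splitlines())` against a real log (path assumed) to get the same report; thresholds should be tuned to your own quiet-hour traffic, since a product launch also produces a spike, but from far fewer distinct addresses per request than a botnet does.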
Attacks against a server, however, do not absolve you of responsibility if your customer’s credit card data is lost, even if you’re using a third-party website platform. “Ultimately it’s the website owner’s responsibility to secure their website,” says Perosi. It is the site’s owner who will be “slapped with heavy fines and lawsuits if they allow customer data to get out into the wild.” Lawsuits could come from customers. The fines come from the credit card industry, and they can be substantial.
The credit card industry established the Payment Card Industry Data Security Standard (PCI DSS) to prevent card misuse and fraud. Every merchant who accepts payment cards has contractually agreed to meet these standards to protect customer information. If your business has a security breach because your system’s security is not up to scratch, the card brands fine your acquiring bank, which passes the fines on to you; they can range from thousands to tens of thousands of dollars per month until all the security issues are resolved. If the issues are not resolved, the bank can revoke the business’s ability to accept credit cards.
One of the best ways to avoid an overflow attack is not to “use an inexpensive hosting service,” says Perosi. “The amount you pay for hosting usually indicates a stronger and faster web server that can withstand the typical overflow attack method.
“Because it’s the website owner’s responsibility to maintain security,” he continues, your website should have an SSL (Secure Sockets Layer) certificate. (The protocol itself has been replaced by TLS, Transport Layer Security, but the certificates are still commonly sold as SSL certificates.) This provides an encrypted connection between the user’s browser and your website’s server, so that passwords and card numbers cannot be read in transit. You can get a free SSL certificate or you can pay for one.
According to Perosi, an inexpensive SSL certificate will verify that the owner of the domain name has the same e-mail address as the person buying the certificate. The more expensive certificates require document verification to make sure the business is legitimate. Savvy website users know how to view the credentials of the certificate, and it makes them feel more secure knowing that the website was validated. These certificates are valid for only one or two years, which forces business owners to get reverified. Less legitimate businesses, and even cybercriminals themselves, will use free SSL certificates in order to hide their identity. Keep in mind what a certificate does and does not prove: any certificate encrypts the connection, and the inexpensive kind proves only that whoever obtained it controlled the domain name at the time, so the browser padlock alone is not evidence that a site is legitimate. The expiry date also needs tracking on your side, because a lapsed certificate greets every visitor with a browser warning until it is renewed.
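Checking a certificate the way a careful site owner should, as an added example not taken from the article: the Python below takes a certificate in the dictionary form Python’s ssl module returns, confirms that the site’s host name is actually covered, and reports whether it is expired, not yet valid, within 30 days of lapsing, or self-signed. The sample certificate record is constructed (host names, issuer and dates are made up); fetch_certificate shows how to pull the real record from a live site and is the only part that needs network access.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed record in the shape ssl.SSLSocket.getpeercert() returns for a validated
# certificate, with only the fields the checks use filled in. Not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.jewelers.example"),),),
    "issuer": ((("organizationName", "Example CA Inc"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "shop.jewelers.example"), ("DNS", "www.jewelers.example")),
    "notBefore": "Mar  1 00:00:00 2020 GMT",
    "notAfter": "May 30 23:59:59 2020 GMT",
}


def utc(year, month, day):
    """Timezone-aware UTC midnight, for passing a fixed 'now' into the check."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def hostname_matches(pattern, hostname):
    """RFC 6125-style match: exact, or a single '*' standing for the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return False


def _cert_time(value):
    # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form used in the dict.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def check_certificate(cert, hostname, now=None, warn_days=30):
    """Return a list of (code, message) findings; an empty list means the certificate is fine."""
    now = now or datetime.now(timezone.utc)
    findings = []
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # very old certificates carry the name only in the subject CN
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(hostname_matches(n, hostname) for n in names):
        findings.append(("hostname_mismatch", f"{hostname} is not covered by {names}"))
    not_before, not_after = _cert_time(cert["notBefore"]), _cert_time(cert["notAfter"])
    if now < not_before:
        findings.append(("not_yet_valid", f"valid only from {not_before:%Y-%m-%d}"))
    elif now >= not_after:
        findings.append(("expired", f"expired on {not_after:%Y-%m-%d}; browsers will warn"))
    else:
        days_left = (not_after - now).days
        if days_left <= warn_days:
            findings.append(("expiring_soon", f"{days_left} days left; renew before {not_after:%Y-%m-%d}"))
    if cert.get("issuer") == cert.get("subject"):
        findings.append(("self_signed", "issuer equals subject; no CA vouches for it"))
    return findings


def fetch_certificate(hostname, port=443, timeout=5.0):
    """Live fetch (needs network). The default context verifies the chain and host name and
    raises ssl.SSLCertVerificationError if the certificate is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Scheduling `check_certificate(fetch_certificate("shop.example.com"), "shop.example.com")` (host name assumed) to run daily and alert on any finding is the cheapest way to avoid the lapsed-certificate warning page; the same check run against a supplier’s site before you type a password is a reasonable habit too.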
But protection doesn’t end with an SSL certificate. “If your website has any type of login or customer account feature, then you should also be hiring a website security service to do routine testing of your website,” says Perosi. They test as often as you choose, from once a day to once a quarter and “will notify you when security problems are found.”
The security company tests your website against the known compliance set of rules that the credit card companies put in place. They also test for well-known security holes. If your site is secure, they issue a PCI-compliant report that you can submit to the bank.
You may need to provide a copy of the PCI-compliant report to your insurer as well. While an insurer may provide base cybersecurity insurance to all of its customers, says Pottebaum, “higher limits can be underwritten and offered. Documentation of compliance may be part of the underwriting process.”
If you are not PCI compliant, your insurance may not cover the cost of lawsuits or fines in the event of a hack. It will depend on the requirements of your policy.
“Remember that the security testing companies only know how to test for known hacking attempts,” says Perosi. “If someone figured out a new cyberattack, you might not be held accountable for the loss of data because you have the report to prove you took reasonable steps to protect that data.”
As part of PCI compliance, you’re required to limit the number of people who have access to customers’ financial information and ensure that each person is readily identifiable by use of a unique ID. In addition, all tech support people must have a background check.
Ideally, you should not store any customer credit card information on your server or in your database. Instead, Perosi recommends using a payment processor, such as PayPal.
“PayPal manages the transaction and all the payment information so the jeweler does not have to worry about it,” he says. If the payment processing site, such as PayPal, or website platform, such as Shopify, is hacked, it takes the liability. “This is one of the reasons the rates from those two companies are higher than your merchant account. They take the risks and they employ an army of programmers to keep their software safe.”
However, he adds, “PCI DSS website compliance is only worried about security for payment cards. Some cybercriminals want lists of usernames and passwords to access online banking, Google accounts, Apple accounts, or even a personal PayPal account. This is where identity theft comes into play.” You should do as much to protect customer identities as you do to protect their credit card information.
While a jewelry business may simply be caught up in a larger cyberattack, the same product that attracts smash-and-grab thieves attracts sophisticated cybercriminals. They target specific businesses and impersonate customers, vendors, employees at a sister store in the same chain, and even people within your business.
This kind of cybercrime takes planning, research, and time, and it always involves social engineering. Their goal is to con you into believing the criminal is a real person and to manipulate you into giving them cash, products, or sensitive financial information. In fact, more than 95 percent of cybercrime is the result of some kind of social engineering.
Cybercriminals can use information you post online to impersonate your vendors or customers to con you into giving them products or financial information.
These criminals do a lot of research on your company online, says Kennedy. Through your social media or website, they learn the names of key staff members and managers, or even the names of clients, if you post testimonials. They troll those individuals searching for more information and may even establish an online relationship. Using what they learn, they then impersonate a customer, a vendor, or someone at another branch of the same chain, and target specific people in the business via e-mail or even seemingly innocent phone calls. But all these contacts seek confidential information: Who is in charge of this? What is the process for that? When does this normally happen? How long will so-and-so be out of the office?
Once they have what they need, they may pretend they’re a customer of yours and ask to have product sent to them. Then they say they’ve moved and give you a new address, or they ask to have it drop-shipped elsewhere. They also may call and ask for a package tracking number, saying they’ve lost it. Then they contact the shipper and have it rerouted in transit.
“The impersonations and the social engineering attacks in the jewelry industry have been significant,” says Kennedy.
In 2017, several luxury retailers were targeted by a well-organized gang who used social engineering to bilk them for millions. In one con, criminals impersonated a media company and arranged for a business to provide jewelry for a photo shoot. The criminal then contacted the business, asked for the tracking number, and had the shipping company reroute the package to another address. Another company sent $50,000 worth of diamonds to a fraudulent customer. The thefts cost these and other businesses an average of $1.2 million each.
These kinds of cyberattacks usually involve large companies and well-known brands. “We’ve seen them go after the luxury manufacturer and large retailers,” says Kennedy. However, he adds, “they also go after smaller retailers.”
It’s not only product these criminals target, but entry into your bank. For example, Pottebaum says that once a cybercriminal has phished his way into your system, he “actually sits [there] for an extended period of time, and monitors activity.” They watch someone of authority, such as the CEO, to see who she e-mails and learn to impersonate how she or others communicate through those e-mails. And they bide their time.
“They may wait until the CEO gets on that flight across country and is working on her phone,” says Pottebaum. “They send an e-mail asking for, as an example, ‘the wire instructions for the payment we talked about.’” Far too often, the CEO sends it.
A ransomware attack can happen the same way. For example, a criminal may imitate a vendor from overseas and send an e-mail that says something along the lines of, “Here’s the latest invoice. Thanks for your business.”
“If you click on that, your system is encrypted [by the criminals],” says Sherman. You will not get access to your system again until you pay the ransom.
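The wire-instructions e-mail described above leaves traces in the message headers that a mail filter, or a careful person, can check before anyone replies. The Python below is an added example, not from the article or its sources: it parses a raw message and flags a display name matching a known executive on an address outside that person’s usual one, a Reply-To pointing to a different domain than the From, a failed SPF/DKIM/DMARC result in the receiving server’s Authentication-Results header, and wording about payment details or urgency. The list of known people and both sample messages are constructed.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: the people staff know by name, and the address each actually writes from.
KNOWN_PEOPLE = {"jane doe": "jane.doe@jewelers.example"}

PAYMENT_WORDS = re.compile(
    r"\b(wire|wiring|bank details|account number|routing number|new account|payment instructions|gift cards?)\b", re.I)
URGENCY_WORDS = re.compile(
    r"\b(urgent|asap|right away|immediately|end of (?:the )?day|confidential)\b", re.I)


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_message(raw):
    """Return (code, detail) findings for one raw RFC 5322 message; an empty list means nothing suspicious."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_addr = reply_addr.lower()
    # Replies silently routed to a different domain than the one shown in From.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append(("reply_to_mismatch", f"replies go to {reply_addr}, not to {_domain(from_addr)}"))
    # A familiar display name on an address that is not the one that person uses.
    expected = KNOWN_PEOPLE.get(from_name.strip().lower())
    if expected and from_addr != expected:
        findings.append(("display_name_impersonation", f"'{from_name}' writes from {expected}; this came from {from_addr}"))
    # The receiving mail server records SPF/DKIM/DMARC results in Authentication-Results.
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\b(spf|dkim|dmarc)=fail\b", auth, re.I):
        findings.append(("authentication_failed", auth.strip()))
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if PAYMENT_WORDS.search(text):
        findings.append(("payment_change_request", "asks for wire, bank or payment details"))
    if URGENCY_WORDS.search(text):
        findings.append(("urgency_pressure", "pushes for immediate or secret action"))
    return findings


def should_hold(findings):
    """Hold for a phone call on a known number when a payment request rides on a suspect sender."""
    codes = {c for c, _ in findings}
    sender_suspect = codes & {"reply_to_mismatch", "display_name_impersonation", "authentication_failed"}
    return bool(sender_suspect) and "payment_change_request" in codes


# Constructed messages, not real mail. The first imitates the "CEO on a flight" request.
SPOOFED = """\
From: Jane Doe <jane.doe@webmail.example>
Reply-To: jane.doe.office@mail-relay.example
To: accounts@jewelers.example
Subject: Re: payment we talked about
Authentication-Results: mx.jewelers.example; spf=fail smtp.mailfrom=webmail.example; dmarc=fail header.from=webmail.example
Content-Type: text/plain; charset="utf-8"

Boarding a flight and working from my phone. Please send the wire instructions
for the payment we talked about right away, and keep this confidential.
"""

LEGIT = """\
From: Jane Doe <jane.doe@jewelers.example>
To: accounts@jewelers.example
Subject: March invoice from the casting house
Content-Type: text/plain; charset="utf-8"

Attached is the March invoice for the casting work; it matches the purchase order.
"""
```

None of these signals proves fraud on its own, and a stolen mailbox passes every header check, which is why the article’s rule stands: any request to send money or change where it goes is confirmed by phone on a number you already have.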
Always be suspicious of e-mails and phone calls asking for any kind of confidential information, and train your staff to double-check these types of requests.
“Stores should be careful with posting to social media,” says Perosi. “They should never give out their personal addresses. Employees should never talk about when they are leaving the store, arriving, or in the store alone. I also dislike when a store announces that they are closing for a week to go to a trade show, and I especially dislike it when they make that announcement weeks in advance. Those early announcements give the criminals plenty of time to case the store and figure out how to get through their security while the staff is away.”
Across industries, for businesses whose revenue is less than $10 million, the average size of a cybercrime loss ranges generally from $30,000 to $40,000. But, as the social engineering cases of 2017 showed, they can be substantially higher.
Jewelers can insure their businesses with a number of specialty companies that offer cybersecurity policies. These policies cover the kinds of costs usually associated with a breach—hiring an attorney for advice on how best to advise customers about the breach or a PR firm to help protect your business’s reputation. There might also be fines and penalties levied against the business for failure to safeguard customers’ information, or lawsuits by customers who are harmed if their privacy is breached. These are covered to the limit outlined in your policy. In the case of ransomware, your policy may even cover the cost of a ransomware negotiator, who may be able to negotiate a lower ransom in exchange for decrypting your system.
The cost of the policy depends on the size of your business and the potential size of your loss. However, “cyber premiums are at such a level that they make financial sense,” says Sherman. The cost is far less than opening your business up to the risk of cybercrime.
A great deal of cybercrime is preventable by putting as much effort into guarding against it as you do into protecting your business against other types of crime, says Sherman. “Small jewelry businesses may spend many thousands fortifying their brick-and-mortar stores, yet they may not fortify their network to protect their information. While preventative measures are not foolproof, they can make quite a difference.”
Regardless of the computer hardware and software you use, follow these guidelines to beef up your cyber protection:
• Be sure firewalls are in place and secure. Install and keep your antivirus and anti-malware software current. These programs are constantly updated to scan for the latest threats. “Any small business really needs to ingrain this into their daily operation,” says Sherman. “It’s a way of doing business that is outside the experience of most small businesses. But it’s really critical [for] their digital security.”
• To avoid being a victim of ransomware, back up your data every day in the cloud or on at least one outside server. “If you have it backed up, you’ve reduced its value to the thieves,” says Pottebaum. And if you are hacked, you can retrieve your system without paying the ransom.
• Never work from public Wi-Fi, such as that at a coffee shop or on an aircraft. These networks are unsecured and your risk is high; if you must work away from the office, use your phone’s mobile hotspot or your company’s VPN rather than the shared network. “Even checking innocent e-mails on public Wi-Fi increases the chances of malware or hacking,” says Kennedy. “Once you are logged in, your system is more vulnerable no matter what you are doing.”
• Secure the Wi-Fi at your own business. “Network security can be breached through a Wi-Fi hotspot in a store,” says Perosi. “Every jeweler I know still has a visible Wi-Fi for their store. You can see these hotspots while sitting in your car outside. Most local networks of computers are set up to trust any shared files with any other computer on the network. Therefore, someone who hacks into a hotspot could easily get access into old Windows computers.” PCI DSS requires that any wireless network connected to your card-handling systems use strong encryption (WPA2 or better), have its default passwords and settings changed, and be kept separate from the payment systems; hiding the network name by turning off its broadcast is an extra step some take, but on its own it offers little protection. A separate guest network for customers’ phones keeps visitors off the network your computers share.
• Think before you click. To avoid phishing attacks that can infect your system with malware or ransomware, no one at your business should click on hyperlinks in any suspect e-mail without being very sure the communication is from a person or company they trust. “So many of our claims would have been prevented if someone had just taken a moment to think, ‘Is this someone I know?’” says Sherman.
Even if an e-mail seems legitimate at first glance, be very sure it has not been spoofed by looking for unfamiliar or foreign domain names, misspellings, or any other anomaly. If your customer or vendor has not sent you this kind of link or confirmation before, or if your bank or loan company doesn’t usually contact you this way, be suspicious. If a vendor or customer is asking for information they should have, such as tracking or bank information, or if they want to change the destination of a package or payment, confirm the veracity of the e-mail before going any further. Contact the customer or vendor directly, either by calling or by sending an e-mail to a known e-mail address. Do not reply to the address in the suspicious e-mail.
You probably can’t question every e-mail, but pause briefly before you respond, especially if your first thought is, “Hmm. They’ve never asked for this before.”
“If you have the slightest doubt, don’t respond,” warns Kennedy. “Just delete it.”
• Don’t permit employees to use company internet-connected devices at work for personal use, to download software without permission, or to introduce personal memory sticks into a company system.
“Training, training, training,” says Sherman. “Your employees’ habits and behavior are key.” To hammer home the risk of phishing attacks, some small businesses send fake phishing e-mails to their employees with a message such as “Here is your annual performance review. Click here to see it.”
“It’s an opportunity to have a coaching moment and explain that this is actually a scam,” says Sherman. “See how a malicious actor can break into the system.”
• Think carefully about the information you post online about your staff and your customers, or the pictures or video of your store. (Thieves can take a virtual tour of your premises and learn the layout without having to risk entering your store.) Be thoughtful about the images you post of special events and the names you attach to those images. Facial recognition and reverse image search tools can match those faces to names and other information by scanning online sources, such as Facebook and other websites.
Remind employees that they work for the jewelry industry 24/7, and to be extremely careful about the information they post to their social media accounts.
• Pay attention to potential threats in your social media streams, on your website, and in your e-mails. This may mean hiring a dedicated employee or using a third-party security service. “Someone has to be the physical administrator of the hardware, and you need a programmer if there are update glitches,” says Perosi. “They need to pay attention day to day, noticing if there are some strange submissions that might hint at a potential attempt at hacking.” They’ll also look at tests run by the security company testing your website.
“If small businesses can afford to take the time to do it themselves, they should,” says Perosi. But avoid handing the job to just anyone. “The person doing this maintenance should be tech savvy and willing to do it.” If you don’t have someone on staff who can handle this, “outsource it to someone who has better technical experience.”
• Do not store any customer credit card information on your system. If you use a third-party point-of-sale platform, choose one that has very strong security protocols.
“If your website has enough sales, you probably will want to use your own merchant account with a lower discount rate instead of [a payment processor such as] PayPal,” says Perosi. “When using your own merchant account, you will have to save the payment card information to the website for the short amount of time it takes to verify the payment, and then it can be deleted. You could also choose to save the information permanently. Most banks frown upon the permanent storage of payment information.” Two caveats apply whichever route you take: PCI DSS forbids storing the card security code (the CVV) after authorization under any circumstances, and any card numbers you do hold, even briefly, must be encrypted and kept out of log files. A hosted payment page or your processor’s tokenization service lets you run your own merchant account while the full card number never touches your server.
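Handling card numbers briefly, as Perosi describes, means making sure they never land anywhere permanent such as a log file. The Python below is an added example, not code from the article or any payment provider: it validates a candidate number with the Luhn mod-10 check that every real card number passes, masks it to the last four digits (PCI DSS allows at most the first six and last four to be displayed), and scrubs any valid number out of a log line before it is written. The sample line is constructed and uses a publicly known test card number.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes, not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits):
    """Mod-10 check that every real card number passes; filters out order and tracking numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits, the most that a receipt or log ever needs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_pans(text):
    """Replace every Luhn-valid card number in a line of text with its masked form."""
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(repl, text)


def card_reference(pan):
    """What a merchant may keep after authorization: the last four digits (plus the processor's
    token, which this example does not have). Never the CVV, never the full number."""
    digits = re.sub(r"[ -]", "", pan)
    if not luhn_valid(digits):
        raise ValueError("not a valid card number")
    return {"last4": digits[-4:], "masked": mask_pan(digits)}
```

Wrap your logging so every line passes through scrub_pans before it is written. About one random digit string in ten passes the Luhn check, so a long order or tracking number is occasionally masked too, which is a harmless failure compared with the alternative; the three-digit security code cannot be recognised this way, so it must simply never be written anywhere.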
• Stay PCI DSS compliant. “Have your website tested,” says Perosi. “Pay for the needed upgrades when new security holes are found.” If you have done everything you can and should do to protect your client’s information, you may not be hit by fines in the event of a breach.
Regardless of size, all businesses must prepare for a possible cyberattack. Experts say that almost every company will be hit, many of them multiple times. “No industry is immune to cyberattack,” says Pottebaum. “Everyone in the jewelry industry needs some kind of cyber protection.”
However, preparing for a cyberattack is not something you do once and forget about. The speed, frequency, and sophistication of cyberattacks increase every day. Unseen behind your computer system, firewalls and software are under relentless attack. If you do not stay on guard, and if firewalls and anti-malware software are not updated regularly, sooner or later they will fail and your system will be compromised or held hostage. It’s imperative you evaluate your protections, update them, and then keep updating them to protect your personal and financial data and that of your customers.
Don’t be one of the 60 percent of cybercrime business victims that are forced to close.