Help Isom IGA recover from devasting floods
Cybersecurity isn’t a crime of the future—it impacts us daily. Today, half of American adults’ personal information has been made public by cybercriminals. Businesses from the top CPGs to the smallest independent grocers have been breached, putting their livelihoods at stake and costing billions.
"This is an existential threat for many small businesses," Andrews said. "They they have no clue what kind of damage cybercriminals will do to their business and their personal lives. It's absolutely a key topic that we have to get ahead of. We're already way behind; the risks are growing as you'll see on this presentation today.”
IGA CEO John Ross and Millennium Digital Technologies President & CIO Ken Andrews spoke about the cyber threat to independent grocers, especially as the holidays approach, during the October webinar Unlocking Your Store For Cyber Criminals? 5 Habits to Break Now! Keep reading and watch the webinar below for key takeaways.
An Urgent, Devastating Threat
"How easy have we have made it for active criminals to attack us? If you're not asking that question, we're probably not running our business appropriately," Andrews said.
Ransomware is a very real concern, with attacks occurring every 11 seconds, according to Andrews. The primary vector for malware? Email. Andrews noted that 94% of malware and ransomware is delivered via email. These attacks don't just lock users out of systems — they involve significant data breaches that can have prolonged, damaging consequences.
These consequences cost businesses money and their reputation — two assets independent retailers can't succeed without. Ransomware payments averaged $228,000 in 2022, according to Andrews, but he noted large companies often face demands of $20-30 million. With about 40% of companies paying the ransom, more than half are unable to recover data using backups.
On top of that, a hack at your store can hurt your customers at home.
All of a sudden your customers are being attacked — the cost is almost incalculable in these situations," Andrews said. "Once that data is exfiltrated, the problem absolutely never goes away. Maybe you get your systems back up, maybe you've restored everything, but the data that's out, once the genie is out of the bottle you can't ever put it back. The key to all of this is just don't get yourself into the situation in the first place."
Break These 5 Habits Immediately
1. Not Managing Your Network
"80% of the customers we are first introduced to have serious flaws in their networks," Andrews said.
What does that look like? A store without threat detection or a commercial-grade fire wall that inspects the traffic going back and forth and looking for malware.
"Your network is your first line of defense. It's core to your business. Everything runs on that: your point of sale, your back office computers, your scales, your wireless, your receiving system — everything is riding on that network, yet it amazes me how many people don't invest in it," Andrews said.
The fix is simple and inexpensive, with Andrews saying it's often under $1,000 as a one-time expense. "We rightsize the equipment — you're not over-buying it, but you're buying something with enough capacity and room for growth that the equipment will typically last you about 5-7 years."
With the cost at about $200 a year for five years, Ross said it's a no-brainer. "That's the cheapest business insurance we will buy," he said.
2. Not Controlling Remote Access
Each vendor that supports you brings their own remote access tools, from your accounting company to your point of sale vendor to back office vendors. Retailers can't control the security at all of these points, which can make it easy for cybercriminals to breach the vendors' systems and your own.
Andrews shared an example of a comptroller with an unauthorized remote access tool on their machine. A million dollars were stolen from their payroll account on payroll Friday. "It was an absolute nightmare," Andrews recalled. "They bounced payroll and they had a million dollars missing."
3. Committing Multi-Factor Authentication (MFA) Faux Pas
What is multi-factor authentication? It's using more than one factor to log in. For example, entering your username and password is one login factor. But typing in a code you receive via text or email is a second login factor, making this login process multi-factor.
Multi-factor authentication is important, because if someone steals a username and password, they still can't access your account with those assets alone. But multi-factor authentication isn't fool-proof. For example, sending MFA codes to vulnerable sources like email can compromise security.
For more examples of multi-factor authentication faux pas, including multi-factor fatigue, start watching the webinar at the 24-minute mark.
4. Ignoring Cloud Security
"Just because it's on the cloud, doesn't mean it's secure. In fact, it's often less secure and you must be more diligent if it's on the cloud," Andrews said, adding that major cloud providers like Microsoft and Google may not offer robust security by default.
Hackers are aware of the common misconception that cloud-based is automatically secure, and they exploit that misconception by breaking into cloud-based records.
5. Not Using EDR On Sensitive Computers
Endpoint Detection in Response, or EDR, is a powerful antivirus solution that leverages AI (artificial intelligence) to examine your system's behavior and assess risks based on that behavior.
"With EDR, we're looking at the behavior of the user and the behavior of the applications. For example, the behavior of the email you clicked on — we're looking at what it's trying to do on your system and then using AI to analyze that and say if it's a good action or a bad action. If it's a good action, we allow it to continue. If it's a bad action, we quarantine it."
Andrews noted that sensitive computers include both the retailer's own computer and computers that any employee is using to check their personal email. Every level of network access brings significant risks to a store's system.
Implement Solutions Before the Holidays
To help Independent Grocers Alliance members get protection in place before the holidays, Andrews and Millennium Digital Technology created an EDR Guard endpoint protection package that is all software — no hardware required.
"It provides a really good mix, with five of those EDR Guard client licenses so you can put that on owner computers, accountant computers, manager computers — whoever those high-risk computers belong to, we give you five of those client licenses," Andrews explained.
The software stops breaches and ransomware attacks before they get into the network, plus there is $100,000 of breach indemnity, so if a retailer using the software is hit by a ransomware attack, they have coverage. In addition, Millennium Digital Technology will scan the store's internet connection on a quarterly basis and reports on vulnerabilities so retailers know where they need to strengthen defenses.
Independent grocers can seem like sitting ducks to cybercriminals, and for good reason. They're often busy with day-to-day operations and invest in customer-facing improvements that shoppers can see instead of technology training and security.
Cyber attacks are most prevalent during the holiday season when businesses are at their busiest, making an attack easier and ransom more likely to be paid because having systems down during the most profitable season will cripple a small business.
Don't be a sitting duck. Make a small investment in security measures to save your business from substantial losses. Address potential vulnerabilities before the rush begins with a quick solution, like the EDR Guard, and consider an even more secure solution offered by Millennium Data Technologies through IGA. From the free level, which offers training and best practices, to the full level that includes a managed firewall, 24/7 support, internet backup, PCI and PII protection, and more, we've compiled options that allow retailers to run their stores while the tech experts protect their networks.
No Comments Yet
Let us know what you think