ERIE, Pa. — Cyberattacks siphoned $6.9 billion from U.S. businesses in 2021, according to the FBI’s annual Internet Crime Complaint Center report. Tech-support scams, identity thefts and data breaches all increased.
Nearly half of those attacks targeted employee email accounts, according to the report.
“Business owners too often look at cybersecurity as an IT issue,” said Jim Bahm, president and CEO of Networking Technologies and a featured speaker at the Dec. 2 ERIE Conference at Penn State Behrend. “It’s bigger than that. What we’re seeing is a human vulnerability – a failure in the way we hire and train people and make them aware of the risks.”
Those risks extend to employees’ personal lives, where so many daily moments are documented on social media, Bahm said.
“I don’t post pictures of my dog, or mention my dog’s name, on Facebook,” he said. “There’s too much risk. That’s always one of the first security questions, right? ‘What was the name of your first pet?’ If the answer is out there, anywhere, your data can be compromised.”
This year’s ERIE Conference focused on cybersecurity threats: malware, ransomware, phishing and denial-of-service attacks. Much of the discussion explored the risk to small businesses, which often lack extensive IT support.
Erica Plyler, the controller at Channellock, a Meadville tool company, offered a case study: a ransomware attack that compromised nine of the company’s computer servers in November 2019.
“We were down for three days,” she said. “We weren’t able to ship product, pick inventory or pull orders into our system.”
Channellock had purchased a cyber insurance policy in advance of the attack. That mitigated the company’s losses, which totaled nearly $800,000.
Today, every employee at Channellock is required to complete weekly training modules in network and email security.
Employee training programs address the weakest point in any business’s cyber defenses, said Benyawarath Nithithanatchinnapat, an assistant professor of management information systems at Penn State Behrend. She worked as a systems analyst at IBM and GE Capital before joining the faculty at Behrend’s Black School of Business.
“Information security is an ongoing process,” she said. “It’s not a one-time thing. We talk a lot about the first step, which is assessing risk. Once you have assessed the risk, you begin to implement strategies and controls. But you should still be watching for threats and continually be updating your safeguards.”
The ERIE Conference is coordinated by the Economic Research Institute of Erie, an outreach center of Penn State Behrend’s Black School of Business. This year’s conference also featured faculty and staff from Behrend’s Center for Family Business. Learn more at https://eriedata.bd.psu.edu/.