Skip to content

RBJ: Small businesses are the big phish in cyber scams

By: Dea Corsi
Published: Friday, 11 February 2022

Small businesses are the big phish in cyber scams


Whether your business is a retail store or restaurant or you’re a partner in a law firm or medical practice, you’re really in the cybersecurity business.

“Cyber threats are real and threaten every business out there,” said Cheryl Nelan, president of CMIT Solutions of Monroe.

“It’s not something that just the IT people have to worry about,” she said. “If you care about the business you’re working for or running, the biggest risk to that business is a breach.”

“If you think you don’t have time to learn how you can prevent those breaches, or making complex passwords seems like too much pain in the neck, then how is your business going to survive into the next decade if you’re not thinking about these things today?” she cautioned.

Breaches of big-box stores and health insurers within the past decade made headlines and forced corporate leaders to fortify their electronic barricades against intrusion. Now, small businesses find themselves the targets of hackers, whether through phishing schemes targeting employees or attacks on software.


“Everybody used to say, ‘I’m only 15 people, nobody cares about me,’” said Eric Houck, chief virtual information officer of Iconic IT. “That way of thinking has changed. Actually, you are the person in the sights at this time.”

Cybersecurity is the responsibility of every employee; but getting staff to realize they need to log in with multifactor authentication and to carefully read the address on the email they’re about to open starts at the top. If the CEO clicks on pictures of puppies, it’s hard to hold employees to a different standard.

In her training, Nelan teaches employees to take 30 seconds when they see an email to scan the address of the sender. Is everything spelled correctly? Once the employee opens the email, think about what it says. Would your boss or colleague really say what’s written?

She gave an example of client who received an email that looked like it was from the boss asking for money to be wired to close a deal. At first glance, it made sense. The employee knew the company was working on a deal.

“She did the 30-second breathe that I tell them to do all the time,” Nelan said. “Instead of doing the wire, she said, ‘Wait a minute. That’s a little unusual for my boss. Let me look a little closer.’”

The employee spotted a misspelled email address and reported the attempted breach. Nelan said CMIT was able to alert others in the company and prevent a problem.

With all the training that companies are required or choose to do – from HIPAA to sexual harassment to diversity – employees could feel overloaded. Much of training is web-based, and there’s a temptation just to get it done and get back to work.

Plus, guidelines taught at an annual training session tend to be forgotten. To make sure employees have paid attention, “You go and test them,” said Jeff Reinholtz, senior manager, partner training with Datto, Inc. “That wakes people up really quickly … when you do that, it changes people’s sense and awareness.”

Employees who click on the set-up email get immediate feedback and additional training.

Reinholtz suggested using internal communications to remind employees and provide a daily security tip. Messaging and testing need to be frequent as brushing your teeth. “If it’s not, you’re jeopardizing the organization.”

The popularity of cloud computing has added to the imperative.

The cloud makes it convenient for legitimate users to access data and tempting for hackers to try. If customer data were compromised, the damage to the company’s reputation could be irreparable. Even if data aren’t stolen, a breach could put a company out of business.

To protect against unauthorized use, companies are moving to multifactor authorization – the cyber version of wearing a belt and suspenders.

In some cases, making sure employees use more than one identifier when logging in to the system is a condition of insurance. Houck said he gets two or three calls a week from clients who have received letters from their carriers requiring proof of multifactor authorization. He said he has been talking to clients for several years about increasing security in their systems, and some thought he was trying to scare them.

Houck said he was an IT director for 12 years, and admitted he was naïve to threats. “I happened to get lucky. I ran a business that could have gotten breached and had it gotten breached, it would have gone out of business.

“You can’t be the last business to adopt this,” Houck said. “If you do, you’re literally leaving yourself out for the wolves.”

The other side to cybersecurity is software – making sure there are no coding errors that create vulnerabilities for attack.


“This is a much more shrouded area,” said Craig Lamb, partner at Envative, a custom software technology consulting firm.

Lamb gave an example of a business needing to collect information on customers who place orders, then sending the data on the orders to the warehouse and once the order is filled, sending data so the company can issue a bill.

“What they’re not asking is, ‘How do you do that?’ and ‘While the data is flying around the ether, how are you making sure my data is safe?’” Lamb said.

This is important in any type of e-commerce. For an artist selling online, making sure the software can handle heavy traffic helps protect data. “Say you get a huge order in one day,” Lamb said. “If your developer didn’t handle buffering very well, which means it’s jamming a bunch of data at once, that can be a buffer overrun. When packets are overrun, while they’re waiting to get to the end point, if that data has not been encrypted, it can be absconded.”

If your business must adhere to regulations – such as health care and HIPAA – it is also crucial to ask how the software developer is adhering to standards.

Lamb said you may not understand the complete answer, “but there are nuggets of things you can double check.”

He said professional software firms may anticipate a question you don’t know to ask. He said businesspeople looking to have any coding written should ask about the protocols for protecting data. Even if they train employees to detect malicious emails and to not click reflexively, they may not know the vulnerability is in the software.

The result could be catastrophic.

“Your data is the most important part of any company,” Lamb said.

Patti Singer is a freelance writer in Rochester. She covers a range of topics and can be reached at

Tagged as: Cybersecurity, Software Development

Dea Corsi

About the Author:

Dea Corsi

Original author of this article is Rochester, NY freelance writer, Patti Singer. As representative of Envative, Dea has reprinted this article in it's entirety here to highlight the contribution of software and technical subject matter expert, Craig Lamb.