One of the difficulties in getting people like you – and I suppose me, too – to be on guard against bad guys online, is that we are not quite as clever as we think.
“In graduate school, I worked in a computer lab managing systems, and what fascinated me is how people used to hide their passwords on Post-It notes, and they all put them in the same place!” said Dr. Khole Gwebu, associate professor of decision sciences at UNH. “Everybody thinks they’re smarter than the rest, but we all behave in the same ways.”
Gwebu has created an e-course on cybersecurity for small businesses that is part of a new statewide initiative. While it doesn’t include good note-hiding locales (I put mine in the drawer full of old, tangled power cables, because nobody wants to mess with that), he says it starts with the basics because that’s needed by companies with small or non-existent IT departments.
“Once I held a summit on cyber at UNH and what stuck with me is … one person came up and said: There’s just so much, we’re overwhelmed and we don’t even know where to start,” he said.
That feeling is part of the reason that the Small Business Development Center at the University of New Hampshire and the New Hampshire Tech Alliance have teamed up for what they are calling the Cybersecurity Initiative, a free program for small businesses that include Gwebu’s course, webinars, regular blog posts and one-on-one counseling.
“This is an area we’ve long wanted to do more in,” said Linda Gray, state director for the SBDC in New Hampshire. Funding became available through the CARES Act. The final push was COVID-19, which has forced even the smallest of mom-and-pop operations into the 21st century, where malware, ransomware, data breaches and identity theft await.
“We’ve watched a lot of small businesses move to remote work, online e-commerce sales, communicating with customers and clients through electronic channels. We knew this was an area we needed to better support our businesses in,” Gray said.
According to research from the Ponemon Institute, 66% of small businesses around the country have been targeted by some sort of cyber-attack and 63% were victims of a data breach. Business owners are aware of this and worried, Gray said. She noted that in SBDC surveys, “in June 2020, 40% said they were very or somewhat concerned about cybersecurity. In February (2021), 52% said they were concerned.”
Alas for the geeks among us, the Cybersecurity Initiative isn’t heavy on firmware backdoors or cool crypto tech, because what keeps a business safe online is mostly non-thrilling things like written policies and checklists.
“The whole policies-and-procedures aspect should be developed well – that’s your strategy. Some companies don’t even have policies and procedures, and that makes people unsure what to do,” said Gwebu.
“One area that is growing is taking a company laptop home, or bringing mobile devices to work. … The e-course has a section that deals with home security because more and more, people are working at home. When a person takes a laptop home, do they apply the company policies there, and how do we make sure that people are adhering to those policies?”
Indeed, Gwebu said, anticipating and guiding shaping people’s behavior is the key, particularly since online security usually seems more like an obstacle to getting work done rather than a benefit.
“Everyone feels restricted by security and it can be a headache, so it really has to be really well thought out,” he said. “There’s a lot of research on how you get people to comply and follow rules. Some are written too strictly, or not thought out well, which makes it difficult. … It’s a delicate balancing act.”
A big piece of the Cybersecurity Initiative is the Data Assured program developed by the Delaware chapter of the Small Business Development Center. “We’re using it as a framework for educating clients on how to protect themselves and how to recover if they do fall victim to a cyber-attack,” said Gray.
Its advice ranges from keeping track of credit card numbers to establishing data-backup protocols to weighing third-party liability insurance. And then there’s complying with state law, which requires businesses to notify any New Hampshire resident “whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person.” A breach that exposes more than 1,000 state residents’ information has to be reported to the state attorney general.
The Cybersecurity Initiative will launch Tuesday, April 13, at 11 a.m. with a virtual event featuring Jeremy Hitchcock, the state’s second-best-known tech entrepreneur after Dean Kamen. Hitchcock is cofounder of Internet-of-Things security startup Minim but is best known for co-founding Dyn, the domain registrar that bloomed in the Manchester Millyard before being sold to Oracle in 2016. Dyn was subject to a massive denial-of-service attack after Hitchcock left that brought down large chunks of the Internet, evidence that security can be difficult even for the most knowledgeable of firms.
As for Gwebu, he’s working to develop a decision-tree system that would create “a more customized solution rather than a one-size fits all,” in which answers to online questions give different sets of recommendations.
“This is just the very first step in trying to help. Hopefully more might come from this. This is not going to go away – it’s a cat-and-mouse kind of thing. And it’s all our problem.”