Kevin Loud recently received an email from someone seeking delivery of multiple HVAC items. The emailer asked for pricing information, the types of payment the company accepts, and its address and phone number.
Loud, vice president of operations at Loud Brothers Inc., Glenview, Ill., immediately had warning sirens go off, but decided to go with it. The emailer would take any brand, and said the equipment would be picked up by a freight company. Loud eventually got an address and phone number to “ship to,” and ran a search on both. As he suspected, they were linked to scams, so he reported it to the emailer’s local sheriff’s office and ceased contact.
“You get that red-flag feeling,” Loud said. “Being a smaller business, you don’t necessarily expect to have people reach out blindly via email requesting equipment acquisitions. Installation services, maybe, but not deliveries. If you’re selling stuff online, that would make sense. We’re based in the Chicagoland area, and, being a small business, a lot of our clients are referred. But, an email asking for random equipment and a price, that’s odd. Certainly not in the daily routine I go through.”
Loud’s experience illustrates a challenge many HVAC contractors and their employees face on a daily basis: how to keep the company safe on the Internet.
“The scary part is, it’s hard enough to make a small business run, and this could be enticing if business is slow,” Loud said. “If you’re put up against the ropes, and something like this presents itself, there may be people who are tempted to pursue it. If you’re already struggling to pay bills and keep people on payroll and you do this, your next move could be closing your doors for good.
“I talked with my insurance agent about general liability with our business insurance covering something like this and they don’t cover it. You’re out. If they use a credit card to pay and it comes back as fraudulent or stolen, then the credit card companies are going to come after you. You have to protect yourself.”
Stu Sjouwerman, founder of KnowBe4, a security awareness training firm, said contractors need to practice defense-in-depth, making sure their network is protected, that all firewalls and anti-virus programs are up-to-date and tuned-in, and, most importantly, that all employees are trained not to fall for hackers’ tricks.
“Users are the low-hanging fruit,” Sjouwerman said. “Cyber criminals do research on social media sites and send sophisticated phishing attacks that will infect the workstation of the users and allow the bad guys to take over.”
Greg Crumpton, president, AirTight Mechanical, Charlotte, N.C., said his company is very aware of the dangers the Internet brings, noting that the Internet’s web of negativity most often impacts contractors’ finances or reputations. He places a lot of importance on it, and has a full-time IT person on staff. He says his company buys insurance against scams and hackers through talent.
“You have to trust the steps you take internally to educate and train. You also have to build as strong of a firewall as you can, to maintain your Internet security,” Crumpton said.
“It requires money. You have to pay somebody who knows what they’re doing, and you can’t just hope the firewall that comes with Windows will work. You have to go several layers beyond that. … You need to carry the same dedication to excellence you have with technicians all the way through your organization, even on IT.”
Greg McAfee, president, McAfee Heating and Air Conditioning, Kettering, Ohio, said the importance of having an IT professional cannot be overstated, especially for a small business.
“That’s one thing contractors need to be doing,” McAfee said. “I consult with a lot of them, and a lot of them don’t have an IT guy. They’re letting things get too old or outdated, which makes it easier for somebody to hack in. Or you click on the wrong website and your Internet fleet can automatically be shut down.”
McAfee knows all too well about the impact of hacking. About a year ago, a user at his company clicked on a link he thought was safe, but it ended up hacking into several computers, rendering them inoperable.
“Fortunately, it didn’t get into our main server,” McAfee said. “Each desk has its own system that links into the main server. It got into some of the PCs and shut things down. It wouldn’t let us into our own system. Fortunately, we had other filters in place, keeping them away from the main server, but they did take some information off each PC.”
McAfee does not employ a full-time IT professional, but does have a qualified techie available on call 24/7, who also comes in once a week to assess the system. He stressed the importance of making sure your data is backed up to not just one but two places. His company sends its data to the cloud and a separate server, both of which are protected and backed up daily. Internet security is a topic that is often discussed, he said, and he often gets emails in his inbox that appear to be from himself, flush with attachments that will ruin the day.
“Now, what’s even scarier is we’re going paperless here soon, and everyone is going to have tablets out in the field,” McAfee said. “We have them set up where they are secure and filtered — if one’s left laying around, they do have a password — and we have to allow it in to our server, but with these kinds of things all out in the field, you’re really more vulnerable than ever. It’s not just in the office anymore. Now we’re opening it up to technicians and installers out in the field, and warehouse people keeping track of inventory. It’s needed for growth, but it’s a little scary.”
Even though conventional wisdom would suggest these scams would see diminishing returns over time, that’s not the case, Sjouwerman said. “Are you kidding me? These scams have exploded,” he said. “Most employees are still blissfully unaware that they actually are being targeted. These sophisticated spear-phishing emails are making it through spam filters all the time.”
That’s why it’s so important to make sure your company is as up-to-date and aware as possible. Crumpton suggested either hiring or partnering with a person who understands how the Internet works.
“Education and awareness are very important. These lessons must be repeated often, with the common theme of keeping your circle of trust intact at all times,” Crumpton said.
“All of our employees are there, and we’re working to keep everyone else out. Every person with an Internet connection at this company has to decide if they are taking care of the company before they click. It’s like playing Russian roulette, but instead of a six-shooter, you’re armed with a mouse.”
If a hacker infiltrates your network, that often means lost money, as shutting down your computers makes it a lot more difficult to do business.
“We have clicked on the wrong website before. We’ve experienced that sort of takeover,” McAfee said. “We got our IT guy in here and we literally had to rebuild our server because things had gotten so bad. It literally shut us down for a day. It’s a serious issue.”
As McAfee said, this is something that can happen to anyone. The best strategy for anyone is to be prepared and let employees know how important it is to be smart, and retain that companionship that Crumpton referred to as the “circle of trust.”
“Make it real. Make employees aware that these bad guys are actively going after small businesses because the big companies are well protected, and spend a lot of money and resources doing that,” Sjouwerman said. “Small businesses are the ones at risk.”
Publication date: 1/20/2014