Cyber preparedness

Training, awareness can go a long way in avoiding phishing, malware attacks

Cyberattacks are on the rise across the globe. In 2024, the number of cyberattacks jumped by 75% during the third fiscal quarter, with thousands of attacks targeting multiple industries each week. Those numbers are only expected to increase, affecting businesses, governments and individuals alike, including here in the Region.

Michael Tu, professor of computer information technology and director of The Center for Cybersecurity at Purdue University Northwest, said basic awareness of cyber threats is necessary for small business owners.

“Always be cautious,” he said. “The internet and cyber world is dangerous, even though it brings us a lot of entertainment or helps with our productivity.”

Cyberattacks are projected to cost the global economy $10.5 trillion in damages this year. That number is expected to nearly double to $20 trillion in 2026. In the United States, cybercrimes cost Americans an estimated $16.6 billion last year, a 33% increase over 2023, according to the FBI. The cost of cybercrimes in Indiana was more than $160 million in 2024. Last year, 43% of cyberattacks in Indiana targeted small businesses, and that number is only expected to increase over the next several years as reliance on technology continues to rise.

The most targeted industries are typically health care and telecommunications.

In December 2024, the telecommunications industry was significantly impacted by the Salt Typhoon cyberattack, part of a massive espionage campaign against eight U.S. communications companies, including Verizon, AT&T, T-Mobile and Spectrum. Hackers sponsored by the People’s Republic of China were able to steal sensitive communications data, including audio recordings of telephone calls made by high-profile government officials.

“This was a major assault on our infrastructure, and we’re not even sure if we know all of the ramifications yet,” said Robert Johnson III, president and chief executive officer of Merrillville-based Cimcor Inc.

He also said incidents such as Salt Typhoon are not an anomaly. These kinds of threats occur regularly, and people must take steps to secure and prevent the loss of data.

There are numerous types of cyber threats, including phishing scams and ransomware. In phishing scams, criminals pose as someone to deceive individuals into revealing sensitive information, such as login credentials or financial information. Ransomware, which is a type of malware, blocks individuals from accessing the data in their computers. Criminals demand a ransom payment in exchange for unlocking that data.

Cyber criminals are not only attacking Indiana businesses; municipal governments are also being targeted. In January, State Treasurer Daniel Elliott highlighted multiple cyberattacks on local governments, including a ransomware attack that shut down municipal services for a week and a phishing scam that disrupted water and waste services in a rural county.

“These violations pose risks for Indiana’s local governments, particularly those with limited budgets, as they work to protect sensitive data from sophisticated cyber threats,” Elliott wrote on the state’s Cyber Hub Blog.

It’s not necessary to be an expert in the different types of cyberattacks that impact millions of people each day, Tu said. But it’s important to be aware of the threats and take steps to mitigate them.

“It’s always good to take awareness training to protect yourself,” he said. “These are very basic things. You don’t have to have a lot of knowledge, but you need to protect yourself.”

Protect data

The threat landscape in cybersecurity is constantly changing, with new vulnerabilities emerging as quickly as old ones are mitigated, Johnson said. It’s imperative for companies of any size, from mom-and-pop operations to Fortune 500 businesses, to protect their data. Citing a 2024 IBM report, Johnson said the average amount of time before a business realizes its security has been breached is 194 days.

“That’s really concerning. If you don’t realize you’ve been breached, hackers have 194 days to exfiltrate your data, add backdoors to your system and do all kinds of malicious things,” Johnson said.

For small businesses, Johnson said, ransomware and phishing scams are probably the biggest threats they face. The starting point for protection is typically email.

“It’s critically important to understand,” he said. “You have to do basic triage and make sure you’re not clicking on links, and if you do, you have to know it’s from a trusted source. That basic advice is so critical.”

Chris Kotul, general manager of Valparaiso-based Trust Tech LLC, agreed. He cited the old adage of “trust but verify” when it comes to emails. (When contacted for this article, Kotul confirmed with an editor before responding to emails.)

He noted that mistakes often happen because people, lacking training in cyber awareness, don’t perform their due diligence.

“The threat landscape is bigger than it used to be, and you have to train users on what to look for, what not to click, how to react to phone calls and emails,” Kotul said. “End users have to be trained, not just once a year, but consistently trained.”

Trust Tech, an IT company that works with small- to medium-sized businesses, typically sends out test phishing emails to its clients. If users click on the link, they will receive additional training. Conducting such tests repeatedly and consistently familiarizes people with what a bad email looks like, he said.

Faith Spencer, an enterprise technology consultant and CEO of IronWorkz Co. in Gary, also stresses the importance of realizing that cyber threats are a serious concern for small business owners.

“We need to get small businesses to recognize the threat. Just because they’re small doesn’t mean anything, and they need to be ready,” Spencer said. “You have to train people who are working for you to identify phishing emails. When you receive emails, don’t be reactive, be proactive. You need to check for spelling errors, hover over the links to see where they actually (go), determine if the (email) subject line matches the content of the email.”

Artificial intelligence dangers

Artificial intelligence programs, such as ChatGPT, Microsoft Copilot, Claude and DALL-E, are tools commonly used across the world. However, they’re also being used by bad actors, Johnson said.

“Now someone who didn’t have the skillset to develop malware can do it cheaper and easier with AI,” he said.

The use of AI has increased the power of hackers, Tu said. Using these tools, they are able to gain more information about an individual or employees at a business.

Kotul shared concerns about the impact AI is having on cyberattacks. Not only can tools like ChatGPT be used for research, but AI can also be used to create “deep fake” images or to mimic someone’s voice. These are all methods that bad actors employ to gain access to valuable data.

Kotul noted that it only takes a recording of a few spoken words for computer programs to replicate them and provide hackers and other bad actors with a new weapon that can be used to fool unsuspecting individuals.

“Information is the key,” Tu said. “You have to be cautious and protect your sensitive information.”

Preventative measures

Benjamin Franklin’s advice that “an ounce of prevention is worth a pound of cure” rings true when it comes to protecting against cyber criminals. Johnson, Spencer, Kotul and Tu all echoed the importance of taking simple steps to ensure your data is as protected as can be, even if you’re unable to afford the services of IT specialists.

“The key is the user,” Tu said. “The user needs to be trained to be aware of what’s dangerous. If you’re not aware, it could damage your organization.”

Johnson recommends what he calls the 3-2-1 method of protection — three different backups on two types of media with one stored offsite.

“People don’t recognize the importance of backing up data until you need it,” Spencer added, noting the importance of being able to retrieve it in case of an emergency. “You can lose data locally, but if you’ve got it stored, you can retrieve it.”

Kotul shared the story of a small business owner client who risked her life to try to save her company’s server during a fire. The system was severely damaged, and she wondered if any of the data was retrievable. However, shortly before the fire, she allowed Trust Tech to back up her data to the cloud, servers that are accessed over the internet. Within 15 minutes, Kotul said her business’ system was up and running as if the onsite servers had never been damaged.

“She had all of her life in that building,” Kotul said. “Knowing that we can give her that peace of mind to know that her data is safe in the cloud was rewarding.”

In addition to backing up data and ensuring employees are trained on proper email safety etiquette, experts said there are other simple measures people can take, such as strong passwords that contain a mixture of capital letters, numerals and special characters, as well as two-factor authentication.

Spencer also noted that updating computer operating systems to the latest version is important because newer versions address known vulnerabilities that hackers can exploit.

Other measures include having an insurance policy specifically for cyberattacks and using a VPN, a virtual private network that creates a secure, encrypted tunnel for internet traffic.

Despite these recommendations, Johnson said it’s important to be realistic.

“People need to be prepared,” he said. “Make sure you have the right controls in place so in case something happens, you can still do business.

“There is nothing that anyone can say that is golden advice to risk every threat out there. We want to reduce it by being careful about your email, but in the end, something is going to fail.”

Cybersecurity resources

Across Indiana, there is a wealth of cybersecurity resources available to small business owners and entrepreneurs, such as Indiana Cybertrack and Purdue University’s cyberTAP, which assists organizations in assessing their information security risk.

The Indiana Small Business Development Center partnered with the Global Cyber Alliance to provide the GCA Cybersecurity Toolkit, a free-to-download kit that helps business owners select a variety of tools that can help protect their valuable data.

In the fall, Valparaiso University will offer a certification for students interested in cybersecurity. The cybersecurity specialization graduate certificate will be offered through the computing and information sciences department. The program “equips students with technical expertise to address modern cybersecurity challenges and opportunities,” according to the university.

Spencer also notes that companies like Google offer cybersecurity certificates, and LinkedIn Learning operates basic cyber protection programs. Tu said there are several YouTube channels that also provide useful cybersecurity tips.

With a workforce shortage crisis in cybersecurity, Tu said, this field provides excellent career opportunities. He said the pay is exceptional and noted job security because “it can be difficult to outsource the jobs due to the sensitivity of the data.”

“If you’re a small business, you can always work with universities and colleges like us, who can provide low-cost and no-cost services to help them secure their business,” Tu said. “We cannot guarantee we can provide help to everyone, but we’re a good resource.”


Author

  • Alex Keown
    Alex Keown is a Chicago-based professional reporter and editor with more than 20 years of experience writing for newspapers, online business news sites, journals and magazines. His work has been featured in multiple publications, including The Chicago Tribune, BioSpace, BioBuzz, Patch.com, The Naperville Sun, My Suburban Life, The Wilson (Daily) Times, Fur World Magazine, Clef Notes Journal and more.