At Liberty Rent Guarantee, a Fairhope, Alabama-based company that acts as a guarantor for people signing apartment leases, a handful of employees recently received emails from customers. The gist of each was the same: The customer wanted to correct something on an application, and by opening an attached document the employee would see the section they were referring to.
It's a classic tactic used in phishing scams--hackers send an email that looks like it's coming from a co-worker, client, or other correspondent. Once the employee clicks to open the attachment, a virus or trojan can attack. The employee doesn't even realize what has happened.
In this case, the emails weren't from hackers--they were from a hired cybersecurity firm. Liberty Rent founder and CEO Bubba Grimsley had paid the company to probe its network for vulnerabilities, a practice known as penetration testing. In a climate where data breaches are an always-looming (and potentially devastating) threat to small businesses, it's an appealing prevention method. In a November Inc. survey, 21 percent of high-ranking executives from Inc. 5000 companies said they have hired an external team to break into their own systems as a security measure. Of those who did, 87 percent found it worthwhile.
The faux phishing emails was just one of many steps the security firm, called Abacode, took to find potential holes in Liberty Rent's system. And while Grimsley is proud to reveal that none of his employees fell for the spoof email--which he credits to training by the IT department--the company was told it should make some updates to its network, including changing the way it was configured on the Amazon Web Services cloud.
In all, the cybersecurity firm's services cost Liberty Rent, which had $2.2 million in revenue in 2018, about $14,000. Grimsley says he found the expense to be well worth it. Security is important for all companies, of course, but especially for one like Liberty Rent, which has its customers' financial data and credit histories. "When Target got hacked, that was a huge deal," he says, "and all the hackers got was a customer name and one credit card number."
Rick Lund, founder of Fort Lauderdale, Florida-based SRT Group, which creates technology for the wireless communication industry and had $57.2 million revenue in 2018, says his company frequently detects hackers attempting to probe its network for vulnerabilities. The idea that computer-savvy experts with bad intentions lurk just beyond the company's firewalls scares him. "Everybody talks about what keeps you up at night," he says. "For me, the thing I worry about at 3 a.m. is being the target of a cyberattack."
Lund decided to hire a firm to check for security weaknesses back in 2011. While his company often performed tests itself, he wanted to bring in a team with an outsider's perspective. "Your love and affection for the company can get in the way when you're looking at your own company," he says. "We wanted to get some opinions from people that didn't have any equity."
While the security firm didn't find anything major, it did point out some vulnerabilities that SR Technologies soon addressed. The company has since added layers to its infrastructure to contain an attack or outage in one area of the network so that it can't spread to others. It hasn't hired an external firm since then but it does continue to perform its own penetration tests.
Chris Carter, founder and CEO of Milwaukee-based enterprise software company Approyo, hires a cybersecurity team to perform penetration testing at a cost of between $15,000 and $20,000 every two years. His business, which generated $4 million in revenue in 2018, alternates between two different companies, with the idea being that fresh eyes and different approaches might improve their chances of finding issues.
"I don't want to have to send a letter to all of my customers and their end users saying, 'We've been hacked and this is why,' " he says. "It's better to be proactive than reactive."
Of course, hiring an outside cybersecurity team doesn't guarantee your company will become impervious to attacks--hackers are constantly finding new ways to break in. And businesses should do their research about which firms to trust and make sure they're priced fairly.
But in the end, many CEOs think it's a practice that helps keep their data--and their customers' data--secure.
"We hire outside accounting firms, we hire outside engineering firms to do peer reviews," Carter says. "Why wouldn't we do this with our network? It just makes sense."