Equipment and event rental business owners, consider this: According to data contained in a 2023 report by Small Business Trends, nearly 43 percent of cyberattacks are targeted at small and medium-size businesses (SMBs).
Among other alarming revelations, that same report revealed that SMBs spend, on average, between $826 and $653,587 on cybersecurity incidents and it cited data showing that 95 percent of cybersecurity breaches are attributed to human error.
To learn more about the latest cyberthreats faced by equipment and event rental operators and potential countermeasures, Rental Management spoke with Emmett Long, CIC, rental risk adviser, Jowers-Sklar Insurance Agency, Rome, Ga., and an ARA Insurance preferred agent, who has helped many of his insureds navigate through losses perpetuated by cybercriminals.
Rental Management: What types of cyberfraud schemes are most common among your equipment and event rental insureds? Emmett Long: One is ransomware. An example of this would be if a store has its computer system essentially locked down with the thief saying, “Give us $10,000 or your data is gone.” I’ve seen ransomware cases work out well for stores when they had good backup data and were able to pretty quickly, with the help of an IT person, get their systems back up and running. I’ve also seen it where they had essentially no backups and were really unprepared. Not having data backups basically reduced them to having to do everything by hand with paper and pencil for a couple of weeks until they could get their systems back and running. It was very hard on the business.
The other thing we’re seeing more and more of are phishing attacks — targeted attacks where someone gets an email that appears to be from a trusted source, like a vendor or somebody who they had done business with, but it turns out the communication is not from that trusted source at all. It often comes in the form of an email with instructions to change the address where you send [remittance] payments to and that kind of thing. It’s common in these phishing emails for one letter to be off in the sender’s name or email address. You can get an email that you think is from someone you know and just keep on reading. We have seen some very large losses — some in six figures — with those.
Rental Management: Between ransomware and phishing scams, what would you say is more common today? Long: A year ago I would have told you ransomware, and I still see some of that, but I think since more and more stores have gone to SaaS (Software as a Service) for their software I don’t see that quite as much. Phishing has definitely become more of a recent thing.
Rental Management: What kind of systems do you recommend a business put into place to best safeguard against these threats? Long: The businesses that are better prepared have a firewall, they have regular backups being done at least every day so that they can put [any ransomed] data back, or they’re using a rental software that is a SaaS so that their data is actually held by the software company — it’s automatically backed up. There are still some operators that are using really old software that isn’t regularly backed up and just don’t have the protections in place to prevent somebody, if they do get in, from really wreaking havoc.
Rental Management: Aside from the kind that is built into rental software, are there other types of SaaS out there that rental operators can take advantage of? Long: There are resources from Google Cloud to Amazon. It just depends on your level of sophistication and comfort in doing that type of backup. But for the average rental business, I think SaaS is probably the quickest and easiest solution — to let somebody else handle that security side of it.
Rental Management: What can businesses do on the personnel side to manage cybertheft risk? Long: Having systems updated is important but when there is an issue, it’s most likely a human error. Maybe somebody clicked on a link they shouldn’t have. Maybe your staff member doesn’t verify it when they get an email that says, “Our address for submitting funds has changed” or, “Our routing account number has changed; please change your ACH to this new number.”
Staff should be educated that if there is something that is out of the ordinary, take a look at it a little bit closer before you click on a link. Read links, sender email addresses and other content in the message to make sure that things are spelled correctly. If somebody is asking you to change banking information, make a phone call to your trusted contact there to ask, “Hey, is this legit?” before you take action.
One of the things that I have started asking people is, “What is the largest amount of money that you would typically send to a vendor and how do you send that?” If people are telling me that they are regularly sending payments of $100,000 or more — which is not a lot of equipment — then I think it’s worthwhile to have the conversation about what kind of procedures they have in place: Do you wire this money? Do you ACH it? Do you just drop a check in the mail? Who sets up payables for you? Who has authorization to change information on payables?
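The sender-address check Long describes (one letter off in the vendor's name or address, combined with a request to change where payments go) can be turned into a first-pass screen that accounts-payable staff run before acting on a message. The following is an added example, not code from the Rental Management article or from Long or ARA; the vendor domain allowlist, sender addresses and message bodies are constructed for illustration, and the function names are the example's own.

```python
import re

# Constructed allowlist of vendor domains this business actually pays.
# In practice this would be loaded from the payables system.
KNOWN_VENDOR_DOMAINS = {"acmerentals.com", "northstarequipment.com"}

# Whole-word phrases that typically appear in requests to redirect payments.
# Word boundaries avoid matching "ach" inside words like "attached".
BANKING_CHANGE_PATTERN = re.compile(
    r"\b(ach|routing|wire|remittance|bank account|bank details|submitting funds)\b",
    re.IGNORECASE,
)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or 'user@domain', lower-cased."""
    return address.strip().rsplit("@", 1)[-1].rstrip("> ").lower()


def assess_email(sender: str, body: str,
                 known_domains=KNOWN_VENDOR_DOMAINS, max_distance: int = 2) -> dict:
    """Flag a sender domain that is a near-miss of a known vendor and/or a
    request to change banking details, and say what the recipient should do."""
    domain = sender_domain(sender)
    closest, distance = None, None
    if domain not in known_domains:
        # A domain that is a few edits away from a real vendor is the
        # "one letter off" pattern; an unrelated domain is not a lookalike.
        for known in sorted(known_domains):
            d = edit_distance(domain, known)
            if d <= max_distance and (distance is None or d < distance):
                closest, distance = known, d
    banking_change = BANKING_CHANGE_PATTERN.search(body) is not None

    if closest is not None and banking_change:
        action = "hold_and_call"      # do not change payables; phone a known contact
    elif banking_change:
        action = "call_to_verify"     # genuine domain, but still confirm by phone
    elif closest is not None:
        action = "review_sender"      # lookalike domain with no payment request yet
    else:
        action = "ok"
    return {"domain": domain, "lookalike_of": closest, "distance": distance,
            "banking_change": banking_change, "action": action}


if __name__ == "__main__":
    # Constructed sample messages; the second uses a capital I in place of l.
    samples = [
        ("AP <ap@acmerentals.com>",
         "Attached is invoice 4471 for the scissor lift rental."),
        ("ap@acmerentaIs.com",
         "Our routing account number has changed; please change your ACH to this new number."),
        ("billing@northstar-equipment.com",
         "Please update the remittance address on file for future invoices."),
    ]
    for sender, body in samples:
        print(sender, "->", assess_email(sender, body))
```

The check is deliberately a screen, not a verdict: a genuine vendor can legitimately change banks, so any banking-change request still ends in a phone call to a number already on file, never to one in the email.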
Rental Management: Do you think more companies adopting SaaS in their operations will mitigate some of the loss due to human error? Long: Yes, but one thing I haven’t seen be an issue yet, but I can foresee becoming an issue especially as people are moving more and more to SaaS-type products, is that you have to take precautions when an employee who had access to financial matters leaves the business. If you have a team member who leaves, make sure that all their login credentials get locked out so they can no longer access anything. This can also help prevent somebody else who is still with the organization from accessing any systems under the former employee’s username/password.
Rental Management: Who do you recommend a business contact immediately after the discovery of a breach? Long: If something happens, time is of the essence. Every hour is critical to potentially getting your data or money back or not. Your first call should be to your IT person, whether that is internal or external IT support. Second, depending on what has happened, should be either to the police or your software provider. And then definitely your insurance agent somewhere closely thereafter.