'Critical vulnerability': Smaller firms may find it harder to stop hackers from exploiting Log4j flaw
The computer vulnerability detected in a utility called Log4j is catnip for cybercriminals and digital spies because it allows easy, password-free entry.
If you’re in the package shipping business, fretting about a dangerous new computer software glitch is about the last thing you want during the critical holiday rush.
That’s why MyUS.com, a 400-employee company based in Sarasota, Florida, didn’t wait to contact cybersecurity specialists when the threat of the Log4j vulnerability arose over the past week.
“We immediately hired a third-party company to perform a security audit of our systems specifically for the Log4j exploit. We felt that they would do a more thorough audit than we could internally,” said Corey Stone, MyUS.com's vice president of technology.
It paid off: all was fine.
Around the nation, it’s not just giant banks, manufacturers and corporations scrambling to fix vital systems laid bare by the Log4j problem, which has thrown the internet into a tizzy. It’s also small and midsize businesses like MyUS.com.
The security issue arises from a commonly used utility with the decidedly cyber-worldly name of Log4j.
It just became widely known that the utility has a barndoor-sized weakness that could allow hackers to swoop in and take control of programs that businesses need to function. If nothing is done, ransomware extortionists could lock corporations, government agencies, hospitals — and small businesses — out of their systems and paralyze them unless they pay up.
The 'critical vulnerability' in Log4j
Since the revelation, big companies have been able to employ armies of in-house IT troubleshooters to ferret out every vulnerability they can find and patch them with new software coding. Some Java-based programs are considered especially vulnerable.
But small businesses either have to try to bring in outside help or figure out how to install the patches themselves — then hope for the best. The race is on to slam the door on hackers and ransomware artists before they can exploit the weaknesses to pull off crimes.
“All indications are that this critical vulnerability is both widely spread and being actively exploited by a range of sophisticated, opportunistic nation-state threat actors,” said Chris Roberti, senior vice president for cyber, intelligence, and supply chain security policy at the U.S. Chamber of Commerce in a statement to Paste BN. “As a result, all organizations – both large and small – must act immediately to patch their systems and identify any internet-facing devices that have Log4j installed.”
Help is out there
Industry associations are doing their best to assist. Roberti said the chamber is sharing information about the issue with its members and urging them to maintain strong cyber security programs.
The American Hospital Association posted a link to the Cybersecurity and Infrastructure Security Agency’s web page on the issue for the benefit of its members.
Companies need to patch any vulnerability on their multiple systems, and they have to try to make sure they don’t miss any. Then, they can only sit back and wait to see if criminals probed their systems before they could make the fixes. If they were breached, businesses are likely to see ransomware attacks, which experts say could come within weeks.
The extortionists may skip over smaller and midsize businesses initially as they focus on the big pockets of large businesses, experts say.
“I think it’ll be a while before the full effects filter down to the very small business,” said Andrea Manning, CEO of cyber security firm CyberPie. “But as we see more ransomware attacks on the larger organizations, this has a knock-on effect.”
What small businesses can do about Log4j
She said, however, small businesses are more vulnerable because they lack the elaborate security resources of the big ones. To protect themselves the best they can, she said they should focus on the basics, like being quick to update software and regularly backing up data.
MyUS.com, however, was fortunate to have professionals that could immediately address the problem.
“They gave us a 24-hour turnaround,” said Nabetsi Torres, vice president of product and marketing.
For a company in a busy time of year and one that doesn’t use Java, closing the vulnerability allows it to focus on what it does best: move millions of packages a year.
“Definitely a big relief — something we don’t have to worry about this time of year,” Torres said.