Cybersecurity Risks in the Flooring Industry
Flooring businesses rely on technology, but if you’re like most, you don’t consider yourself a technology expert. You’ve read news headlines about cyberattacks and know cybersecurity is important. Beyond that, you may think, “We’re just a flooring company. Why would cybercriminals be interested in us?” Unfortunately, these bad actors are targeting the flooring industry — in part because they assume we aren’t focused on cybersecurity.
Here are five important cautions:
1. Monitor your website continuously
Many flooring businesses, particularly smaller ones, build their own websites — sometimes with the help of a contractor, friend, or family member. With user-friendly “drag-and-drop” platforms like Wix or WordPress, non-technical people can build an attractive web presence for a reasonable price. Once the site is live and functioning smoothly, business owners tend to move on to other activities and may not give the website much thought.
Unfortunately, ignoring a site can open the door for cybercrime. Take WordPress, for example, which powers over 40% of the world’s websites. Of this 40%, over a quarter (or 10% of websites globally) have not updated to the most current version of WordPress. Businesses running older versions do not have the latest security patches.
Further, WordPress relies on “plugins” to provide various functionality, such as e-commerce capabilities. A simple website may have 10, 20, or more plugins to facilitate email, contact forms, online payment, and so forth. Each of these plugins can serve as an entry point for a cybercriminal and requires regular updates.
The takeaway: Your website can become out-of-date and vulnerable quickly. Just as a car requires maintenance, so does your website. You need to “look under the hood” once a month or more often. In addition, you need a way to detect unexpected activity 24/7. If you’re not a techie, find an expert who can provide guidance.
2. Train your team to spot suspicious emails, texts, and calls
Several studies show human error contributes to more than 80% of cyberattacks. The Computing Technology Industry Association (CompTIA) puts the number over 90%. Common mistakes include clicking on a malicious link in a phishing email or falling prey to a social engineering attack. In the latter, a cybercriminal builds trust with the victim, then tricks them into sharing data or sending funds.
If “phishing” and “social engineering” aren’t familiar terms, that’s a sign your organization is particularly vulnerable to cybercrime. All employees need regular training on types of cyberattacks, warning signs to look for, and prevention protocols. Further, you want to establish rules for handling sensitive requests and large invoices.
For example, cybercriminals engage in invoice manipulation. You think you’re paying a legitimate invoice, and your funds instead go to a criminal’s bank account. Establishing procedures for verifying invoices can prevent this type of financial fraud.
Similarly, if an employee receives a request to change a supplier’s bank routing information, what is your procedure for confirming the request is authentic?
3. Implement cybersecurity best practices
Imagine leaving your showroom door wide open at night so anyone could walk off with your products or equipment. Many flooring businesses are doing the equivalent with their cybersecurity. Practices that put you at risk include:
● Using short, easy-to-guess passwords such as Carpet123
● Utilizing the same password for multiple websites
● Sharing passwords with employees, instead of having each person create a unique, secure password
● Failing to update software (some businesses skip updates because they don’t want to pay for the new version; however, the old version doesn’t have the latest security features)
● Allowing guests to connect to the same Wi-Fi network you utilize for running your business
● Avoiding two-factor or multi-factor authentication because “it’s a hassle”
These are just a few examples of poor cyber hygiene, and criminals are waiting to walk through these “doors” you leave open. To protect your business and customers, learn and implement cybersecurity best practices. And stay current — the cyber landscape is ever-shifting.
4. Safeguard your business and personal electronics
Top line: Do not leave any electronics unattended in your place of business or other public settings. Second, do not use any public charging stations or peripherals of unknown origin (such as charging blocks, cables, or USB memory sticks).
In less than a minute, a cybercriminal can extract data from an unattended laptop in your flooring showroom. Or, they might place a “Ninja cable” on your desk, where later, an innocent employee uses it and infects your network with malware.
At trade shows, avoid accepting (or giving out) flash drives, charging cables, and similar devices. If a memory stick arrives in the mail, treat it with extreme caution. If you’re not 100% sure you’re using a legitimate, known cable or memory stick, don’t risk it. If you feel a flash drive might contain important information, have an expert test it to verify it’s safe.
5. Recognize your responsibility for customer data
Flooring businesses often outsource payroll or other administrative activities involving personal information such as names, addresses, taxpayer ID numbers, and so forth. Even when you outsource to a trusted vendor, your business remains responsible for your customers’ and employees’ data.
Consider this example: Let’s say you own a Georgia-based flooring company that does extensive business in California. Your credit card processing vendor experiences a data breach. In California, the law “requires a business to notify any California resident whose unencrypted personal information was acquired, or reasonably believed to have been acquired, by an unauthorized person.”
Even though the cyberattack happened to a vendor’s system and not yours, your Georgia business may have an obligation to communicate the data breach to your California customers. If you learn of a vendor data breach involving your customers’ information, consult your legal counsel and cyber insurer for guidance.
The flooring industry can fight cybercrime together
Criminals target non-tech businesses, because they assume you don’t have strong procedures in place to protect your data. They view you as an easy target who is looking the other way. Let’s work together to prove them wrong. WFCA members can request a free cybersecurity assessment.
To learn more, contact seickhoff@risk-strategies.com
About the authors
Stacy T. Eickhoff, a risk management and insurance expert, has been advising the flooring industry and construction businesses for over 20 years.
Allen Blount leads the Cyber Team at Risk Strategies, where he guides businesses on navigating cyber risks such as ransomware attacks. Before his insurance career, he practiced law.