By Murray Goldschmidt
NO BUSINESS is safe when it comes to cyber-attacks, and this is what small businesses fail to realise.
Most attacks are focused on a positive monetary outcome for the cyber-attacker. Often the secondary target within a business is the personal information of individuals (customers, partners, suppliers and acquaintances that are usually kept in mail systems) as this data is used to identify the attackers’ next set of potential victims.
Unfortunately, the size of the target is often irrelevant. Cyber-attacks are an asymmetric threat. This means that the cost to develop or execute the attack can be very small but the impact resulting from an attack can be extraordinarily high – including monetary losses.
Many, if not most, small businesses have not taken the time to consider the risk of a cyber breach, nor its impact on their business. Many are of the mind that it won’t happen to them and are under the impression that attacks only target large enterprises.
In fact, the opposite is usually true, with larger businesses implementing more security controls to protect their IT systems and data repositories. As a result, today’s attacker finds it easier to target smaller organisations with less robust security in place.
Some of the top digital dangers facing small business start with a technique colloquially called ‘phishing’ in cyber-speak.
A phishing attack uses an email, instant message, text message or even a phone call requesting the user to take an action, usually to click a button – which starts the download of malware – or to trick the user into sharing passwords and other user details.
When it comes to phishing attacks, there are many different techniques that the attacker might use. These include ‘spear phishing’, a more targeted attack on a specific individual with a specific objective.
A ‘whaling’ attack often targets C-level executives (or business owners) and these types of attacks can often be hard to identify – as the attacker has customised them to appeal to a specific individual.
With the increase in phishing attacks, the question then is: how can you identify such an attack?
Many emails may appear to come from a reliable address with all the details of a known associate which makes it difficult to differentiate between a phishing email and a normal one.
Luckily there are often tell-tale signs to help identify a phishing email.
Always look out for an email with a generic greeting as well as one requesting personal information. If an email is coming unexpectedly from a known associate, it should be treated as suspicious until validated as genuine.
Tip – Don’t open attachments or click links received via email or social media from unknown individuals or ones requesting you to update or verify your details.
Phishing attacks may lead to the accidental downloading of malware – malicious software written with the intent to do harm to data, devices or people.
Attackers use malware to perform their actions – including by remote control – and to monetise the attack.
Examples include searching for and stealing confidential information such as usernames and passwords, internet banking credentials or installing further programs without your knowledge to extend their attack.
One particularly nasty form of malware is ransomware that takes over your computer, encrypts your data and then demands a ransom in order to release access to the computer and the data.
Tip - Update your security software, change passwords and back up data regularly. Store your backups offsite and offline. Ensure you have the ability to recover by testing re-installation from backup.
CONNECTING TO E-MAIL
Phishing may also pass users’ details, passwords and other data to the attacker. A very common attack that uses these details allows the attacker to remotely connect to the e-mail system of a business.
Once connected, the attacker reads incoming and outgoing emails. When they see one that relates to the paying of funds, they immediately send another email to the recipient explaining that a mistake had been made, along with a request to send the funds to an alternate bank account, which the attacker then empties at their leisure.
Cybercrime can create issues for a small business such as damage to its reputation, loss of assets and the expense of fixing the damage caused.
These attacks could mean the difference between turning a profit and going under.
Tip – Keep your computer patched and up-to-date including with the latest anti-virus and anti-spyware software.
BEST DEFENCE: COMMON SENSE
The good news is that these and other attacks can often be thwarted through the implementation of common sense processes, appropriately configured IT systems and a small number of security controls (all of which improve your security posture).
For instance – it may be hard to avoid being infected by ransomware – but simple to offset the risk to your business.
Ensure that you keep regular backups of your key data, with at least one up-to-date backup that is not connected to the environment and is preferably off-site. Test the restore process from time to time and make sure that it still works.
Hijacking of mail accounts can often be offset by deploying multi-factor (two-factor) authentication for all users; it is free these days through most cloud email offerings. Well-configured, patched systems are also important when defending against cyber-attacks.
Moving on from an attack and building up resilience for the organisation is a very important aspect for any small business to undertake.
An important element of this process is to develop a security-centric culture. Implementing a security awareness program within your organisation could be the difference between suffering a successful attack and avoiding one that would have resulted in data loss.
Train your staff to understand the potential threats to your business and industry, and how to keep data safe. Human error is the most common factor that leads to a successful attack.
Tip - Use safe behaviour online and always stay informed and updated on the latest threats.
In today’s world, it’s not a case of ‘if’ your business will be hit, but more a case of ‘when’. By keeping your organisation prepared, allocating resources and funds to training your staff, and implementing policies and procedures, you will be on the right path with your cyber security.
Warding off cyber threats does require an investment of time and budget, but the impact to your business will be far less than dealing with the effects of a breach.
Murray Goldschmidt is the chief operating officer of Sense of Security.