With nearly 90% of businesses opting for digital-first strategies, the playground for cybercriminals is only increasing.
In today’s cyber threat landscape, every organization, large or small, is at risk of an attack. Your business might not represent the biggest haul for cybercriminals, but increasingly, small and mid-sized businesses are the focus and often serve as a launch pad or conduit for bigger campaigns. Rightly or wrongly, smaller organizations are often seen as a soft target with less ability to manage and respond to threats.
And, much as in the physical world, by the time you realize how attractive your organization is to cybercriminals, it is often too late; usually after or during an attack. Recovering from a cyberattack can be difficult and costly, if not impossible, for small businesses. Our research (Cisco 2018 Security Capability Benchmark Study) indicates that more than half (54%) of all cyberattacks result in financial damages of more than $500,000 including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs. That is enough to put an unprepared small business out of operation – permanently.
A recent study by the Better Business Bureau (BBB) helps to underscore how small and mid-sized businesses can struggle financially to survive following a severe cyberattack. The BBB asked small business owners in North America how long their businesses could remain profitable if they permanently lost access to essential data, and only about one-third (35%) said that they could remain profitable for more than three months. More than half reported that they would be unprofitable in under one month.
There is no silver bullet to making sure your business does not fall foul of determined criminals, but there are things that you can do. Make sure you have processes in place and technology to help secure your business, but most importantly, know your stuff. Educate yourself on what the threats are and what you can do about them. After all, cybersecurity is everyone’s responsibility – especially when you work for a small business and wear many hats.
What is it? Cybercriminals can contact you through email, telephone or text message, pretending to be someone they’re not (i.e., part of a legitimate company). Their aim is to lure you into providing sensitive data such as personal data, banking and credit card details, and passwords. The information is then used to access important accounts and can result in identity theft and financial loss.
Watch out for: A sense of urgency—i.e., you have to act now to take advantage of something or prevent something. An overly generous offer, or an email or attachment you weren’t expecting or that comes from someone you don’t know.
What to do: Hover over links before you click on them. If it looks suspicious, it probably is! Run simulation exercises to assess how your employees react to a staged phishing attack, and then educate them.
Email spoofing for a wire transfer
What is it? Email spoofing is the forgery of an email header so that the message appears to have originated from someone or somewhere other than the actual source. The sender may pose as someone you know, whose email you would normally open or act on (in this case, by making a wire transfer).
Research is key. The scammer can look at your website, get your name as the owner/financial director, go onto LinkedIn and find your connections and find the name of your trusted employee who does your accounts. They can find out various facts about you and your business and what you do.
They then craft an email in your tone, addressed to your employee, asking for a wire transfer to be sent to an important customer. This may well be nothing out of the ordinary.
The thing about this scam is its simplicity. It doesn’t require access to your system, so there’s no need to hack past firewalls or guess passwords. It just uses knowledge, freely available online, about you and your company, and the hope that whoever gets the email gives it no more than a cursory glance, sees the boss’s name, and goes straight into autopilot.
What to do: Check the sender’s address. Is there a slight misspelling? Put a policy in place—always verify wire transfers with a phone call (don’t just email back—the scammer can do that too!). You will want to filter any messages that have an envelope sender (Mail-From) and “friendly from” (From) header that contain one of your own incoming domains in the email address.
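The filter described above, together with the "slight misspelling" check, as an added example that is not part of the original article. It assumes the check runs at the mail gateway on messages arriving from the internet, flags either field rather than requiring both, and uses a placeholder domain (example-smb.test); the function names are hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains you receive mail for (placeholder value).
OWN_DOMAINS = {"example-smb.test"}

def domain_of(address):
    """Lower-cased domain of an address or header value, '' if absent."""
    addr = parseaddr(address)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def edit_distance(a, b):
    """Levenshtein distance, used to spot slight misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_inbound(envelope_from, raw_message, own_domains=OWN_DOMAINS):
    """Return (field, domain, reason) findings for a message from outside."""
    msg = message_from_string(raw_message)
    fields = (("Mail-From", envelope_from), ("From", msg.get("From", "")))
    findings = []
    for field, value in fields:
        dom = domain_of(value)
        if not dom:
            continue  # e.g. null envelope sender "<>" on bounces
        if dom in own_domains:
            findings.append((field, dom, "own-domain"))
        elif any(edit_distance(dom, own) <= 2 for own in own_domains):
            findings.append((field, dom, "lookalike"))
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Pat Owner <pat@example-smb.test>\n"
           "Subject: Wire transfer today\n\nPlease send the payment now.\n")
LOOKALIKE = SPOOFED.replace("example-smb.test", "examp1e-smb.test")
SUPPLIER = SPOOFED.replace("pat@example-smb.test", "billing@supplier.test")

if __name__ == "__main__":
    print(check_inbound("pat@example-smb.test", SPOOFED))
    print(check_inbound("bounce@mail-relay.invalid", LOOKALIKE))
    print(check_inbound("billing@supplier.test", SUPPLIER))
```

The own-domain match is exact, so any subdomains you receive mail for need to be listed in OWN_DOMAINS as well.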
Ransomware—locking down your files for a release fee
What is it? A ransomware attack encrypts a victim’s data until the attacker is paid a predetermined ransom. Typically, the attacker demands payment in a form of cryptocurrency such as bitcoin. Only then will the attacker send a decryption key to release the victim’s data.
This is usually done through email, where the user clicks on a link or opens a malicious attachment. It’s also done through malvertising, which is an online advert placed by cybercriminals. The trouble is, these adverts do show up on legitimate websites—it’s the ad (normally a banner or pop-up) that’s the problem, not the website. The cybercriminals have gone through the normal ad bidding process in order to appear and have hidden their malicious code from the website owners. The ad then takes you to a new website, which can contain malicious code that starts to attack your system, or locks your files and issues you a ransomware note.
What to do: Patch, patch, patch. Patching commonly exploited third-party software will foil many attacks. Keep your browser up to date. More and more ransomware attacks target the network. Limit the resources that an attacker can access. By dynamically controlling access at all times, you help ensure that your entire network is not compromised in a single attack.
Never, ever, pay the ransom. There’s no guarantee you’ll get your data back, and you’re only fuelling the cybercriminals for more attacks. Back up regularly. You can afford to lose the files if you have a decent backup system in place.
Supply chain attacks
What is it? An emerging and growing threat, which shows how skilled cybercriminals have become. Supply chain attacks are an advanced persistent threat, which can compromise the software update mechanisms of otherwise legitimate software packages. That then allows them to piggy-back on the distribution of legitimate software. Crucially, the cybercriminal will target a business in the supply chain with weak cybersecurity practices—especially when it comes to sharing information. This is why SMBs often get targeted.
Once they’ve identified the weak link, the attacker can then focus on the exploitation of the ultimate, intended target.
What to do: If you have a place in a supply chain, ask your vendors/partners how they secure their supply chains. Ask them about their development practices and their internal security controls. How do they roll out patches and updates to their internal systems, and how often? How do they segment and secure their development, QA, and production environments? How do they vet their partners and vendors?
And be sure to ask all of these questions of your own organization, or you could find that it’s your organization that is the weakest link in the supply chain.
Using a mobile device off the corporate network
What is it? You could probably run a good chunk of your business from your mobile device. But what happens when you step outside the perimeter of your corporate firewall and log onto open Wi-Fi—say in a coffee shop? The issue is, on most public Wi-Fi networks, information sent to and from a mobile device is unencrypted. Anyone with a laptop and easily obtained sniffer software can access all the data moving over the wireless network.
Users may also connect to rogue Wi-Fi access points that can monitor the content of all transmissions. Neither is a huge problem for people streaming a movie from Netflix, but it certainly can be if they are doing business research or moving sensitive documents. Any unpatched vulnerabilities or other security holes can also be exploited by others on the same local network.
What to do: Choose a public network that uses a password, indicating that encryption is in use. A VPN connection will help, but when most employees are using cloud services to get their work done, consider a Secure Internet Gateway to stop threats at the DNS layer. Use secure websites (https). Keep security software up to date.
Disable sharing. Users’ Wi-Fi-enabled devices might be set automatically to allow sharing with or connecting to other devices. In a public network that means connecting to an unknown and risky device.
Don’t leave your laptop unattended. No matter how safe you feel in your local coffee shop, never leave your laptop unsupervised and don’t stay logged in to any site you’re not actively using. Likewise, always remember to log off if you’re using a shared computer, such as at a hotel business center.