Cybersecurity: practical advice for SMBs
It would be fair to say that 2016 was a banner year for computer breaches. From hospitals that opted to pay the ransom when hackers held their data hostage, to political hacking that is still causing a firestorm, to a billion email users whose data was compromised, it is clear that computer systems remain vulnerable and that bad actors are often one step ahead of the people trying to protect those systems.
Although breaches in large organizations have been more highly publicized, almost 75 percent of data breaches occur in companies with fewer than 100 employees. Small and medium businesses (SMBs) are more vulnerable because they are less likely to have the resources to prevent or respond to attacks. They are also more likely to suffer severe consequences—for a small company, a data loss or financial loss might force it out of business.
The typical image of a cyberattack is of an intrusion by an outside agent, and those attacks are in fact on the increase. During the first quarter of 2016, distributed denial of service (DDoS) attacks more than doubled compared to the same quarter in 2015, according to “The Balance of Security and Performance,” a report published by Akamai. However, 55 percent of companies experienced a security incident or data breach because of a malicious or negligent employee, according to “Managing Insider Risk through Training and Culture,” a report put out by Ponemon Institute and Experian.
Despite the prevalence of cyberattacks designed to exploit humans, fewer than half of employees get any training in cybersecurity. Typical methods of exploiting human vulnerabilities are phishing (attacks delivered through email messages), spear-phishing (personalized, detailed email attacks aimed at specific people), vishing (using voice contact by phone to initiate a fraudulent transaction, also known as voice phishing), SMShing (phishing through SMS or text messages) and impersonation (fraudulent activity carried out at an organization’s physical site). Those approaches usually involve gaining trust, either right away or over time, and then introducing some type of deception.
Where to start
Many companies don’t take steps to prevent cyberattacks until they have lost money or data, according to Joe Stewart, a threat researcher with SecureWorks. “The best place to start is to set up policies and procedures, especially for people who are making online payments,” he says. SecureWorks offers a counter threat platform for cybersecurity risk management, threat protection and other cybersecurity-related functions, as well as advisory services.
One of the more recent scams involves diverting electronic payments. Hackers intercept legitimate email and take over the conversation, providing a different bank account from a slightly different email address to which the payment is then sent. The payment then ends up in a different account rather than that of the original creditor. “Even small companies can lose payments in the five to six figure range,” Stewart adds, “and it’s very rare to get that money back.”
“Start with policies and procedures and by educating people in the company, especially those who are making electronic payments,” he suggests. Ideally, banking transactions should be carried out on a dedicated computer. “A lot of people get in trouble because they log into bank accounts on the same computer that they use for browsing CNN,” he says. “This will keep credentials a lot safer.” All employees should use two-factor authentication (2FA), which requires not just a password but also some other form of verification, such as a card, a token or a biometric factor such as a fingerprint.
One thing to watch for is a domain name in an email address that differs from the legitimate one by even a single letter. Most users know not to provide any type of password or account information in response to unexpected messages, but the same may not hold true for a trusted source, or what appears to be a trusted source. “Once the hacker has accessed email traffic, they can change a phone number or the destination of the message. That’s why users must have contact information outside of email for any of their business partners or customers,” Stewart explains.
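A defender-side check for the lookalike-domain warning above, written as an added example that is not from the article or from SecureWorks. The partner allow-list, the From: headers and the edit-distance threshold of 2 are all constructed assumptions; messages flagged as lookalikes are the ones to confirm through the out-of-band contact details Stewart recommends.

```python
import re

# Constructed allow-list of partner domains the business actually pays (assumption).
TRUSTED_DOMAINS = {"acme-supplier.example", "northbank.example"}

# Constructed sample From: headers standing in for a mailbox export.
SAMPLE_HEADERS = [
    "Accounts <ap@acme-supplier.example>",
    "Accounts <ap@acme-suppIier.example>",              # capital I in place of lowercase l
    "Treasury <pay@northbank.example>",
    "Treasury <pay@north-bank.example>",                # one inserted hyphen
    "Billing <ap@acme-supplier.example.evil.example>",  # partner name used as a subdomain
    "News <newsletter@unrelated.example>",
]


def levenshtein(a, b):
    """Edit distance: number of single-character insert/delete/substitute steps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the domain from a From: header like 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    return m.group(1).lower().rstrip(".") if m else None


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, partner_domain). 'lookalike' means the sender domain is
    within max_distance edits of a partner domain, or embeds its first label."""
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparseable", None)
    if domain in trusted:
        return ("trusted", domain)
    for t in sorted(trusted):
        if levenshtein(domain, t) <= max_distance or t.split(".")[0] in domain:
            return ("lookalike", t)
    return ("unknown", None)


def check_messages(headers=SAMPLE_HEADERS):
    """Map each header to its verdict so lookalikes can be held for confirmation."""
    return {h: classify_sender(h) for h in headers}
```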
Most companies are using basic protections such as firewalls and antivirus software, but those are no guarantee. “Virus software and intrusion prevention software are essential, and many products are available that are within reach of small organizations,” he says, “but there is a time lag from the point at which it is introduced and the point at which it is detected and countered. That is why endpoint solutions that don’t rely on known signatures of malware, but instead examine behavior of new code or use binary whitelisting approaches, should also be deployed.”
The bad actors continue to innovate, sometimes for political reasons but most often for financial gain. “Ransomware written in Eastern Europe can now be downloaded and recompiled,” says Stewart, “to provide ‘ransomware as a service.’” Ransomware encrypts data, preventing users from accessing it until a payment is made. “Backups are very helpful in these cases,” he continues, “because if the data can be replaced, the company can be up and running again very quickly.” Medical facilities, universities and even law enforcement organizations have been targeted because they have resources to pay the attackers and cannot function without their data, but ransomware agents have also extracted money from SMBs, which are equally dependent on their data.
Although the term “social engineering” can be used in a neutral or positive way, in the context of cybersecurity, it most often means persuading or manipulating people into revealing information that allows a bad actor to hack into a computer system, a company or an individual’s personal information. Social-Engineer helps employees to avoid such scams by providing ongoing testing that keeps them alert to threats. One of the company’s primary services is to send out emails regularly that are typical of those that hackers would use. The content is harmless, but the messages are monitored to see how employees react.
“We have seen an 80 to 85 percent reduction in the number of times that employees are taken in by phishing emails,” says Chris Hadnagy, founder and CEO of Social-Engineer and author of several books on the topic. “Watching a computer-based training program can be part of an overall awareness program, but regular, realistic phishing emails are much more effective in changing behavior.”