Lessons learned from the latest barrage of cyberattacks speak clearly to the mounting risks facing small businesses today. Unfortunately, cybercriminals will continue to morph their attacks to advance their cause – greed. These attacks can cripple small businesses both financially and logistically. Deliberate phishing attacks capture information, while ransomware locks data owners out of their information. The risks and impacts of both situations, however, can be mitigated through training and technology. Let’s review each of the attack methodologies and then discuss impact and mitigation strategies.
Phishing attacks have many names, but they essentially involve an attacker broadcasting a message to a number of recipients knowing that some will take the bait. More specifically, “spear phishing” is an attack methodology that targets a particular user within the organization, usually a member of the company’s Accounting, Human Resources or Information Technology (IT) departments. Lastly, there is “whaling,” an attack that targets a member of the organization’s senior leadership team—hence going for the “big fish” in the organization, such as the CEO, COO, CFO, or CIO. All of these attack methods are designed to either (1) steal information in order to access that business’ systems or personally identifiable information (PII) so that a bad actor could steal an identity, or (2) fraudulently direct money transfers out of the business’ account.
Encryption is a valuable data protection tool when implemented correctly; however, cybercriminals have developed attack methodologies using the same data protection technology to lock users out of their information, whether stored on a computer or server. An organization’s technology can be relegated to nothing more than a supersized paperweight when infiltrated by this cryptoviral extortion, which can leave businesses without access to their data and unable to bypass the cryptography. The only way to regain access to the data is to either pay the ransom or format the drives and restore from your organization’s backups – if there are any.
Impact on Small Businesses
As reported by software company Symantec, cybercriminals targeted 43 percent of small businesses in 2017—a dramatic increase from 2011, when attackers targeted 18 percent of small businesses. According to a report published by Keeper Security in collaboration with the Ponemon Institute, of the 43 percent of small businesses targeted, only 14 percent rated their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective and able to limit exposure and impact.
In October 2016, The Denver Post noted that 60 percent of small businesses that suffer a cyberattack are out of business within six months. It is estimated that 43 percent of the attacks against small companies were a variation of phishing, and two percent were associated with ransomware. The root cause of 48 percent of the breaches was negligent employee or contractor actions.
What is most valuable to cybercriminals who perpetrate these types of attacks? Simple: whatever can make the cyber actors the most money. This could be the organization’s information, such as customer information that includes PII, or access to its financial systems to initiate unauthorized financial transfers. In either case, the impact is clearly devastating for any organization, but potentially more so for small businesses that may not have the finances necessary to recover from the hack itself, not to mention the resources required to protect their brand and ensure customer confidence.
11 Mitigation Strategies for Small Businesses
The question we most often get is, “How can we protect our business from these malicious types of attacks?” While there are no 100 percent guarantees, here are some measures we recommend small businesses consider:
- Ensure employees and contractors are trained on Information Security Awareness.
- Implement quarterly training sessions to keep employees and contractors updated on emerging threats and best practices to identify malicious emails.
Update Policies and Procedures
- Develop a minimum password complexity and change schedule policy.
- Require employees to review and sign the company’s Acceptable Use Policy for company-provided technology annually. Create steps within a Security Incident Response Policy in the event of a cyber-breach.
- Identify the company data required to be backed up, as well as the retention period.
- Conduct penetration and social engineering tests on your organization to identify your risks before the cybercriminals do.
Know Your Technology
- Use automated tools to update systems and networks against critical vulnerabilities identified by the manufacturers, and to enforce password complexity and change frequency requirements.
- Limit access to information based on job responsibilities.
- Layer the organization’s network with intrusion detection/intrusion prevention (IDS/IPS), firewall, and managed switch technology to allow for virtual local area network (VLAN) segmentation.
- Enlist spam filtering technology to provide front-end email protection.
- Install antivirus and anti-malware software on servers and workstations for endpoint protection.
If you are interested in learning about additional steps to strengthen your organization’s technology infrastructure protective measures, please call or email Steve Bova at 312-229-9815 or at firstname.lastname@example.org.