Cyberattacks on small to medium-sized businesses are increasingly targeted, sophisticated, and severe. These attacks result in damaged reputations, downtime, and average costs to a company of around $1.2 million.
76% of individuals say they would stop working with or buying from companies with a history of cybersecurity breaches.
Statistics like the ones above are everywhere, and as a business you can’t afford to ignore them. You don’t have to be a cybersecurity expert to understand the importance of taking every precaution when it comes to cybersecurity for your business.
This guide will discuss:
- How cybersecurity applies to your business
- What specific risks you should be looking for
- Real world examples of cybersecurity risks
- How to increase cybersecurity preparedness in your company
- How to train cyber-aware employees
As cybercriminals get smarter, the ways to keep your company safe continue to change. No business is too small to be targeted or attacked, so if you believe that you don’t need to put thought into your cybersecurity because you're under the radar, it’s time to change that way of thinking.
In January of 2018 the FBI helped define what small businesses should be watching for in a statement on combating foreign cyber threats. The statement starts with a quote from the Deputy Assistant Director of the cyber division:
“the growing number and sophistication of cyber threats poses a critical risk to U.S. businesses, and the impact of a successful attack can be devastating to small businesses in particular.”
While this may be directed at small businesses, it is still true for businesses of any size and industry.
According to Infoguard the top five industries vulnerable to attack are:
- Financial Services
In 2016 there were 5.6 million businesses, and 3.7 million of them fell into the top five most vulnerable industries. But even if your business doesn’t fall into one of those industries, that doesn’t mean you don’t have to take cybersecurity seriously. In 2017 alone, over 60% of small to medium-sized businesses said they had experienced a cybersecurity attack resulting in a data breach. Everyone is vulnerable and everyone should be taking precautions.
In his 2018 survey for americanbar.org Stephen Zetzer wrote that “hackers are actively targeting… smaller professional services firms specifically to gather intelligence about their clients.” Zetzer’s survey also had firms rate their perceived preparedness on a scale from 1-10 and showed that
- Regarding their overall cybersecurity preparedness, the average response was 3.5
- Regarding their preparedness for hackers and malware, the average response was 3.4
- Regarding their ability to prevent ransomware, the average response was 4.1
So how does this apply to you? Even with these low rankings, “only 10 percent [of professional service firms] reported seeking advice from vendors or security professionals.” Let’s think about that: only 10% of professional service firms seek advice to ensure data security. If this trend holds in other industries, it follows that only a very small fraction of small businesses are actually seeking advice and making sure their businesses are properly protected, and that is a serious cause for concern. For small businesses in Austin, TX, it’s also important to know that according to a Malwarebytes report that analyzed malware trends for small and medium businesses in Q1 of 2017, “Texas was the state with the highest total of malware incidents detected,” with the second largest increase in ransomware incidents in the nation and 105 data breaches resulting in 2.5 million stolen records and a loss of $277 million to the state in 2017.
Cybersecurity is such a broad topic that it’s easy to feel overwhelmed when it comes to learning about all the different ways cyber criminals can gain access to your devices, networks, and data. The biggest cybersecurity risks we see are phishing attempts, spoofing, cyber criminals taking advantage of weak or compromised passwords, ransomware, and hacking.
Phishing is most commonly done through email, and is a way for malicious parties to obtain your information. In most phishing attempts, you get an email that pretends to be from someone or some organization that you trust, tricking you into revealing something secret or doing something that you shouldn’t. These fake emails, and fake websites, can look very real and are carefully crafted to fool even the most suspicious users. These emails often try to obtain your usernames and passwords for online accounts in order to commit identity theft, compromise financial information, install malware on your computer, or find a way into your company’s secure network. Just take a look at how similar these two Office 365 login screens look. Which one is real, and which one was sent by a phisher?
Because phishing is such a common issue, there are a few major forms of phishing you should be aware of.
The average phishing scam takes the form of a mass email, sent to an unknown number of individuals, that pretends to be from someone the recipient trusts. A common example of this kind of attack involves a recipient opening an email that appears to be from their bank notifying them that something is wrong, that they must log in to address the issue, and providing a link to a login page. This login page is a fake page, controlled by the hacker and designed to look like the bank’s page, with a place for the individual to enter their credentials. Once the credentials are entered, the cyber criminal has all they need to access the individual’s banking information.
Like with the Office 365 example, can you tell which bank login page is a fake, and which is real?
Spear phishing is especially important for those in business, or high-profile industries to be aware of. This phishing variant is when a cyber criminal takes the time to craft an email targeted at one specific person. In a spear phishing attack, like with a mass phishing attack, the email will seem to come from a trusted source. If you’re in business, it may look like it’s coming from someone of authority in your company, or a vendor you work closely with. According to research, 91% of cyberattacks and resulting data breaches begin with spear phishing emails.
This variant is similar to spear phishing in that the attacks are directed at a specific group of professionals or a single employee within a firm. But instead of merely looking like they come from someone of authority, these emails target those in positions of authority, like the company’s top executives, in order to obtain their login credentials, under the assumption that those credentials will give full access to anything within the business. These emails are highly customized and are less likely to be filtered as spam.
Spoofing is when someone makes an email appear as though it was sent from somewhere it wasn’t, such as your own email address. Spoofing may be used to trick someone into downloading a virus or revealing confidential information. For example, say you’re in charge of payroll. Someone could send a spoofed email to one of your coworkers asking for a copy of their W-2. Your coworker would never just give their W-2 to a stranger, but if they thought the email was from you they might not hesitate to send it over. While spoofing isn’t harmless, a spoofed email does not mean your account has been compromised: spoofers take advantage of weaknesses in the way Internet email handles sender addresses, which is different from someone actually having hacked into your account.
Let’s face it, most of us are pretty bad at creating new logins for every single account that we use, both at home and at work. A big component of cybersecurity is having different logins for each account you use online. Otherwise, if one password is compromised and that same password has been used for every account you have, your likelihood of being hacked increases. Cybersecurity reports show that 80% of hacking-related breaches leveraged stolen, weak, or highly guessable passwords.
Ransomware is a form of malware, or malicious software, that ultimately holds users’ data for ransom. This form of malware became a household name after the Cryptolocker virus made headlines in 2013 and 2014. With Cryptolocker, an end user would receive an email with an attachment, open it, and immediately the virus would begin encrypting all of their data files and any network shares in use.
For businesses with up to date backups, it’s possible to restore data and eliminate the virus, but for businesses without backups, or without off-site backups, many are forced to pay the ransom via bitcoin, and have to suffer through days of downtime before getting their files back. Obviously not an ideal situation. Ransomware is only continuing to evolve as both cyber criminals and cybersecurity experts get smarter.
If you’ve been hacked it means that someone has gained unauthorized access to your privileged accounts and data. A hacker may get into your email through viruses, malware unintentionally downloaded on your computer, by guessing your password, or from information leaked after a data breach.
Hackers have a variety of techniques to gain access to your account or device:
- Vulnerability scanning
- Password cracking
- Spoofing attacks
- Trojan horses
One of the most common ways we’ve seen hackers gain access to your computer is to utilize a trojan horse.
A trojan horse is a form of malware that looks like a legitimate application or software download. Once a trojan is activated on your device, cyber criminals can steal sensitive data, spy on your actions, and gain backdoor access to your entire system. While trojans cannot self-replicate, meaning they cannot insert themselves into other files or programs and directly infect them, they can still delete, block, modify, and copy your data, while also wreaking havoc on the performance of your network and your device itself.
Now that we’ve talked about what these cyber attacks are and how they can affect you, what do they look like? Unfortunately, over the past few years we’ve been given many examples of how these attacks are carried out.
Google Chrome Font Scam
Say you head to a post on your favorite blog using the Google Chrome browser and this is what you see:
You’re going to be confused right?
Well, confusion is exactly what the hackers were hoping for. After seeing this, users were served a popup saying “Hoefler Text Font Was Not Found” in a box with the real Google Chrome logo and instructions telling them to “Update the ‘Chrome Font Pack’”. This scam resulted in users installing malware onto their computers, enabling cyber criminals to gain access to their entire network and data files.
Cryptolocker, a ransomware attack that targeted Windows computers between 2013 and 2014, was a trojan with a virus payload that encrypted the files on your computer and network, locking you out of them until you paid a ransom. Once the Cryptolocker malware ran, no antivirus software could recover from it. Since the encryption key was inaccessible and held by the attacker on a secret server somewhere on the Internet the victims had the option to pay the ransom, restore their files from a backup, assuming that they have backups, or simply lose all of their data. For those affected there were only two outcomes that resulted in the company retaining their files, one more favorable than the other:
- The first, and more favorable, case involved employees opening an email attachment disguised as an invoice but really containing the virus. This business had valid, up-to-date backups of all its files. The program encrypted the user’s local files in their Windows profile, and as many network files as it could find and modify. Thankfully, the virus could be removed and the network files restored from off-site backups.
- The second, and less favorable option, involved a company that contracted the virus on their network through another email phishing tactic. The virus was identified as Cryptolocker, but unfortunately, due to an IT oversight the company had no complete or valid backups of their data, so there was little they could do to retrieve files. After paying the ransom, and experiencing days of near-total network downtime, their files were eventually decrypted.
Cyber criminals successfully extorted $3 million in total from victims with this scam.
Petya was a ransomware attack that spread in March 2016, affecting Windows machines. It began as an email appearing to contain a job applicant’s resume, in PDF form, and an image of the applicant. The purpose of the “resume” file was to get the victim to download and execute the file and accept the Windows “User Account Control” warning, giving the virus permission to make changes on the device.
Why was this virus different? Rather than searching for specific files and encrypting them, it encrypts, without going into too many technical details, the Master File Table (MFT), the hard drive’s roadmap to where every file is stored. This makes everything initially appear fine, but in reality your device can no longer locate any of its files, and without the decryption key all of them are lost.
NotPetya made its way into the headlines in June of 2017 and was a variation of the Petya ransomware. This version spread rapidly between devices and networks without needing spoofed emails or social engineering to gain administrative access to devices. The fact that NotPetya was spreading on its own, leveraging tools built into Windows to remotely access other devices, was alarming enough. But to add fuel to the fire, NotPetya also encrypted everything, not just the master file table, and in the process it damaged the files beyond repair.
Many of the infected devices were running old Windows versions that were no longer receiving security updates, while others on Windows 10 were able to fend off the attacks because the new security features were able to block the various ways the virus attempted to spread from machine to machine.
This is why it’s important to know when your hardware, operating systems, and frequently used applications are reaching “End of Life”.
In January 2019 we saw the biggest collection of usernames and passwords ever compiled and freely distributed on hacker websites. Collection #1 came first and contained 773 million unique usernames and passwords; Collections #2-5 added a total of 25 billion records. The majority of these records were compiled from previous corporate data breaches, so most were likely old and out of date. But around 750 million of them had not been exposed in other breaches, meaning some were leaked for the first time and now have the potential to be exploited, and it’s very possible that some of your employees are using these logins on work accounts.
Once you’re aware of these types of security breaches it’s almost impossible not to notice them in the media.
Since 2013 it's been reported that there are 3,809,448 records stolen from cyber attacks every day. This is why cybersecurity is so important, don’t let your business become a statistic.
You know the risks of falling victim to a cyberattack, you’ve seen what they can do, so now...how do you make sure your company is prepared to ward off any cyber attacks?
Simple Steps to Improve Security
Enable Two-Factor Authentication
Two-factor authentication (2FA) is an easy way to add another layer of protection between your important and confidential data and cyber criminals. In addition to your current passwords, a secondary form of identity verification is required to gain access. There are a number of different systems your company can utilize to achieve this and most can be set up to work in conjunction with the security protocols you have in place already.
Some of the more popular forms of secondary authentication are:
- Automated phone calls
- PIN codes sent via text message
- Smartphone apps
- Physical security tokens
These days, two-factor is increasingly easy to implement on login accounts. If you use applications like G-Suite, Office 365, most social media platforms, Apple operating systems, Amazon, Slack, and many others, they will give you the option to enable two-factor authentication. This is a good way to ensure that any data stored on devices, networks, or in a cloud-based application has an extra layer of security against those who may seek to compromise your simple password login.
Keep Devices, Networks, and Applications Updated
While those “update” notifications on your phone or your computer might be annoying when you don’t have the time or desire to update your device or operating system, they are actually important. Many of them contain security patches to make sure that cyber attackers can’t get through any loopholes in the current version, and some of them contain fixes that improve the device’s performance. So really it’s a win-win.
Having up-to-date security software like antivirus is another major and simple way to protect against unwanted viruses, malware, and other online threats. Most antivirus software should be set to update automatically, and most operating systems these days, like Windows, auto-update during off-hours as well. Make sure that your settings allow your system to automatically apply security-related updates and you’ve got one less thing to worry about.
Google Password Checkup
In February of 2019 Google rolled out its newest security measure, the Password Checkup Chrome extension. It is designed to help you discover if any of your user accounts have been affected by previous breaches, and to alert you so that you can change them. The extension checks any account you log into using Chrome, not just Google accounts. Password Checkup was developed with Stanford cryptography experts to uphold the highest levels of security and give you the most accurate information when it comes to your passwords.
Use Resources Available
In October of 2019, as part of National Cybersecurity Awareness Month, the Federal Trade Commission (FTC) launched a bank of resources for small businesses solely focused on cybersecurity. According to an attorney in the consumer and business education division of the FTC, these resources were developed “out of discussion(s)...with small business owners across the country about cybersecurity challenges.”
These materials are co-branded with the National Institute of Standards and Technology (NIST), the Department of Homeland Security, and the Small Business Administration, and designed to get right to the point in order to help you and your employees understand the importance of cybersecurity. They also provide helpful information on how to implement these practices in your business and how to deal with a breach, should it happen.
Mobile Device Management
Mobile devices are susceptible to data loss, intrusions, theft, and malware just like desktops. Verizon reports that 29% of small businesses admit they’ve suffered a compromise that involved a mobile device, and 41% of those affected described the compromise as “major with lasting repercussions”, while 43% said moving forward after the attack was “difficult and expensive.”
As technology improves and the ability and desire to work remotely continues to grow, Mobile Device Management (MDM) becomes an even more important piece of the cybersecurity puzzle.
MDM is defined as “a type of security software used by an IT department to monitor, manage, and secure employees’ mobile devices that are deployed across multiple mobile services providers and across multiple mobile operating systems being used in the organization”
Essentially, every company has smartphones, tablets, and laptops that fall outside your normal internal security setup. The solution is a mobile device management system that operates over the Internet, which is perfect for remote employees or devices that aren’t consistently connected to the internal network. Most of these systems provide the ability to remotely wipe the device and to enforce security and network settings.
Since being proactive especially in these situations, is often more cost effective than being forced to be reactive, here is a short list of recommendations for Mobile Device Management systems:
- Cisco/Meraki: This suite is pretty popular, and they offer a 30 day trial.
- Symantec: Their MDM system integrates with other Symantec security products.
- Microsoft Intune: This is what IT Freedom uses internally and what we recommend to our clients.
- G-Suite: This is only a lightweight MDM built into the platform providing the capability to set a few security settings and wipe phones remotely, but doesn’t offer the ability to push apps, or perform other functions that higher end MDM systems allow you to do.
Develop a Cybersecurity Policy
In today’s world, every company, no matter the size, needs a cybersecurity policy. These are plans for how to protect your business from a malicious cyber attack and, just as importantly, how to respond if such an attack is successful. When it comes to discussing cybersecurity, having a thorough understanding of your business’ specific risks is important, and that’s why we recommend a “risk based cybersecurity policy.”
A risk-based approach focuses on understanding a company’s genuinely critical systems and the risks, be they financial, reputational, or regulatory, should those systems be compromised. After you understand the risks, the next step is performing a security audit. While there are many definitions of what a security audit is, it boils down to performing security scans to detect vulnerabilities, talking to users to understand current security practices (or the lack thereof), and analyzing hardware and other systems. These steps serve to uncover areas of vulnerability in your company and can even uncover malicious activity already in progress.
Good cybersecurity plans consist of these major areas:
- Identifying and Defining Risks
- Protecting Data
- Detecting Possible Attacks
- Responding to Threats
- Recovering From a Cybersecurity Breach
Since the end of 2011 the percentage of cybersecurity attacks targeted at small businesses has continued to rise. So while developing a cybersecurity plan may not be at the top of your list right now, take into consideration that most small businesses can’t handle the legal, financial, or reputational risks associated with a data breach. For many small businesses the legal ramifications alone would put them under before there was even a thought about the reputational consequences of a data breach.
While technology like antivirus software and Internet firewalls is necessary when it comes to your company’s cybersecurity preparedness you can’t overlook the role your employees play in the cybersecurity equation. According to the cyber risk culture survey released by Willis Towers Watson, 90% of successful cyber attacks can be pinpointed back to human error. Falling prey to a phishing email or clicking through a dubious security warning on a web page is all too common for busy people getting their day-to-day jobs done, and they’re all the more likely to fall for such things if they haven’t been given a basic amount of training on what not to do and what to look out for. Your cybersecurity training should include the following things:
The Right Leadership
For a topic as important as cybersecurity, it’s critical to have someone who is not only excited about the training, but is also knowledgeable about cybersecurity and all the measures your company takes to keep itself protected. This individual should be able to communicate clearly and effectively, work with everyone in the company, and be someone you can trust to show employees how important this is.
Memorable Training Methods
For the majority of your team, a cybersecurity meeting isn’t how they want to be spending their day. Make sure you’re not just putting up a PowerPoint slide and reading it aloud to them. Think back to when you were in school: didn’t lessons like that make you want to stop paying attention? Use videos and scenarios, and have people participate and answer questions. Making the trainings fun keeps employees engaged while increasing the likelihood that they will retain the information and use it every day.
Come up with rules and guidelines with your team that are short and to the point, that reiterate what one should do in different situations, and that can be posted around the office as reminders.
Every month, pick a new situation and email employees steps on how they should respond in the company newsletter, or something similar. Reminding employees over and over and keeping these ideas and guidelines visible keeps them at the top of everyone’s mind.
While your trainings should be fun and engaging, this is still a serious topic for your business, so what you’re teaching them does need to be practiced every day. If you notice a team member going out of their way to make sure they are following all the security guidelines, reward them - whether it be monetary, or just a shout out at the next meeting. Giving your employees that boost makes them more likely to keep up the good work, and will encourage others to do the same.
What should you be discussing with them?
Making sure all your data is secure can be complex but there are a couple things you can do internally to make it easier.
Determine what data you actually need
The less personal data you keep about your customers the better. If you don’t need their social security number, don’t ask for it. If you don’t have it you’re off the hook for keeping it secure.
Only keep data for as long as you need it
Make sure your employees understand your retention policy. If you’re only required to keep data for five years, make sure you have a plan to securely dispose of it after those five years are up.
Only give employees access to what they need
If an employee doesn’t need access to a certain database or file, don’t give it to them. By only giving access when needed you reduce entry points for cybercriminals. Make sure employees understand this and don’t give access to coworkers who don’t need it.
The time to stop ignoring update notifications is now. We know that updating can take time, cause stress, and is overall an inconvenience. That being said, it is still extremely important. This applies to operating systems, browsers, and applications. Hackers will often try to take advantage of security vulnerabilities, and a large number of malware infections come about by accidentally browsing a site designed to automatically compromise computers with an out-of-date browser. For businesses with certain compliance requirements, updates are often mandatory. For example, running software like Windows Server 2003 or XP, which no longer receive security updates from Microsoft, may cause compliance issues with HIPAA and PCI.
The Importance of Strong Passwords
This is one of the most important topics in your cybersecurity training. Strong and unique passwords are important. Usernames and passwords are exposed every day through website hacks and account leaks. If one of your passwords gets out, will it unlock every account you’ve ever had? Will it give a cyber criminal access to your company’s entire network of data?
Here are some do’s and don’ts from the new NIST SP 800-63 password guidelines:
- Do create passwords with a minimum of 8 characters
- Do enable two factor authentication
- Do use different passwords for every account
- Do store passwords safely, using something like a password manager
- Do not use previous passwords
- Do not use repetitive/sequential characters
- Do not use context-specific passwords (for example, never create a password that includes your company’s name)
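As an added example (not part of the original guide), here is how a small business could turn the do’s and don’ts above into an automated check when an employee picks a new password. The run length of four for “repetitive/sequential”, the tiny constructed breach list, and the use of plain SHA-256 for the password-history comparison are assumptions made for illustration; a real deployment would store history with a salted, slow hash and check against a full compromised-password corpus.

```python
"""Password-policy checker modelled on the SP 800-63B do's and don'ts listed above.

Added example, not from the original guide. The exact meaning of "repetitive" and
"sequential" is left to the implementer by NIST; the thresholds here are assumptions.
"""
import hashlib
import hmac

MIN_LENGTH = 8
RUN_LENGTH = 4  # assumption: "aaaa" or "1234"/"abcd" of this length is repetitive/sequential

# Constructed sample data standing in for a real compromised-password corpus.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def _sha256(password: str) -> str:
    """Digest used for the password-history comparison (illustration only; use a
    salted, slow hash such as bcrypt/Argon2 for real stored history)."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def has_repetitive_run(password: str, run: int = RUN_LENGTH) -> bool:
    """True if the same character appears `run` or more times in a row (e.g. 'aaaa')."""
    return any(len(set(password[i:i + run])) == 1
               for i in range(len(password) - run + 1))


def has_sequential_run(password: str, run: int = RUN_LENGTH) -> bool:
    """True if `run` consecutive characters step by exactly +1 or -1 in code point
    (e.g. 'abcd', '1234', '4321')."""
    for i in range(len(password) - run + 1):
        window = [ord(c) for c in password[i:i + run]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def contains_context(password: str, context_terms) -> bool:
    """True if any context word (company name, username, service name) of three or
    more characters appears in the password, case-insensitively."""
    lowered = password.lower()
    return any(term and len(term) >= 3 and term.lower() in lowered
               for term in context_terms)


def check_password(password: str, *, context_terms=(), previous_hashes=(),
                   breached=BREACHED_PASSWORDS):
    """Return the list of rules the password violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if has_repetitive_run(password):
        problems.append("contains repetitive characters")
    if has_sequential_run(password):
        problems.append("contains sequential characters")
    if contains_context(password, context_terms):
        problems.append("contains a context-specific word (company, username or service name)")
    digest = _sha256(password)
    # Constant-time comparison against the stored history digests.
    if any(hmac.compare_digest(digest, h) for h in previous_hashes):
        problems.append("matches a previously used password")
    if password.lower() in breached:
        problems.append("appears in a known breach list")
    return problems


if __name__ == "__main__":
    # Constructed scenario: an employee at the fictional company "Acme" changing a password.
    history = [_sha256("OldPassw0rd!")]
    for candidate in ["acme1234", "OldPassw0rd!", "password", "Tr0ub4dor&3"]:
        result = check_password(candidate, context_terms=["Acme", "jsmith"],
                                previous_hashes=history)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```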
It’s important to consistently revisit these rules as well. As cyber criminals’ ability to hack passwords evolves so should how we go about keeping passwords safe. It’s no secret that technology is always changing and because of that, so are the cybersecurity threats facing your business, and the ways to protect against those threats.
Now that you’re aware of what cybersecurity is, how it’s important to your business, what risks to look out for, and how to increase your company’s preparedness including what to discuss with your employees, you can take this knowledge and put it into practice in your business no matter the size!