There seems to be a new cyber attack each week: Cryptolocker, WannaCry, Petya, the list goes on. We hear and read about ransomware shutting down high-profile organizations, hackers stealing customer information, and attacks costing the global marketplace billions of dollars overall.
Although these headlines may seem a million miles away from affecting you or your business, and your business might not make headlines in the event of a breach, hackers and cyber criminals are setting their sights on you and other small and medium-sized businesses.
In fact, 69% of Canadian businesses said they experienced some type of cyber attack, ranging from malware and computer viruses to phishing and "social engineering" attacks.
There is good news, however. There is plenty your organization can do to avoid falling victim to scams and attacks. Simply understanding the threat landscape for your business and instilling proper IT security policies in your corporate culture can defend against the majority of threats you're most likely to confront where network security and IT best practices fall short.
Here are the five most commonly successful cyber attacks against SMBs that you need to prioritize your defences against:
Cyber attack No. 1: Socially engineered malware
The most common attacks against smaller businesses are Web-based and involve social engineering techniques that rely on taking advantage of human nature. Victims of this type of attack are usually duped into downloading malware from a malicious email attachment, or malware disguised as a downloadable free tool or Flash update.
The downloaded malware will likely provide remote access to an attacker, who can then use it to view and steal your information and passwords and, in the case of businesses, begin to spread more malware to other machines on your network.
Socially engineered malware programs are responsible for hundreds of millions of successful hacks each year. It has become the most favoured type of attack lately because it requires relatively little technical experience, since it relies mostly on targeting a user's behaviour.
Examples of these types of attacks are ransomware, keyloggers, spyware, and remote access tools (RATs).
What you can do:
Mitigating the social engineering techniques of hackers is best handled through ongoing employee education about the techniques being used, the red flags to look for, and the risks to the company and to employees' personal information. Businesses can further protect themselves by installing content filtering to reduce the chances of employees visiting malicious sites on the web, using spam filtering for business email accounts, restricting the use of admin credentials, and blocking unapproved applications from installing on workstations. Having up-to-date network security tools and devices is necessary, but they cannot always prevent an employee from clicking a malicious link or attachment, which is why ongoing cyber security awareness education is key.
Cyber attack No. 2: Password phishing attacks
Not far behind on the list of most commonly successful cyber attacks against SMBs are password phishing attacks. 90% of successful security breaches are the result of some form of password phishing attack. The reason these attacks are so successful is that they mimic trusted entities in order to fool users into providing their full usernames and passwords on fake websites that send that data straight to the attackers.
Once the attackers have that information, they can then change the password to lock out the user, and begin stealing information or infecting other computers on the network.
What you can do:
Fortunately, there are anti-spam devices and software which have made great strides in helping businesses keep employee emails reasonably safe. They are not 100% foolproof, and some phishing emails will slip through the cracks into your employees' inboxes.
An even more effective method is to strengthen how passwords are used in your organization: use login credentials that can't be given away, for example by employing two-factor authentication (2FA), or use tools such as password managers that allow users to create a unique and strong password for every secure website.
If you are able to provide something other than simple login name/password combinations for your employee logins, as mentioned above, then you've beaten the password-phishing game. If you're stuck with using simple login name/password combinations, you should be using anti-phishing devices or software, and decreasing the risk of employees falling for these scams with end-user education about the risks and what to look out for.
Cyber attack No. 3: Unpatched software
Coming in at a close third, which is also the easiest to secure and the most neglected for small businesses, is unpatched software vulnerabilities.
Browser add-in programs like Adobe Flash, Java, and even extensions are the most commonly unpatched and exploited programs on the web, which is why hackers target them. Additionally, even programs such as Microsoft Word and Excel have vulnerabilities that, if not patched, can give hackers easy access. Next is making sure your operating systems are as up-to-date as possible and that you aren't using old versions like Windows XP, which are no longer supported and patched.
When new security patches are released, it's imperative that you and your employees update as soon as possible, as hackers are known to reverse engineer new patches, in order to find the vulnerabilities they can use on out-of-date systems.
What you can do:
As mentioned, this is the easiest countermeasure to implement, although it is often the most neglected. Small businesses with only a handful of machines should be able to keep their systems updated by encouraging and requiring employees to take responsibility for their own machines.
Businesses that have a large number of machines and do not have the staff to patch them all, or cannot afford automated patch management software on their own, should be working with a Managed Service Provider (MSP) such as Netmon Services, who can manage updates for your entire organization along with other regular maintenance services and security monitoring. The bottom line is that simply making sure your software is up-to-date is key in protecting your business.
Cyber attack No. 4: Social media threats
With hundreds of millions of people on Facebook, Twitter, LinkedIn and other social media sites, hackers have realized these are prime locations to do the most damage.
Social media threats usually arrive as a rogue friend request, an unknown application request or even a link to a "news article". Lately we are seeing fake news sites that contain malware popping up. If you're unlucky enough to accept the request, you're often giving up way more access to your social media account than you bargained for, or downloading malware to your device.
Corporate accounts are also a much-loved target for hackers to exploit, either by getting the user of those accounts to click on malware or possibly by hacking the account to discover passwords that might be shared between the social media account and the corporate network.
What you can do:
Employee education about social media threats is a must and will make them safer online no matter if it's for business or personal use. Making sure that your employees know not to use their corporate passwords with any other website is also very important.
Cyber attack No. 5: Advanced persistent threats
Advanced persistent threats are one of the least common types of cyber attack on our list that you and your business are likely to face, but they can be the most effective. APTs are targeted attacks that require extensive networking and coding knowledge. These are the type of attacks you will hear about in the news, such as the Equifax breach, where hackers have breached a company's network, usually with the end goal of siphoning large amounts of data. These attacks are sophisticated, strategic and very good at avoiding detection, which allows them to monitor a network and steal information over a period of months or even years.
APTs typically gain a foothold using socially engineered malware or phishing attacks as mentioned above, but where those are attacks of opportunity, APTs are very targeted and have a strategic plan in place.
A very popular method is for APT attackers to send a specific phishing campaign (known as spearphishing) to multiple key employee email addresses (IT directors, CISOs, CIOs, CEOs, accounting dept, etc). The phishing email usually contains an attachment, such as an invoice or job posting, which once clicked downloads malware on the target's device. APT attackers can compromise an entire enterprise in a matter of hours, and lie dormant for long periods of time.
What you can do:
Detecting and preventing an APT attack can be very difficult, as these types of hackers know how to remain undetected, and it requires technical expertise in networking to even have a chance of detecting the breach.
All the above advice applies, but understanding legitimate network traffic patterns in your network and setting up alerts on unexpected flows can provide the needed insight to determine if a breach has happened. An attacker won't understand which computers normally talk to which other computers, and what data is normally passed around, but your IT staff should. By having a good understanding of normal network behaviour, your IT staff should notice when an attacker slips up and attempts to copy large amounts of data from a server to some other computer with which that server does not normally communicate. When they do, you can catch them.
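To make the idea of alerting on unexpected flows concrete, here is a small sketch added for illustration (it is not from any particular monitoring product). It learns which machine pairs normally talk and how much they transfer, then flags bulk transfers between pairs never seen before and large jumps on known pairs. The hostnames, flow records and thresholds are constructed assumptions; in practice the records would come from your firewall or NetFlow logs.

```python
from collections import defaultdict

# Constructed sample flow records: (source, destination, bytes transferred).
# Hostnames are hypothetical.
BASELINE_FLOWS = [
    ("ws-01", "fileserver", 12_000_000),
    ("ws-02", "fileserver", 8_500_000),
    ("fileserver", "backup-01", 900_000_000),
    ("ws-01", "mail", 2_000_000),
    ("fileserver", "backup-01", 950_000_000),
]
TODAY_FLOWS = [
    ("ws-01", "fileserver", 15_000_000),      # normal
    ("fileserver", "backup-01", 920_000_000), # large, but expected nightly backup
    ("fileserver", "ws-07", 4_200_000_000),   # server sending bulk data to an unusual peer
    ("ws-02", "printer", 40_000),             # new pair, but tiny
    ("ws-02", "fileserver", 600_000_000),     # known pair, far above its usual volume
]

def build_baseline(flows):
    """Map each (src, dst) pair to the largest single transfer seen during the baseline period."""
    peak = defaultdict(int)
    for src, dst, nbytes in flows:
        peak[(src, dst)] = max(peak[(src, dst)], nbytes)
    return dict(peak)

def find_unexpected(flows, baseline, new_pair_bytes=100_000_000, growth_factor=10):
    """Return alerts for bulk transfers between new pairs and volume spikes on known pairs.

    new_pair_bytes and growth_factor are illustrative thresholds, not recommendations.
    """
    alerts = []
    for src, dst, nbytes in flows:
        usual = baseline.get((src, dst))
        if usual is None:
            # These two machines have never talked before; only alert on bulk data.
            if nbytes >= new_pair_bytes:
                alerts.append((src, dst, nbytes, "new-pair-bulk-transfer"))
        elif nbytes >= usual * growth_factor:
            alerts.append((src, dst, nbytes, "volume-spike"))
    return alerts

if __name__ == "__main__":
    for src, dst, nbytes, reason in find_unexpected(TODAY_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"ALERT {reason}: {src} -> {dst} ({nbytes / 1_000_000:.0f} MB)")
```

The nightly backup stays quiet because it is part of the baseline, which is the point: the alert depends on knowing what is normal for your network, not on transfer size alone.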
If you do not have your own IT staff, or the budget to purchase the needed tools for network monitoring and traffic analysis, you should consider working with a third-party IT services firm such as Netmon Services to provide network monitoring, intrusion detection, secure network infrastructure design and remediation services.
Overall, you will want to figure out what your business's most likely threats will be and prepare for those the most. Too many companies waste resources concentrating on the wrong, less likely scenarios. Don't be one of those companies that spends money on high-dollar, high-visibility projects while the bad guys continue to sneak in using routes that could have easily been blocked.