what All small businesses need to know!
With massive data breaches making headlines on a regular basis, it’s hard to ignore the fact that data security is becoming increasingly important. Unfortunately, there are still far too many small businesses that don’t understand just how serious the threat is.
The growing threat to small businesses
Recent research demonstrates that the growing cybersecurity threat isn’t a trend affecting only big, national companies. It’s just as serious—if not more serious—for small businesses to be prepared because data breaches and cyber attacks are very real possibilities for them. According to the National Small Business Association, 44 percent of small businesses report being the victim of a cyber attack, and the number of data breaches reported each year continues to climb. If that’s not alarming enough, 60 percent of small businesses that are breached go out of business within six months. The impetus is creating and implementing a cyber security policy within your organization before you become a victim.
In a recent survey, over a third of the small businesses who responded, said they only talked about cyber security when a breach or failure occurs.
We believe that’s much too late.
81% OF DATA BREACHES HAPPEN TO SMALL BUSINESSES
In this day and age, headlines like these are common:
- "Meet the new ransomware that knows where you live"
- "Spear-phishing campaign exploiting Windows zero-day vulnerability hits retail, hospitality industries"
- "Cyber Attacks on Small Businesses on the Rise"
As these headlines attest, ransomware, phishing, and other types of cyberattacks are increasing in number and sophistication. To avoid becoming a victim, you must take measures to protect your company, even if it is small. No business is too small to go unnoticed by cybercriminals. The fact is that cybercriminals like to attack small companies because those businesses often do not have the expertise or resources to fend them off.
You probably are running anti-malware software already in your business, realizing the essential role it plays in detecting and blocking known ransomware, viruses, and other types of malware. However, that is only one of several measures you need to take to protect your company against cyberattacks. Other important measures include reducing known security vulnerabilities, educating your employees, and preparing for the worst-case scenario.
Should You Beware of Ransomware?
Today’s ransomware landscape has grown exponentially over the past two years and continues to rise. Without proper protection and defenses, small businesses's are vulnerable to the increased volume of threats to their IT systems. Below are the annual number of discovered ransomware families, including the projection for 2017.
Educate yourself and your employees
Knowing what you’re up against is half the battle. As the owner of a small business, you need to learn about current cyber threats and what you can do to protect your organization. Then, share that information with your employees so they understand why cyber security is important and how they can contribute to keeping the company safe. Security is all about protecting data and preventing data loss. That used to mean protecting your data from fire, floods, and user error. Now cyber security is an even bigger threat than those more traditional dangers, and you need to make sure you’re prepared. After all, the survival of your company could depend on it.
Your employees can establish an important line of defense against cybercrime. By educating employees on how cybercriminals carry out cyberattacks, employees can spot these attacks rather than fall victim to them. Phishing, spear phishing, and social engineering should be at the top of your list of topics to cover.
Phishing and Spear Phishing
Despite being around for years, phishing emails are still being used by cybercriminals to obtain login credentials and other sensitive information, which they then use to steal money and data from businesses. Although people are now more aware of phishing, the attacks are still effective because of the growing sophistication of the emails.
The emails used to be easy to spot, as they often contained numerous misspellings and grammatical errors and spun fantastic tales about how you won the lottery or how a Nigerian prince needs your help. These days, cybercriminals are increasingly posing as legitimate companies, creating emails that look almost identical to real ones sent by those organizations. Plus, cybercriminals sometimes personalize the email to the point where it includes your name and other information about you—a tactic referred to as spear phishing.
Despite being more sophisticated, there are elements that indicate an email might be a phishing or spear phishing attack. Train your employees to look for elements such as:
- A deceptive email address in the "From" field. At first glance, the email address might seem legitimate. For instance, cybercriminals might send out an email message using the address "firstname.lastname@example.org" instead of the real "email@example.com" address.
- A request to update or verify information. Cybercriminals like to get sensitive information by posing as a popular legitimate financial institution (e.g., a bank) and asking you to update or verify your information.
- A sense of urgency. A common tactic in a phishing or spear phishing scam is to create a sense of urgency. The cybercriminals first let you know about a problem that requires your attention. Then, they let you know that there will be unfortunate consequences if you do not take action quickly.
- A deceptive URL. A deceptive URL is one in which the actual URL does not match the displayed linked text or web address. For example, the displayed text might specify a legitimate bank name ("Chase") or bank web address ("www.chase.com"), but when you hover your cursor over it (without clicking it), you might discover that the actual URL leads to a website in a foreign country known for cyber attacks.
- An attachment. Cybercriminals sometimes use email attachments to install malware on computers. Many different types of files can contain malicious code, including PDF files and Microsoft Word documents.
When discussing how to spot phishing and spear phishing attacks with employees, be sure to stress the risks associated with clicking an email link or opening an email attachment, especially if the email is from an unknown source. You also need to let employees know what they should do if they receive a suspicious email (e.g., simply delete it, notify someone about it).
Cybercriminals sometimes try to con employees into giving them the information they need to access businesses' computer systems or accounts. This is referred to as social engineering. Hackers like to use social engineering attacks because exploiting human behavior is usually easier than hacking security and computer systems.
While social engineering attacks typically occur via email (a.k.a. spear phishing emails), they can also occur over the phone and in person. The cybercriminals often masquerade as employees, but they also might pretend to be suppliers, customers, or even trusted outside authority figures (e.g., firefighters, auditors).
To get into character, cybercriminals usually learn your business's lingo. When cybercriminals use the terms that employees are accustomed to hearing, the employees are more apt to believe the cybercriminals and do what they ask.
Besides learning the business lingo, cybercriminals sometimes search the Internet for information that can help them in their impersonations. Without realizing it, many people provide a lot of information about their professional and personal lives on LinkedIn, Facebook, and other social media sites.
When discussing social engineering with your employees, stress the importance of being careful about what they post on social media sites. It might become fodder for a sophisticated spear phishing attack. Or, it might provide cybercriminals with the information needed to hack online accounts. For example, if an employee posts pictures and stories about her favorite cat, cybercriminals might try using the cat's name as a password or the answer to the security question "What is the name of your favorite pet?" With some online accounts, all it takes to reset a password is an email address and the correct answer to a security question. If cybercriminals are able to reset an account's password, they gain full access to that account.
Our team can share their vast knowledge about cyberattacks with your employees. Armed with this information, your employees can present a formidable line of defense against cyberattacks.
Reducing Security Vulnerabilities
You can make it much harder for cybercriminals to attack your IT systems by addressing vulnerabilities that cybercriminals tend to exploit. Here are a few starting points:
Update Your Software Regularly
Cybercriminals like to target operating system software and applications that have known security vulnerabilities. These vulnerabilities provide a crack that cybercriminals can slip through in order to access your computer systems and install malicious code. Updating your software regularly with newly released patches eliminates known vulnerabilities, thereby reducing the number of exploitable entry points into your computer systems.
Update Your Firmware
Computers, printers, routers, and other hardware devices include firmware, which is software that gives a device its functionality. Just like software, firmware can have vulnerabilities that cybercriminals exploit. So, it is important to patch your devices' firmware whenever the device manufacturers release an update.
Upgrade Your Software When Necessary
At some point in time, software vendors stop supporting older operating system software and applications. This means that they do not provide any security updates. Cybercriminals keep track of when versions of popular applications reach their end of support. When that day arrives, cybercriminals intentionally launch new attacks that target the unsupported software. Sometimes, they stockpile malware until the end-of-support date and then set it loose. As a result, your business is much more vulnerable to cyberattacks if you are running software that is no longer supported by the vendor.
Our team can conduct a vulnerability analysis to identify security issues that are leaving your business susceptible to cyberattacks. Once identified, we can work with you to address those vulnerabilities and reduce your risk.
COMMON CYBERSECURITY MISTAKES
Bad habits are hard to break, and that’s especially true when it comes to small businesses and cyber security. After all, it’s easy for small organization's to ignore cyber security because they think “that will never happen to me.” But, letting things slide can end up creating real security concerns. As a managed service provider, we feel the need to communicate with business owners and educate them about what to do and what not to do to avoid unnecessary risk.
Here are a few common errors you should try to avoid:
- The Post-It full of passwords, Take a walk around your office. Most likely, you’ll find at least a few desks with Post-It notes full of passwords stuck to the bottom of a computer monitor. Yes, it’s convenient, but it also provides easy access to sensitive information to people who shouldn’t have it—like disgruntled employees or a thief during a break-in.
- Out-dated operating systems, Technology is an important part of every small business, but it’s often not a priority. That’s how things like updating operating systems fall through the cracks or get ignored until they become a serious security threat. For example, do you still have systems running on Windows XP or Windows Server 2003? If they’re running a more recent operating system, are they keeping it up to date? If you don’t know, find out. The Fix: If you are running an outdated operating systems, it’s urgent that you transition to something more secure. If your newer operating systems are not up to date, it time to have a process in place to make sure updates are processed in a timely manner.
- Security software that never gets updated, Some small business owners think they’re secure because they invested in a firewall or installed antivirus software on their machines. But odds are they didn’t take the next step and pay for subscriptions or updates to go with it, which means they aren’t nearly as secure as they think. The Fix: Every Organization needs to have a process in place to make sure all PC’s are up to date and that updates are performed as soon as the updates are available.
- Old employees still have access, Lax password policies and passwords that don’t expire create another security concern for small businesses. If your organization doesn’t set passwords to expire regularly, there’s a good chance a number of former employees still have access to your system. That doesn’t necessarily mean any of them will do something malicious, but why take the risk? The Fix: Every organization needs to set up a solid password policy, and it’s important to have passwords that expire regularly. Yes, employees might think it’s a hassle at first, but the improved security will be worth it. While you’re at it, educate your employees on the best practices for choosing a strong password that’s easy to remember but hard to guess. Use these common cyber security mistakes as learning opportunities for your employees. Teach them why cyber security matters and what they can do to help make your business safer.
With cyber crime becoming an increasingly serious threat, it’s not a question of if businesses need security; it’s a question of what level of security they need. As an business owner, you should keep this in mind when thinking about your data security. It’s important to start protecting your business data as soon as possible, because new cyber threats emerge every day. Be proactive and start taking cyber security seriously now instead of waiting until after you experience a data breach or malware infection.
Don’t wait until it’s too late.
95% of breaches are caused by HUMAN ERROR!
Use good judgement to protect yourself from social engineering and phishing attacks. Don’t open emails from untrusted sources, and if you see an email that looks like it’s from a contact but seems suspicious, give them a call rather than responding via email.
For more information on Phishing Attacks, download our latest whitepaper
Educate your employees about ransomware
Ransomware is now considered a fact of life in today’s cyber security landscape, but that doesn’t mean small businesses are protecting themselves from a potential ransomware attack or even know it’s a possibility. Often, users recognize a ransomware threat after it’s too late. According to the Verizon 2015 Data Breach Investigations Report, 23 percent of small businesses that receive phishing emails open them, and 11 percent click on the attachment. And those types of mistakes can be costly. According to the FBI’s Internet Crime Complaint Center, ransomware victims reported more than $18 million in losses between April 2014 and June 2015, with ransoms ranging from $200 to $10,000. Small businesses need to start protecting themselves from the growing threat of ransomware. Educating your employees about the threat of ransomware and sharing these important tips is an important first step.
Put technical safeguards in place
As a best practice, have an intrusion-prevention system and security software running on all your computers. This should include anti-virus/anti-malware software, web-filtering, firewalls, and spam filters. Then, make sure all security patches are up to date, and deploy new patches on a regular basis. It’s also critical to have a backup solution in place and frequently test the backups running on your systems to make sure they’re working properly. If you’re hit with ransomware, you’ll want to restore your data as quickly as possible, and having a recent backup to recover from will save you both time and money.
Even with technical safeguards in place, it’s employees who ultimately risk exposing a business to ransomware. User error, such as clicking on an infected online advertisement, pop-up window, or attachment in a spam email, is often to blame for inviting ransomware into a computer. So, users are the most important line of defense. Talk with your employees about ransomware, educating them on what it is and how they can help defend the business. Try getting the whole staff together for a training session and bring lunch to make it a Lunch and Learn event. As a best practice, you should require all new employees to complete the training and offer it on an ongoing basis to avoid information being missed. If you don’t have the resources to put this type of training together, talk to your IT service provider. They should be able to run a program like this for you or provide other educational materials.
Provide examples to end users
The most effective way to educate your employees on ransomware is to show them examples of what it looks like so they’ll know the warning signs and be able to identify a suspicious message or attachment before they click on anything. For example, you can share McAfee’s phishing quiz, which includes examples of infected and legitimate emails and provides explanation of how to tell the difference. Once ransomware has infected a computer, a message is displayed on the screen letting the user know their machine has been compromised. Examples of these messages can be found here. It’s helpful to share this type of information with employees as well so that, even if it’s too late, they’ll know to alert management and ask for help ASAP.
For more information on Ransomeware, download our latest whitepaper
NATIONAL CYBER SECURITY AWARENESS MONTH
October is National Cyber Security Awareness Month which is an annual campaign to raise awareness about cyber-security. National Cyber Security Awareness Month (NCSAM) is designed to engage and educate the public and private sector through events and initiatives which will help raise awareness about cyber security.
As part of our commitment to Cyber Security, we are offering a FREE Security Assessment.
SCHEDULE YOUR FREE SECURITY ASSESSMENT TODAY!
YOUR DATA NETWORKS ARE CONSTANTLY AT RISK
There are too many ways that a network can be compromised to leave it to chance that nothing wrong is going on "behind the scenes". Here are some key issues:
- Email-based viruses getting through unprotected mailboxes
- Worms, viruses and malware infiltrating outbound port/protocol access, backdoors, and "command and control"
- Trojan applications and phishing schemes
In addition to the potential damage to networks and data, there are other critical business reasons to be tracking and documenting key network security attributes::
- Employee productivity – wasted by accessing Facebook, ESPN, shopping, adult sites
- Bandwidth abuse that can be slowing down critical business applications
- Downloading of pirated software
- Loss of proprietary business data and information from the inside
INSTALLED SECURITY PRODUCTS ARE NOT ENOUGH
There are a number of very effective tools and techniques that can help you address many of the common threats and problems, including firewalls, virus production tools, Internet Content filtering, and more. However, if any of these tools were 100% effective, there would be no security breaches. As soon as a known threat is addressed by these tools, a new one emerges. There’s not a product out there in the world today that can create security policies for your network and enforce that those policies are adhered to.
And if you’re the one who is responsible for specifying, installing, and/or managing these tools, you absolutely need to make sure that they’re working on a regular basis. Even if the hardware and software are performing perfectly month after month, there’s no guarantee that they’ll be working tomorrow.
That’s why your networks need a regular security check-up.
Backup Don't Pay-up!
Last but not least, make sure you have a good off-site backup of all your data.
Our CloudDrive service delivers easy-to-use file share, sync and real-time backup of your data via the cloud.
One of the most compelling reasons to use our integrated file backup and file sharing service is business continuity in the event your PCs become infected by ransomware. CloudDrive allows you to set continuous, real-time backups of synced files and folders, local folder backups, custom or unlimited retention, and restore files and folders from the cloud, including Mass Revision Rollback.
Prepare for the Worst-Case Scenario
Cybercriminals are constantly devising new ways to attack businesses, so despite your best efforts, your business might become the latest cyberattack victim. This is yet another important reason why you need a data backup strategy.
Although having backup copies of your data and systems will not prevent a cyberattack, it can mitigate the effects of one. For example, if your business becomes the victim of a ransomware attack, you will not have to pay the ransom to get your data back.
We can help you develop a data backup strategy and test it to make sure that your information can be restored in case your company is attacked.
Protect Your Business
Cybercriminals are constantly releasing new malware programs or variants of existing ones. As a result, relying solely on anti-malware software to protect your business is risky, as it takes a while for the vendors to update their anti-malware software to defend against the new programs and new strains.
After conducting an in-depth security assessment, our security experts can recommend other measures you can take to protect your business from cybercriminals. We can also help train your employees so that they can spot cyberattacks rather than fall victim to them.
Contact us today to make sure your company has the proper safeguards in place. Waiting until tomorrow might prove to be too late.
Recent Cyber Security Articles
Sign up to receive news and updates.
We respect your privacy.