Small Business Cyberattacks
What is a cyberattack?
Techopedia defines a cyberattack as a “deliberate exploitation of computer systems, technology-dependent enterprises, and networks.” These attacks are orchestrated through malicious code that “infects” a system to alter a computer’s data, coding or logic. This can subsequently lead to other cybercrimes like identity or information theft, fraud or extortion, and much more.
What are the most common types of cyberattacks?
According to a recent survey, the most popular types of cyberattacks that businesses experience are:
- Web-based attack (49%)
- Phishing (43%)
- General malware (35%)
Web-based attacks refer to threats you may find when browsing the internet. These malicious software programs will often target users who don’t have security products installed on their computers. In other cases, these programs are designed to target popular applications or operating systems; they reel you in by telling you your computer doesn’t have the latest update, for instance. Some of the most popular applications for these threats, according to security product brand Kaspersky, include Adobe Reader, Java, Windows and Internet Explorer. Whether your business uses these programs or not, you and your employees need to surf the web with extreme caution and never agree to download any updates that are not recommended by the program itself.
Phishing refers to attempts to trick users into clicking on links and/or giving confidential or personal information that can then be used to defraud that individual or business. Phishing emails, for instance, may look like they’re from a sender you trust (like your bank, a social networking platform or a retailer). If you respond to that email or click on the link provided and then give up your username, password, bank account information, credit card number or other data, you may not even realize you’re being scammed until it’s too late. With this information, a hacker can quickly take over your identity and steal from you or your business.
In many cases, phishing and malware can overlap. Ransomware attacks usually involve an email that contains a link or file that appears innocuous but actually contains dangerous malware. Once a user opens the attachment or clicks on the link, his or her computer immediately becomes infected. These malware programs encrypt the computer, which locks the user out of everything on the device (like files, folders and drives). Sometimes, the entire network can become infected. Then, the user will receive a message that promises to unlock the system in exchange for payment (usually requested in Bitcoin, a type of digital currency) — hence its name.
Ransomware is now an extremely prevalent phishing scheme. According to a report conducted by PhishMe, 93 percent of phishing emails sent last year contained ransomware. And considering that there were 6.3 million phishing emails sent just in the first quarter of 2016, that’s a lot of threats to be worried about. The reason for ransomware’s increasing popularity, according to experts, is the fact that it’s become much easier to send and offers a higher return on investment for cybercriminals. With other types of attacks, it can take a while for criminals to get the money they’re after; credit card and identity fraud both require more of a time commitment. But individuals and companies are more likely to immediately fork over payments so that they can get their system back. It may sometimes even seem to make financial sense to do so, since these ransoms rarely translate to more than $1,000. However, most experts recommend that you should not pay the ransom since there’s no guarantee your files will be returned. In addition, sending payment to cybercriminals only encourages this behavior in the future.
How to identify a phishing email
You might assume that phishing emails are obvious to spot, but they’re getting more sophisticated by the day. In many cases, attackers can nearly replicate a business’ logo and letterhead, making it almost impossible to distinguish these fake emails from the real thing. But there are some telltale signs you can watch out for:
- Look at the “From” address very carefully. Many attackers will switch around a couple of letters so that the address looks legit at first glance. Compare this address with any known emails you have from the actual sender. If it varies in any way, beware.
- Hover your mouse over the link provided to see the actual URL. Like fake email addresses, fake web addresses may contain very subtle differences (like a single letter being out of place).
- Check the email text carefully, especially for proper spelling and grammar. Legitimate emails sent from well-known companies will usually not contain many spelling or grammatical errors.
- Keep in mind that no legitimate company will send you an email asking for your personal or account information. A general sense of urgency (like warning that your account will expire if you fail to give information) is something that should immediately raise suspicion.
- Be cautious of ANY email you receive — even if it’s from someone in your contacts. This is especially true of emails that contain links and attachments.
Are small businesses really that vulnerable?
In a word: absolutely. The 2016 State of SMB Cybersecurity Report found that hackers had breached half of all small businesses in the U.S. within a 12 month period. But shockingly, a survey recently published by Manta shows that 87 percent of small businesses don’t think they’re vulnerable to a cyberattack. Further, one in three small businesses doesn’t even have the proper tools (like antivirus software, firewalls, data encryption programs or spam filters) to protect themselves.
Unfortunately, this mistake comes with a colossal cost. According to CNBC, some attacks can derail a small business’ revenue-generating activities for up to a week, but a the long-term impact on a small business’ operations can be much worse. The U.S’ National Cyber Security Alliance found that 60 percent of small businesses that are the victim of a cyberattack go out of business within six months. That’s no surprise, considering companies that experienced these attacks spend an average of $879,582 due to damage or theft. They also lose an additional $955,429 on average due to disruption of normal business operations.
How can I protect my business from cyberattacks?
Other than investing in the best protective software available, one of the best ways to protect your business is to educate your employees. Around 75 percent of organizations consider employee negligence to be the greatest data breach threat, and 80 percent say “end user carelessness” is the main threat to cybersecurity. And although 70 percent of IT professionals claim cybersecurity policies are made perfectly clear to new hires, only 28 percent of U.S. employees report ever receiving briefings on the matter.
Here are a few suggestions if your small business is looking to beef up its cybersecurity:
- Train your employees on general best practices for maintaining cybersecurity, as well as company-specific policies and practices.
- Create a formal yet easy-to-understand training program that walks employees through digital security methods and provides ongoing education across all employee levels.Clearly explain data security classifications (public, internal, confidential secret) and their risks.
- Teach them how to recognize phishing emails and the dangers of clicking on links, attachments and sites they don’t recognize.
- Tell them to be wary of any unfamiliar individuals in the physical office, especially if they are close to cubicles/desks.
- Let them know they should never be afraid to report a breach or suspected breach and help them recognize when a breach has occurred.
- Keep all devices (computers, iPads, storage devices, smartphones, etc.) clean of and protected from malware and viruses.
- Remember to protect your network by allowing only certain devices/users to access it. This includes your WiFi network. Ensure that your business network is encrypted, and do not allow unauthorized users to connect to it. If you need to provide WiFi access to customers or guests, consider setting up a private guest network that is secured to not allow local network access. You may also want to restrict employees from connecting personal devices to the corporate network and either allowing them to connect to the guest network or setting up another separate network for them to use.
- Instruct employees to report lost/stolen devices that are connected to your business’ corporate network immediately to limit the amount of time potential hackers have to break into your company’s system(s).
- Change passwords often and make sure passwords conform to requirements for length and composition.
- Use a program (like LastPass) that forces all employees to change their passwords every month or even more frequently.
- Do not use the same password across devices/networks.
- Restrict data access.
- Compartmentalize/classify information and make sure only those who need data access are able to have it.
- Get rid of old data and information on a periodic basis.
How do I know if a breach has occurred?
Despite your best efforts, mistakes can happen. Wondering whether your system or network has been compromised? Look for the following unusual activities as a baseline:
- Standard programs/files won’t open or work
- Files or programs disappear (when you haven’t deleted them) or appear (when you haven’t downloaded them)
- File contents have changed without your involvement
- Inability to access programs/sites with your password
- Passwords have been changed on your device without your knowledge
- Computer accesses internet frequently when you aren’t using it
- Internet searches are being redirected or extra browser screens/toolbars appear
- Printer won’t work or will print different pages than you directed it to
- Random and frequent pop-up messages
- Virus protection and/or anti-malware software doesn’t work
- Inability to access/obtain a domain you’ve purchased
- Fake virus alert messages (if you don’t have a certain type of software or these messages don’t look like they’re from the program you use)
- Contacts report they’ve gotten fake emails from your address
What should I do in the event of an attack?
Of course, prevention is the best strategy of all, so be sure to make your cybersecurity a top priority. But if a cyberattack does occur …
- Find out what happened and what information was compromised and/or stolen.
- Communicate clearly with your employees, customers, partners and press outlets (as applicable).
- Repair and restore the breached systems.
- Report any crimes committed to the appropriate officials and obtain incident report information from authorities.
Unfortunately, cybercrimes like these have become part of life. While you may think your small business isn’t an appealing target to hackers, you’ll be doing your company a huge disservice if you fail to protect it adequately. Don’t operate under the assumption that you’ll never be hacked, because statistics show that it’s actually a very likely scenario. Therefore, you need to do everything you can to make cybersecurity a priority. Invest in protective software and professional IT help, provide ongoing education for your employees and stay up-to-date on all of the latest threats. This will give your small business the best chance of surviving in the digital age.
The Link Between HR Outsourcing and Cybersecurity
How can outsourcing HR help protect small businesses against cyberattacks?
As a leading provider of outsourced HR solutions for more than 20 years, G&A Partners helps companies of all sizes streamline their operations by providing them with access to best-in-class HR policies and procedures.