For years, small businesses were an unlikely target for sophisticated cyber attacks. Anonymity and smallness, it was thought, would provide a level of security in and of itself. Not so anymore. In fact, the majority of all cyberattacks happen to small and medium businesses. The reality is that most small and medium businesses (SMB) are attractive targets because they tend to be less secure and automation allows modern criminals to mass produce attacks very cheaply.
Why Prey On Small Businesses?
Well. . .in part because SMBs are much more interconnected. Instead of a simple e-mail account and website, they have much more complex networks that involve on-premise, mobile, & cloud connections with customers and partners. And the data generated by all that is what’s attractive to criminals. Because larger enterprises themselves have become better defended, attackers are looking for a way in any way they can. SMBs are often viewed as a point of entry into the larger enterprises they partner with. They’re more a means to a larger end than being the ultimate target themselves. Indeed, when Target had their massive security breach in late 2013, hackers gained entry to Target’s network using login credentials stolen from Target’s HVAC vendor. So, while you may not think your agency’s data is all that enticing, if it can in any way help an attacker gain access to a larger organization you partner with then it’s pure gold - and must be protected as such. To think otherwise is to invite a great degree of financial and reputational risk.
Attacks against small businesses are on the rise because, quite frankly, they’re easier targets. Larger enterprises are better defended than ever. And while they’re a bigger potential payoff, the amount of skill required has risen dramatically. As a result, crooks are moving downstream to the low-hanging fruit - small and medium businesses. Unlike larger enterprises, small businesses generally don’t allocate the time, budget, training, or expertise toward security. When we first engage a client, we’re used to seeing cheap consumer-grade networking equipment like you’d find at Best Buy - which provides virtually no protection at all.
They Also Want Your Money
Small business owners open their business checking accounts with the mistaken belief that it is covered by the same fraud protections that apply to their personal checking accounts. WRONG! Federal regulations that protect financial accounts from fraud cover only personal accounts - not business accounts. So if a cybercrook manages to gain access to your account, you’re almost guaranteed to be out of luck in getting the bank to give your money back. The internet is littered with stories of small businesses that have been wiped out because their business checking account was compromised and the bank refused to cover the loss. For the most part, the only way the bank will cover the loss is if you can show that they didn’t provide commercially reasonable security or if they should have reasonably been able to spot the fraudulent activity. Yeah, good luck with that.
So What's A Small Business To Do?
We always advise clients that with the right combination of time, talent, and motivation, a hacker can breach any system. So we want to implement systems and processes that adjust those variables in your favor. The idea is to make yourself expensive to attack, so crooks will move on and target someone else. Here are some basics that will help minimize your company's risk and exposure. . .
• Keep Things Updated And Patched
Out-of-date software is a major attack vector for crooks. So keeping your network gear and your Macs updated and patched is very important. Did you know that Apple generally puts out security updates only for the current version of macOS and the one prior? Implement systems and processes to keep things updated - and to monitor that it's been done.
• The Password Paradox
For years, we've had it drilled into us that our passwords need to be long and complex with so many of this type of character and so many of that other type. Oh, and we need to change them what seems like every week. But. . .study after study has shown us that the password policies in place at most companies actually make things LESS secure. To see why this is so requires a look at human nature. When someone is forced to create a password that's long and complex, it tends to be hard to remember. Couple that with being required to change it every 90 days or so - and multiply by the number of passwords someone has to remember - is it any wonder why people are inclined to make their passwords as easy as possible and/or leave them on sticky notes on their monitor or under their keyboard? You know who you are. Real password security works with human nature, not against it. Our recommendations are two-fold. 1) Make passwords of at least 8 characters that incorporate three or four memorable words. For example, "probableaffordairplane1" is 23 characters, but is very easy to remember. And 2) Use a password manager. 1Password is our favorite. It's a subscription that remembers your passwords and other information and makes them available across all your devices with the 1Password app.
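To show why a few random words beat a short "complex" password, here is an added example (not from the original post, and not 1Password's code) that picks words with a cryptographic random source and computes the guessing entropy of each approach. The 16-word list is constructed for illustration; the 7776 figure assumes a standard diceware-size list, and 94 is the printable ASCII pool.

```python
import math
import secrets

# Constructed sample wordlist (a real generator would use a large list such as
# a 7776-word diceware list; this short list only keeps the example runnable).
WORDLIST = ["probable", "afford", "airplane", "copper", "lantern", "meadow",
            "orbit", "pencil", "river", "saddle", "timber", "velvet",
            "walnut", "yellow", "zebra", "harbor"]


def passphrase(words=WORDLIST, count=4, sep=""):
    """Join `count` words chosen uniformly at random with a CSPRNG.

    secrets.choice is used instead of random.choice so the output is not
    predictable from the generator's seed.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices, length):
    """Guessing entropy of `length` independent picks from `choices` options."""
    return length * math.log2(choices)


def compare(wordlist_size=7776, word_count=4, char_pool=94, char_len=8):
    """Entropy of an N-word passphrase vs an 8-character random 'complex' password.

    Both land around 52 bits, but only one of them is memorable, and a
    human-chosen 8-character password is far weaker than a random one.
    """
    return {
        "passphrase_bits": round(entropy_bits(wordlist_size, word_count), 1),
        "complex8_bits": round(entropy_bits(char_pool, char_len), 1),
    }


if __name__ == "__main__":
    print(passphrase(count=3, sep="-"))
    print(compare())
```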
• Develop A Skeptical Eye To Avoid Going Phishing
Our guidance is to treat every message as if it could be used to get personal information like passwords from you. Crooks are getting really good at crafting messages that look like they came from Google or Microsoft or your bank, etc. Please don't just blindly click on anything. If you move the cursor over links in the message and hover for a second or two, a bubble will come up and show you the true destination of the link. When in doubt, don't click! For vendors and services you work with, you'll never be wrong by bypassing the links in the message and just logging into your account directly.
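The hover check above can also be automated: this added example (not code from the original post) parses an HTML email body and flags links whose visible text names one domain while the href points somewhere else. The sample message is constructed; `login-verify.example.net` is a placeholder domain, not a real indicator.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible link text that looks like a URL or bare domain, e.g. "google.com".
DOMAINISH = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lowercased host of a URL or bare domain, without a leading 'www.'."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").removeprefix("www.")


def suspicious_links(html):
    """Return (text, href) pairs where the shown domain differs from the real one.

    A real host that is a subdomain of the shown one (mail.google.com shown
    as google.com) is accepted; anything else is flagged for a human to check.
    """
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not DOMAINISH.match(text):
            continue  # plain words like "Google" cannot mislead by domain
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real and not real.endswith("." + shown):
            flagged.append((text, href))
    return flagged


# Constructed sample email body for the demo; not a real phishing message.
SAMPLE = """<p>Your account needs verification.</p>
<a href="http://login-verify.example.net/x">https://accounts.google.com</a>
<a href="https://www.google.com/">Google</a>
<a href="https://mail.google.com/">google.com</a>"""
```

Running `suspicious_links(SAMPLE)` flags only the first link, which displays a Google address but leads to the placeholder domain.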
• Don't Give Away The Farm
Be conscious of the information you give away. When you see all of the Facebook surveys and "Which Harry Potter Character Are You" questionnaires, understand that many of them are solely to gather information about you via social engineering. Crooks will come up with all kinds of ways to try to get you to give them the information they need. They may not get your password, but if they get enough information to be able to answer your security questions then they still get access to your account(s). Also. . .assume that anything you send in the body of an email - or in an attached document that can be indexed - can be read while en route to its destination. So sending passwords, SSNs, or credit card information in the body of a message or in a PDF attachment is a really bad idea.
• Ongoing Training & Practice
Educating staff on the threats and risks is key. We know. . .everyone dreads security training, because it's been stale and dry. But it doesn't have to be. Modern security training is all online and self-paced. What's more, it works. Studies have shown that security awareness training drops phishing click-through rates by an average of 64%. And results double when training is paired with phishing simulations!
If you're ready to look at your security posture and potential risks and exposures, give us a call at 614-218-8798.