Cybersecurity and threat Intelligence expert says businesses can protect data simply and affordably
By T.J. Minichillo.
As the pandemic reshapes where and how we work, small and mid-sized businesses (SMBs) through enterprise-level face incredibly tough decisions around business continuity and staying afloat financially. Cyber attacks may seem like a distant worry, but studies show that bad actors are taking even greater advantage of coronavirus anxiety by intensifying the volume and sophistication of COVID-themed phishing, malware and scams on SMBs and their employees.
Cyber attacks at major corporations usually attract most of the news headlines, yet 28% of breach victims are small businesses, according to Verizon’s 2020 Data Breach Investigations report. Criminals are primarily after individual credentials and personal data via attacks on a user’s own device.
With remote work a business reality, the so-called attack surface — downloadable malware, well-disguised phishing scams, ransomware assaults and distributed denial-of- service attacks by cyber criminals – has rapidly expanded to messaging apps on insecure mobile devices and to sophisticated email spear-phishing expeditions targeting newly remote workers unaware of basic security measures.
Safeguarding confidential or personally identifiable information is extraordinarily difficult for any business, even during the best of times. Hackers gravitate to attack pathways that offer the quickest entry and the greatest financial payoff. But because most SMBs don’t have dedicated tech teams to deter hackers, the odds of a successful breach are in the attacker’s favor – especially now, as greater numbers of employees work remotely over longer periods of time.
IBM’s latest X-Force Threat Intelligence Index found that 31% of cyber attacks relied on phishing in 2019, while ransomware attacks were up 67% and operational technology attacks surged 2,000% year-over-year.
In the latest Cost of a Data Breach Report, IBM and the Ponemon Institute found that data breaches cost U.S. companies an average of $3.86 million and 280 days to identify and contain a breach.
The fallout from a data breach equates not only to lost company sales and revenue but damage to its reputation and even loss of critical intellectual property, such as confidential software code and product designs.
More than half of small and mid-size businesses surveyed by Intermedia believe remote work is here to stay, even after the pandemic is over. Zoom, Microsoft Teams and similar teleworking technologies have equipped SMBs with free or low-cost access to virtual meetings and digital collaboration with their remote workforce.
On the plus side, many SMBs are seeing company overhead costs go down while employee satisfaction with their jobs and work-life balance is up. On the downside, threat actors are gaining attack momentum as employees and suppliers unwittingly create multiple entry points for hackers to exploit. Cyber criminals never sleep. Nor should an SMB’s defenses against hackers. Here are five tips for staying ahead of the bad guys.
1. Replace old technologies. SMBs who try to keep legacy IT systems safe from cyber attacks while giving remote workers access to their internal servers via a virtual private network (VPN) need to be extra vigilant, according to the Department of Homeland Security. Earlier this year, an alert from the Department’s Cybersecurity and Infrastructure Security Agency cautioned all organizations using a VPN for connecting teleworkers to their networks of certain vulnerabilities that could allow hackers to take over control of those systems. VPNS are intended to providea secure, remote “tunnel” from one part of the organization’s network so employees can easily access and share data electronically. Yet, more VPN vulnerabilities are being found and targeted by malicious cyber actors 24/7.
2. Adopt affordable, new technologies that protect data anywhere. Information is the lifeblood of every business, flowing in and out of a company like a river. Securing that data is often the CFO’s responsibility at a small business, who may or may not be familiar with the most cost-effective or best technologies for protecting data. Outsource your IT to vendors who know how to infuse multi-layered, embedded security protections into actual data files, wherever they’re sent. Virtually any type of data can now be un-stealable easily and affordably (e.g., email, Word document, text file, spreadsheet, Adobe pdf, media file, etc.). Any SMB that owns the data can grant or refuse user access for particular individuals or groups by geographic location. The owner can also set embargo time windows for user access, starting or ending on a specific day and time. Because the owner can also change or revoke permission parameters on the fly from his or her computer or smart device at any time in the future, the data stays under its owner’s control, regardless of where the data is located or who has it. Should an unauthorized user try to gain access or steal data without appropriate permissions, the data would self-protect, much like a “Mission Impossible” message.
3. Use multifactor authentication. Don’t open the front door to cyber hackers by using the same or a common password (e.g., “guest” or “123”) for every online account. If a hacker cracks just that one password, it can cause a domino effect that opens the breach floodgates. Multifactor authentication, or two-factor authentication, is a widely used security practice among banks and financial services companies. Chances are you’ve already been asked by your bank for two pieces of credentials before logging you into your company account online. Those credentials are usually something or somewhere you know (e.g., name of your best friend, street where you lived as a child) or another form of identification, such as a unique code sent to your mobile phone. It’s smart to adopt a similar authentication procedure for your own business.
4. Only use software, apps and technologies from trusted sources. The FBI advises SMBs to be extremely cautious about installing new software or using cloud-based applications with which to equip their remote workers – from video conferencing software to voice over Internet Protocol (VOIP) conference call systems. Malicious cyber actors are increasingly placing SMBs and their employees at risk by compromising technologies that allow remote desktop sharing as well as access to organizational applications, resources and shared files. Hackers also tempt employees with free offers for legitimate-looking software from telework vendors that instead give criminals access to sensitive company data or allow them to eavesdrop on business conversations. Cyber actors are also using phishing links or malicious mobile applications that appear to come from legitimate software vendors.
5. Train employees and supply chain vendors in security basics. People are often the weakest link in a company’s line of cyber defense. Human error is to blame for 95% of all security breaches, according to IBM’s Cyber Security Intelligent Index. Criminals prey on human weakness, especially during COVID-19, to lure employees into giving up sensitive business information. At the same time, make sure supply chain vendors have deep security capabilities and a like-minded business focus. An annual risk report from supply chain company Resilience360 found that nearly 300 cybersecurity incidents impacted supply chain entities last year, with the most common attack due to ransomware.
Follow these security practices with employees and supply chain vendors alike:
- If your small business or supply chain vendor accepts credit card transactions, restrict all IP addresses that originate from countries where you don’t ship products or provide services. Some e-commerce and payment processing platforms allow merchants to easily block specific IP addresses. SMB merchants can also restrict the number of times a purchaser can incorrectly enter credit card numbers when ordering online as well as restrict them from ordering if they exceed a certain number of attempted transactions.
- Never open email attachments or click on pop-up windows and links from senders you don’t recognize. Fraudsters use email links to deliver malware to steal personal information or to lock your computer and demand ransomware payment. Some email addresses can be dead giveaways that they’re fraudulent, but others often seem genuine. If in doubt, hover over – but do not click on – any link in the body of the email to determine whether the sender is really who he or she claims to be.
- Be wary of websites and apps claiming to track COVID-19 cases worldwide. Criminals are using malicious websites to infect and lock devices until their ransomware demands for payment are met.
- Always verify websites that appear to be legitimate by manually typing their web address into your browser. To find out the website’s owner, conduct a WHO-IS.net or IP-Lookup.net search.
- Set privacy and security settings in software employees regularly use, such as Microsoft Outlook. Turn on all automated Windows updates to patch security vulnerabilities.
- Don’t use defaults for system passwords. Instead, use strong random password generators that are difficult to crack or guess.
- Establish protocols for employee use of social media on company computers and smartphones, since cyber criminals regularly troll these networks to create a collective picture of their victims before they strike. Have employees use mobile apps, such as Lookout, to detect and eliminate malware on their personal devices.
If you believe you, your employees or company are victims of an Internet scam or cyber crime, or if you want to report suspicious cyber activity, contact the FBI’s Internet Crime Complaint Center at www.ic3.gov.
For more information and tips on securing data, visit www.keyavidata.com/blog.
T.J. Minichillo is VP of Cyber Threat & Intelligence at Keyavi Data Corp. He is a nationally renowned cybersecurity and intelligence leader, helping to detect and thwart many of the world’s significant cyber threats. He has held strategic intelligence roles in financial services, the military and energy, including global head of threat intelligence at both National Grid and Morgan Stanley, deputy director at Citigroup’s Cyber Intelligence Center, chief cyber intelligence officer at Merrill Lynch, and senior intelligence special agent at the Department of Defense. Follow him on Twitter and LinkedIn.