Cybercrime is an ever-growing risk that threatens both individuals and businesses around the world.
Earlier this year we consulted a panel of cybersecurity experts about the biggest cyber threats small businesses face in 2017, and they cited ransomware as one of the top three. The extent of organisations’ vulnerability was highlighted again by the recent attack on our National Health Service, which disrupted the care of millions of people needing emergency treatment or waiting for scheduled operations and appointments.
This international attack took hold so fiercely that it infected computers in over 150 countries, affecting organisations both large and small. Cybersecurity firm F-Secure, based in Helsinki, has labelled this large-scale attack ‘the biggest ransomware outbreak in history’. [1]
Whilst well-known organisations such as the NHS and FedEx have been the focal point of media attention, little is known about the small businesses that would have been caught up in the crossfire and suffered as a result of the ransomware ‘WannaCry’.
Since the global outbreak of WannaCry, organisations have become more alert to the risk of ransomware. However, cybercriminals are continuously developing new techniques to exploit businesses. This week a new form of ransomware, ‘Petya’, has hit the Ukrainian central bank and the Russian oil giant Rosneft, among others, although experts have speculated that it is likely to spread much more slowly than last month’s attack.
Though smaller businesses may not dominate the headlines as the target of such attacks, they are probably among the most vulnerable, as Rob Hadfield, Technical and Training Director of Get Safe Online, explains: “The problem is that small business owners may not have spare capacity in terms of people to take on board training and online monitoring and they don’t always have the money to spend on the IT solutions and training.”
But why would cybercriminals target smaller businesses when they could go after larger organisations with a view to higher gains? Rob Hadfield explains: “Most big companies have got sufficient security in place, typically a team of 20 plus people looking after online security alone.”
Rob elaborates further on the reasons that small businesses can be seen as easy targets: “Even a very small business could have many thousands of pounds in their business accounts…and often have lots of transactions in and out of their bank accounts, so for example if a large sum was to go missing…they may not necessarily notice this straight away”.
So how can business owners protect themselves from the ever-growing threat of cybercrime? How are cybercriminals successfully deceiving business owners and unwitting employees to gain access to their hard-earned cash?
Having examined the main threats to businesses at the beginning of the year, we explore other popular techniques online criminals are using to gain access to systems worldwide.
Phishing/Spear Phishing
What is it?
Phishing and spear phishing refer to emails sent by cybercriminals that are disguised as though they come from a known sender, such as a colleague or a company you deal with. Spear phishing is the targeted form, tailored to a specific person or business using details gathered about them. Typically the email asks the recipient to visit a link, which leads to a dummy site that requests login details or even card details. In many cases all it takes is a click on the link to give the attacker the access or information needed to break into a particular account or network.
A report published by Wombat Security, 2016 State of the Phish, highlights the increase in the number of firms falling victim to phishing emails, stating that the sophistication and personalisation of these emails has also intensified. [2]
How to help prevent it
– Be wary of unexpected emails: Personalised emails are the most common form of phishing attack on small businesses. If you receive an email with links or attachments that you weren’t expecting, check with the apparent sender through a channel you already trust (a phone number you have on file, not the contact details in the email) before opening any attachment or clicking any link.
– Don’t enter or send personal details: Never enter personal details into pop-up screens, and avoid sending personal information by email; you never know who may have access to an inbox along the way.
– Hover over the sender’s name to reveal the actual address: The displayed name and the address behind it are separate, and hovering shows the latter. This is not a bullet-proof check, since the From address itself can be forged, but it does catch look-alike domains and free webmail addresses claiming to be a company. If the email appears to come from someone you know, the address should tally with the one you already have for them, and a Reply-To address that differs from the sender is a warning sign.
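The sender and link checks above can be automated for an incoming message. The script below is an added example, not code from the original article or from Get Safe Online: it parses a constructed sample email, compares the sending domain against an assumed allow-list of domains the business corresponds with, folds common look-alike character substitutions (1 for l, 0 for o, rn for m), checks whether Reply-To points somewhere else, and flags links whose visible text names a different site from the one the link actually opens. The allow-list, sample messages and finding codes are all assumptions for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the business genuinely corresponds with (assumed allow-list; a real
# deployment would build this from the address book or mail archive).
KNOWN_DOMAINS = {"example.co.uk", "bank.example.com"}

# Constructed sample message, not a real email: the display name looks like a
# colleague, the sending domain is a look-alike, Reply-To points elsewhere and
# the link text shows a different site from the one the link actually opens.
SAMPLE_PHISH = """From: "Jane Smith (Accounts)" <jane.smith@examp1e.co.uk>
Reply-To: payments@mail-relay.example.net
To: owner@example.co.uk
Subject: Urgent: invoice payment
Content-Type: text/html; charset=utf-8

<html><body><p>Please review the invoice at
<a href="http://login.examp1e.co.uk/portal">https://bank.example.com/login</a>
before 5pm today.</p></body></html>
"""

# Constructed benign message for comparison.
SAMPLE_GENUINE = """From: Jane Smith <jane.smith@example.co.uk>
To: owner@example.co.uk
Subject: Lunch on Friday?

Shall we do the usual place at 1pm?
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")


def domain_of(address):
    """Lower-cased domain part of an email address ('' if there is none)."""
    return address.rpartition("@")[2].lower()


def normalise(domain):
    """Fold common look-alike substitutions so 'examp1e.co.uk' compares equal
    to 'example.co.uk'. Deliberately crude: it accepts some false positives
    in exchange for catching the cheap tricks phishers actually use."""
    table = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})
    return domain.lower().translate(table).replace("rn", "m")


def is_known(host):
    """True if host is a known domain or a sub-domain of one."""
    return any(host == k or host.endswith("." + k) for k in KNOWN_DOMAINS)


def analyse_message(raw):
    """Return a list of finding codes for a raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(parseaddr(msg.get("From", ""))[1])
    if not is_known(from_domain):
        if any(normalise(from_domain) == normalise(k) for k in KNOWN_DOMAINS):
            findings.append("lookalike-sender-domain")
        else:
            findings.append("unknown-sender-domain")

    # Replies going to a different domain than the sender is a classic tell.
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(parseaddr(reply_to)[1]) != from_domain:
        findings.append("reply-to-mismatch")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    for href, inner in LINK_RE.findall(body):
        shown = TAG_RE.sub("", inner).strip()
        target_host = (urlparse(href).hostname or "").lower()
        # Visible text that is itself a URL must name the same host as href.
        if shown.lower().startswith(("http://", "https://")):
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host != target_host:
                findings.append("link-text-mismatch")
        if target_host and not is_known(target_host):
            findings.append("link-to-unknown-domain")
    return findings


if __name__ == "__main__":
    print("phish:  ", analyse_message(SAMPLE_PHISH))
    print("genuine:", analyse_message(SAMPLE_GENUINE))
```

The checks only look at what the message claims about itself; a forged From header on a domain you do trust passes them, which is why the advice to verify out of band still applies. Mail-server-side checks such as SPF and DKIM, which the article does not cover, are the usual way to catch that case.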
Rob Hadfield shares his expertise on the matter: “Stopping people clicking on links is a challenge and managing people’s behaviours is the hardest part of prevention. This is where criminals are starting to realise that they can exploit small businesses”.
Malware
What is it?
Malware (or malicious software) is an umbrella term for a variety of cyber threats, including viruses and Trojans, designed to gain access to or damage a computer or network, often costing tens of thousands of pounds to put right. Malware is usually introduced to your system via an email attachment, a software download or an unpatched operating system vulnerability.
The independent IT-security institute AV-TEST registers over 390,000 new malicious programs every day. [3]
How to help prevent it
– Delete suspicious emails: Do not open unexpected emails or their attachments. They may contain fraudulent requests for information or carry malware.
– Install software updates as soon as they appear: Keep the operating system and applications on all of your devices up to date, not just the security software. Updates close the vulnerabilities that malware exploits; WannaCry spread through a Windows flaw for which Microsoft had already released a patch. Security software also needs its updates, since they keep it in line with current threats, so apply updates as soon as you are prompted to and make sure your network is secured.
– Regularly run security scans to identify potential threats: As well as keeping your software up to date, scan all drives on your PC or laptop regularly so that threats are identified at the earliest possible stage.
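The simplest kind of scan is the one security products have always done underneath their heuristics: hash every file and compare against a list of known-bad hashes, and flag files whose names are built to fool people (an executable dressed up as a document, such as invoice.pdf.exe). The script below is an added example, not code from the original article or from any vendor: the indicator list, the "known bad" content and the directory it scans are all constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious payload (harmless text). Its SHA-256
# plays the role of an indicator from a vendor or threat-intelligence feed.
KNOWN_BAD_CONTENT = b"constructed stand-in for a malicious payload, not real malware\n"
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_BAD_CONTENT).hexdigest()}

# Extensions Windows executes directly; a "document" ending in one of these is
# the classic malicious attachment.
EXECUTABLE_EXTS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1", ".jar", ".hta"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg"}


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large drives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def name_findings(name):
    """Flag executables, and executables disguised as documents."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    findings = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        if len(suffixes) > 1 and suffixes[-2] in DOCUMENT_EXTS:
            findings.append("double-extension")
        else:
            findings.append("executable")
    return findings


def scan_directory(root):
    """Walk root; return {relative_path: sorted findings} for flagged files."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            findings = name_findings(name)
            if sha256_of(full) in KNOWN_BAD_HASHES:
                findings.append("known-bad-hash")
            if findings:
                results[os.path.relpath(full, root)] = sorted(findings)
    return results


def demo():
    """Create a constructed directory tree in a temp folder and scan it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "report.pdf": b"%PDF-1.4 constructed harmless document\n",
            "notes.txt": b"meeting notes\n",
            "invoice.pdf.exe": b"MZ constructed harmless bytes\n",
            "update.scr": KNOWN_BAD_CONTENT,
        }
        for name, content in files.items():
            Path(root, name).write_bytes(content)
        return scan_directory(root)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(f"{path}: {', '.join(findings)}")
```

Hash matching only catches samples that have already been seen, and a single byte changed in the file defeats it, which is why the article's advice is to run a maintained security product rather than a home-made list. The name check is more durable: a file with two extensions, the last of which is executable, is almost never legitimate in a small business's inbox.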
Password Attacks
What is it?
A password attack is a third party trying to gain access to your systems by guessing or cracking your password. Attackers use their own software to do the guessing, and it works in several ways: dictionary attacks try lists of common words and previously leaked passwords, with the usual variations such as added digits and substituted characters, while brute-force attacks try every possible combination of characters up to a given length. Passwords leaked from other sites’ breaches are also tried against your accounts, which is why reusing a password is dangerous.
How to help prevent it
– Strong passwords: Long, unique passwords are the first line of defence against a password attack. Length matters more than complexity against brute force, and a predictable word with a symbol and a digit bolted on is still found by a dictionary attack. Using a different password for each account limits the damage when one of them is leaked.
– Keep your password a secret: It goes without saying that passwords should be kept secret. Never write down a password or send it via email as this can be intercepted. It is also worth remembering that not all cyber security issues will come from outside of your organisation – you must be internally vigilant as well.
SailPoint’s Market Pulse Report found that one third of employees surveyed have shared their password details with colleagues [4].
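To make the difference between brute force and a dictionary attack concrete, the following added example (not code from the original article) estimates, for a given password, the size of the alphabet and length an exhaustive search must cover, how long that would take at an assumed guessing rate, and whether the password would fall to a word-list attack with the usual mangling rules (undo leet substitutions, strip trailing digits and symbols, look up the stem). The guessing rate and the tiny word list are assumptions; real cracking lists hold millions of entries.

```python
import math
import re
import string

# Assumed offline guessing rate against a fast, unsalted hash on commodity
# GPU hardware; real figures vary by orders of magnitude with the hash used.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a cracking word list.
WORDLIST = {"password", "letmein", "welcome", "qwerty", "admin", "monkey",
            "dragon", "football", "london", "summer", "company", "iloveyou"}

# Substitutions cracking rules undo before looking a word up.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "7": "t"})
SYMBOLS = string.punctuation + " "


def charset_size(password):
    """Alphabet size implied by the character classes present in password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_keyspace(password):
    """Candidates an exhaustive search of that alphabet and length covers."""
    return charset_size(password) ** len(password)


def years_to_exhaust(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole keyspace at the assumed rate."""
    return brute_force_keyspace(password) / rate / SECONDS_PER_YEAR


def dictionary_guessable(password):
    """Would a word-list attack with common mangling rules find it?"""
    stem = re.sub(r"[\d\W_]+$", "", password.lower())  # drop trailing '123!'
    stem = stem.translate(LEET)                          # P@ssw0rd -> password
    return stem in WORDLIST


def assess(password):
    years = years_to_exhaust(password)
    if dictionary_guessable(password):
        verdict = "weak: word-list attack"
    elif years < 1:
        verdict = "weak: brute force"
    else:
        verdict = "ok"
    return {
        "length": len(password),
        "charset": charset_size(password),
        "bits": round(math.log2(brute_force_keyspace(password)), 1),
        "brute_force_years": years,
        "dictionary_guessable": dictionary_guessable(password),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Xk9#q", "tractor-violet-harbour-lamp"):
        print(pw, assess(pw))
```

The instructive case is P@ssw0rd1: on paper it has a 95-character alphabet and nine positions, about two years of brute force at the assumed rate, yet a word-list attack finds it almost immediately. The lowercase four-word passphrase has no "complexity" at all and is far beyond either method.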
Distributed Denial of Service (DDoS) Attacks
What is it?
DDoS (Distributed Denial of Service) attacks aim to disrupt a service, whether a computer, a network or a website. Attackers send high volumes of traffic to overload the system until it crashes or can no longer respond at a usable speed. The traffic usually comes from a large number of compromised computers (a botnet), which produces far more load than a single machine could and makes the source harder to trace.
An attack is sometimes accompanied by a demand for payment to stop it, and sometimes used as a distraction while the attackers extract or copy data from another part of your network, such as customer, payment or employee payroll records.
How to help prevent it
– Monitor your site traffic: Make sure that you or your hosting provider regularly monitor traffic to your site, so that unusual activity or a sudden jump in request volume is noticed quickly.
– Have a recovery plan for your website: Consider an external provider or a backup system that can host your website if it is blocked or goes down. This keeps downtime to a minimum and lets you continue to trade and appear online while the problem is fixed. The recovery plan should be part of your business continuity plan.
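Traffic monitoring at its most basic is counting requests per source and per time window in the web server log. The script below is an added example, not code from the original article: it parses lines in the Apache/nginx "combined" format, buckets them into one-minute windows, reports any source that exceeded an assumed per-minute threshold, and gives the peak total per window, which is the figure that matters when an attack is spread over many addresses. The log lines are constructed for the example, as is the threshold.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" format, e.g.
# 198.51.100.10 - - [10/Jun/2017:09:15:01 +0000] "GET / HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def constructed_log():
    """Constructed sample lines, not a real capture: three ordinary visitors
    plus one source firing 300 requests inside ten seconds."""
    tmpl = '{ip} - - [10/Jun/2017:09:15:{sec:02d} +0000] "GET {path} HTTP/1.1" 200 512'
    lines = []
    for i, ip in enumerate(("198.51.100.10", "198.51.100.11", "192.0.2.25")):
        for sec in (1 + i, 20 + i, 45 + i):
            lines.append(tmpl.format(ip=ip, sec=sec, path="/"))
    for n in range(300):
        lines.append(tmpl.format(ip="203.0.113.9", sec=n % 10, path=f"/search?q={n}"))
    return lines


def parse(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return {"ip": m.group("ip"), "epoch": int(ts.timestamp()),
            "request": m.group("req"), "status": int(m.group("status"))}


def requests_per_window(lines, window_s=60):
    """Counter keyed by (window_start_epoch, ip)."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            window = rec["epoch"] - rec["epoch"] % window_s
            counts[(window, rec["ip"])] += 1
    return counts


def flag_sources(lines, window_s=60, threshold=100):
    """Sorted IPs that exceeded threshold requests in any single window."""
    counts = requests_per_window(lines, window_s)
    return sorted({ip for (_, ip), n in counts.items() if n > threshold})


def peak_window_total(lines, window_s=60):
    """Highest total request count in one window, across all sources."""
    totals = Counter()
    for (window, _), n in requests_per_window(lines, window_s).items():
        totals[window] += n
    return max(totals.values(), default=0)


if __name__ == "__main__":
    log = constructed_log()
    print("flagged sources:", flag_sources(log))
    print("peak requests per minute:", peak_window_total(log))
```

Two caveats a practitioner would add. A per-source threshold catches one noisy client but not a botnet that spreads the same load over thousands of addresses, so the per-window total needs comparing against your normal baseline as well. And this only sees requests that reached the web server; a flood large enough to saturate your internet connection never appears in the log, which is why the article's advice to involve your provider matters.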
Telephone Scams (Vishing)
What is it?
These are cold-call scams in which fraudsters pretend to be a police officer, a member of bank staff or a representative of another company. Their objective is to obtain financial or business information, usually by convincing you that there is an emergency that requires you to hand it over. Vishing is often used in conjunction with phishing emails.
By the end of 2015 the number of online banking fraud cases had doubled, and a recent Financial Fraud Action UK report states that social engineering scams such as phishing, vishing and combinations of the two contributed significantly to the sharp increase. [5]
How to help prevent it
– Train your staff: Make your staff aware of cyber security threats and have a protocol for handling unsolicited calls. Continuous training raises awareness and helps you and your employees stay alert to the threat.
– Use a different phone to call back: If you receive a call from a bank, another organisation or the police, tell them you will call them back, even if the caller ID shows the correct number (caller ID can be spoofed). Call back on a different handset, using a number you already have rather than one the caller gives you: fraudsters will occasionally keep the line open so that your call goes straight back to them without you realising.
Data Theft and Copying
What is it?
Data theft is far more common than we think and happens a lot more than is reported, sometimes because it goes completely unnoticed as Rob explains: “It’s underreported by businesses as they are unlikely to say something – they don’t want bad publicity or they could get in trouble for not protecting that data properly – especially if it’s personal and sensitive data. Copying of data is a huge problem more so than data theft, businesses may not have any idea whatsoever about being compromised. If a criminal copies your data and leaves without messing with anything then you would never know”.
How to help prevent it
– Data encryption: Encrypting files and data means that only those with the decryption key or password can read them. This protects sensitive information so that it is only visible to those with authorised access, provided the keys are kept separately from the data and are not themselves exposed by the same compromise.
– Dispose of sensitive data properly: If you hold sensitive information about clients or colleagues, know the rules for handling each type of information, including the rules on disposal or ‘data shredding’.
Preventing Cyber Attacks
Rob Hadfield offers his expert advice on how small businesses can protect themselves from becoming a victim of cyber-attacks: “The employees in your company will likely have access to the system that a criminal wants to gain access to. All they need to do is convince one person to believe that they are calling from the bank or Microsoft for example and they’re in. Telephone and email attacks are one of the areas where small organisations especially are most vulnerable because the only solution for it is to have people trained and aware”.
How to identify if your system has been compromised
While a substantial withdrawal from your business account might stand out like a sore thumb, smaller transactions could go unnoticed without due diligence and attention. Rob elaborates on the importance of regularly checking your accounts: “The obvious thing at first is to look for any unusual transactions on bank accounts. For a small business you may have a lot of transactions in a month and it can be hard to identify it but having regular check in place is essential.
“Paperless accounts are very popular now but can also cause problems as you are less likely to examine them as you would a paper statement. You should always make time to check your statements”.
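The regular statement check Rob describes can be partly automated. The script below is an added example, not code from the original article or from Get Safe Online: over a constructed set of past statement lines it builds a profile of each payee, then reviews a new month's payments and flags any payee not seen before, any new payee whose name closely resembles an existing one (a common invoice-redirection trick), and any payment to a known payee that is several times that payee's usual amount. The transactions, payee names and the three-times multiplier are assumptions for the example.

```python
from collections import defaultdict
from difflib import SequenceMatcher
from statistics import median

# Constructed statement history, not real account data: (date, payee, amount out).
HISTORY = [
    ("2017-01-03", "Acme Lettings", 1200.00),
    ("2017-02-01", "Acme Lettings", 1200.00),
    ("2017-03-01", "Acme Lettings", 1200.00),
    ("2017-04-03", "Acme Lettings", 1200.00),
    ("2017-05-02", "Acme Lettings", 1200.00),
    ("2017-01-10", "Northern Paper", 310.50),
    ("2017-02-09", "Northern Paper", 295.00),
    ("2017-03-12", "Northern Paper", 330.25),
    ("2017-04-11", "Northern Paper", 305.00),
    ("2017-05-10", "Northern Paper", 342.80),
    ("2017-01-28", "HMRC VAT", 2140.00),
    ("2017-04-28", "HMRC VAT", 2310.00),
]

# Constructed current-month transactions to review.
CURRENT_MONTH = [
    ("2017-06-01", "Acme Lettings", 1200.00),
    ("2017-06-08", "Northern Paper", 318.40),
    ("2017-06-13", "Northern Paper Ltd", 2950.00),   # new payee resembling a real supplier
    ("2017-06-20", "NP Office Consulting", 49.99),   # small payment to an unknown payee
]


def payee_profile(history):
    """Median and count of past payments per payee."""
    amounts = defaultdict(list)
    for _, payee, amount in history:
        amounts[payee].append(amount)
    return {p: {"median": median(a), "count": len(a)} for p, a in amounts.items()}


def similar_known_payee(payee, profile, threshold=0.8):
    """Known payee whose name is close to this one, or None."""
    best, best_ratio = None, 0.0
    for known in profile:
        r = SequenceMatcher(None, payee.lower(), known.lower()).ratio()
        if r > best_ratio:
            best, best_ratio = known, r
    return best if best_ratio >= threshold and best != payee else None


def review(history, transactions, spike_ratio=3.0):
    """Return the transactions that deserve a second look, with reasons."""
    profile = payee_profile(history)
    flagged = []
    for when, payee, amount in transactions:
        flags = []
        if payee not in profile:
            flags.append("new-payee")          # flagged whatever the amount
            lookalike = similar_known_payee(payee, profile)
            if lookalike:
                flags.append(f"resembles:{lookalike}")
        elif amount > spike_ratio * profile[payee]["median"]:
            flags.append("amount-spike")
        if flags:
            flagged.append({"date": when, "payee": payee, "amount": amount, "flags": flags})
    return flagged


if __name__ == "__main__":
    for t in review(HISTORY, CURRENT_MONTH):
        print(f"{t['date']} {t['payee']:<22} {t['amount']:>9.2f}  {', '.join(t['flags'])}")
```

New payees are flagged regardless of size because, as the section notes, it is the small transactions that slip through; a criminal testing a stolen card or a redirected mandate often starts with a trivial amount.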
What should a business owner do if they have been compromised?
Depending on how your system has been breached, Rob offers his professional guidance on what to do if your system or security has been compromised: “If you have been compromised in terms of the bank, contact them first. The bank should refund the money if you haven’t made the payment and have actually been hacked.
“But if you or one of your employees has transferred money at the request of the criminal, banks are getting more and more careful about refunding that money. If you pay the money out to someone then it is technically not theft as you gave the permissions for that money to be transferred”.
There are lots of cybersecurity insurance products available that can offer financial protection against a number of cyber risks, tailored to suit your business needs.
Premier BusinessCare offers a range of commercial insurance products to provide financial protection against the unexpected from liability cover to property damage, including cyber risks. Working closely with some of the UK’s leading insurers we work hard to find tailored cover to meet your business needs.
We would like to thank Rob Hadfield from Get Safe Online for his guidance and input into helping us produce this article.
Premier BusinessCare offers a broker service for UK businesses ranging from micro SMEs to those larger businesses with more complex insurance needs.
SOURCES:
[1] http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/
[2] https://info.wombatsecurity.com/blog/wombats-2016-state-of-the-phish-report-shows-double-digit-increases-in-phishing-threats
[3] https://www.av-test.org/en/statistics/malware/
[4] https://www.sailpoint.com/weak-security-practices-leave-organizations-exposed/
[5] https://www.financialfraudaction.org.uk/wp-content/uploads/2016/07/Fraud-the-Facts-A5-final.pdf