Top 4 Cybersecurity Threats for SMBs
October is National Cybersecurity Awareness Month, and with all the highly publicized hack attacks on major companies and government agencies, it’s easy to forget that small businesses are heavily targeted, too.
A study earlier this year by Symantec found that cyber attacks on small businesses have skyrocketed by 72%. One-third of all cyber attacks now target SMBs. The primary reason for this is that SMBs have, on average, weaker cybersecurity than larger companies. This makes them targets of opportunity for digital thieves who are looking for an easy payday.
It’s important for SMBs to realize a few things: First, hackers are targeting businesses like yours every day. Many companies seem to rely on obscurity as their primary means of defense, but this is not realistic. Hackers are full-time professionals - they’ll do the research needed to find small businesses that can be exploited.
Second, the types of hackers that target you are, in many cases, not the same ones who are targeting larger companies. Fortune 500 hackers are, by and large, hunting for intellectual property secrets and business/market intelligence. SMB hackers are almost always after one thing - money. They’re not interested in your IP - they want to find a way to steal money from your bank account, trick you into paying them, or steal it from your customers.
Lastly, cost doesn’t have to be a hindrance to security. Just because your business doesn’t have the financial resources of a larger company, doesn’t mean you can’t make it harder (and thus, more time-consuming and costly) for a hacker to target you.
Entrepreneurs need to know the risks they’re facing and take some basic countermeasures to reduce their level of vulnerability.
Here are the top four threats to prepare for:
No. 1: Banking Trojans - The top online threat to SMBs continues to be the banking Trojan. These are malicious programs (like “Zeus,” “SpyEye,” “Citadel,” “KINS”) that infect a PC, either through a phishing email or a drive-by download from a website, and once they get in, they create a backdoor that gives the hacker remote access to your data and PC operations.
The primary goal of a banking Trojan is to record your username and password when it detects that you are logging onto a bank website. A number of small businesses have been seriously hurt by these attacks - like Patco Construction, which lost $500,000, and Choice Escrow Land Title, which lost $440,000. Even worse for SMBs, banks may not cover your losses for these types of attacks.
TIPS: Since anti-virus and firewalls won’t always catch a banking Trojan, the best defense is a simple one: buy an inexpensive laptop, like a Chromebook, and use it only to log into your bank account. Never log into your account from any other device, and never use the laptop for anything else. To be even safer, make sure the laptop uses a virtual private network (VPN) to access the Internet - this will encrypt your online communications and make it harder for someone to eavesdrop over Wi-Fi.
No. 2: Ransomware - Another threat that is becoming more common for small businesses is ‘ransomware.’ In this type of attack, a hacker infects your PC and then locks your screen (often with a fake law enforcement warning message) so that you can’t use the computer again unless you pay a ransom of a few hundred dollars. However, even if you pay, the hacker won’t release the PC. Some security companies have predicted ransomware to be one of the fastest growing scams this year.
TIPS: Anti-virus won’t always prevent ransomware from getting on your PC. The best solution is to make sure you’re backing up data frequently, either to the company server, an external hard drive or a cloud service. Whatever you do, don’t pay the ransom. There are also a few online tools that may be able to remove the ransomware - like Norton’s Power Eraser or Microsoft’s Security Essentials.
No. 3: Website Exploits - A lot of the same, basic website security mistakes continue to be made time and time again. According to a study by Veracode, 70% of web applications fail to meet basic security standards. If your website hasn’t been tested against basic attacks like “SQL injection,” “cross-site scripting,” “cross-site request forgery” or “authorization” exploits, you will eventually be hacked.
TIPS: You don’t have to be a tech guru yourself to fix these problems. Just ask your website developer if he or she has checked the website against the OWASP Top 10 - the industry standard when it comes to website security. Your developer could also use a new platform called SD Elements that allows them to build security in from the start, which will make the website more resistant to hacks. You can also sign up for a website vulnerability scanner that will actively check the site for flaws (McAfee SECURE for Websites and Symantec Safe Site are just two examples). Also consider using a security information and event management (SIEM) tool, like AlienVault or HP ArcSight, that will monitor the site for active attacks.
No. 4: Social Engineering - The easiest way for a criminal to hack a business is to trick an employee into doing it for them. The industry term for this is ‘social engineering,’ and it can include any number of things - email phishing to get someone to download an infected attachment; impersonating a vendor, IT administrator or supervisor to get account access; etc. People are always the weakest link when it comes to technology, so no matter how much you spend on security, an employee who clicks on a link or opens an attachment can undermine the whole thing.
TIPS: Security awareness training can be a good way to teach employees about these risks. It’s available online and is relatively inexpensive. Another tactic that can help prevent infections from spreading is to keep different groups of employees on separate servers - i.e., owners/managers on one, ‘road warriors’ or sales teams on another, lower-level employees on another, etc. - so that one compromised account or PC does not expose the whole company.
Nish Bhalla, CEO of Security Compass, is an ethical hacker specializing in web and mobile security for Fortune 500s, major banks and well-known technology companies.