Cybercrime is in the news almost every day. We read about large-scale attacks that damage companies’ reputations, contemplate the cost – billions of dollars – to remediate, and generate significant stress about being the next business targeted.
And it’s important to note: Big corporations aren’t the only targets of cybercrime. Data from Verizon’s Data Breach Investigations Report shows that small businesses have increasingly become targets for cybercriminals. In fact, Verizon found 46% of all cybercrime breaches hurt businesses with fewer than 1,000 employees.
We hear about cyber attacks so often these days that it’s easy to become numb to the risks. But the cost of complacency is severe. Not only do companies face hard costs (e.g. fines, legal fees, lost revenue), which average more than between $120,000 and $1.24 million for SMBs, but there are soft costs to consider as well (e.g. recruiting, partnerships, investors). The loss of business due to a damaged reputation is hard to measure, but those who have experienced it know it’s substantial.
Your small or medium-sized business can proactively protect itself against these attacks when armed with the knowledge of the very real threats – and take very real steps to secure your systems. The guide we’ve prepared for you shares what you need to know and do in order to mitigate the risk of security breaches.
There is never a 100% guarantee when it comes to cybersecurity, but following the advice outlined in this guide will drastically limit the chances of falling victim to an easily-prevented problem – and help you prepare if you do experience an attack.
While the specific tactics of cybercriminals always vary, they tend to use a few common strategies to accomplish attacks. We’ll look at three of these frequented tactics, as well as another significant-but-often-underestimated cause of breaches: Human weaknesses.
Ransomware has become one of the most popular ways for cybercriminals to make money. The current most common method for ransomware delivery is called a “Trojan Horse” which, as you can probably guess, is spread through email or a malicious link. As a Trojan Horse, the program or link is masqueraded as a helpful tool or a legitimate file with something sinister hidden inside. Once the program is downloaded, it quietly drops its contents (ransomware) onto your computer. The program then runs in the background, undetected, until it's too late.
Ransomware can be spread through other methods. If you can recall the major Wannacry ransomware attack, for instance, it was spread by exploiting a vulnerability in older operating systems that were never updated.
When a company has mapped network drives that connect back to the corporate server, the encryption will go beyond the local computer to infect the server and encrypt all of the company’s files. Criminals are getting savvier and developing more complex attacks that use more advanced malware payload droppers – what they use to install the malware – and take advantage of encrypted web communication, making it even harder to detect an infection.
A big debate in the cyber security community is whether companies should pay the ransom or not. On one hand, if you pay the cyber criminals, you’re giving them what they want, and the resources to continue what they're doing to other businesses. On the other hand, if you can't access any of your files, your business is at a standstill at best, and at worst will shut down entirely.
The best advice here is to backup your company data frequently. If your company does become the target of a ransomware attack, your files aren't lost and you don't have to pay a fee at all, you just need your IT team to remove the malicious files and restore your files from the backup.
Ransomware has become such a popular form of cybercrime that criminals are now using it as a disguise for other types of malware. Believe it or not, it's almost impossible to distinguish these from ransomware attacks just by looking.
Non-encrypting ransomware/scareware: This type of malware looks just like real ransomware, but doesn't actually encrypt your files – its goal is to scare you into paying the ransom. Sometimes, these are made to look like it's a warning message from a government organization saying you need to pay a fine.
Wiperware: This form of malware looks just like ransomware, but rather than encrypting your files, it erases them altogether, meaning paying a fee won't get you your files back. This is usually the worst-case scenario when it comes to ransomware, and why we recommend backups so strongly.
Fortunately, there are simple steps that will keep ransomware off your system if you follow them.
News that sounds too good to be true usually is, especially when it comes through the internet. Phishing attacks originally began in the form of emails that announced that the recipient had won money or that asked for help with the promise of a reward. Today, attackers have added new tools to their arsenal. What all forms of phishing attacks have in common is the goal of tricking the target into thinking that the email is from a legitimate source to gain access to personal or business information or money.
Phishing attacks take aim at both individuals and companies. Some criminals are sending emails that appear to be from the IRS, saying you’re entitled to an additional tax refund. They ask you to click a link to receive the money they owe you, winning your trust quickly.
Some more sophisticated phishing attacks impersonate someone in your company, usually a high-ranking individual or an HR manager asking for money for various reasons. Other attacks directed at companies target based on apps or software you use. We've seen dozens of phishing attempts targeting Office 365 users, and most of these try to scare the user into clicking by claiming their account is suspended while others try to trick them by blending in, like by imitating a spam quarantine notification.
There are a few different types of phishing attacks, varying in severity.
Phishing is typically an undirected attack, like a large-scale email sent out to as many addresses as possible with the hopes of enough people falling for the scam to make the reward worth the effort.
Spear Phishing is a directed attack in business and personal settings where the attacker has researched his or her target to better tailor the attack to increase the chance of success.
Whaling is a spear phishing attack directed at executive level users. As companies often publish the names and contact information for their executives on their websites, hackers can easily learn what they need to know to successfully target high-ranking company officials.
Phishing emails often share a few telltale characteristics:
1. Bad grammar or misspelled words
2. Spoofed email addresses
3. A request to be contacted via a link or only one method of contact
4. A request for financial or other sensitive information
5. Fonts, colors, or a different writing style than the sender typically uses
You've been phished, now what? Do THIS After You’ve Been Phished
Phishing attempts can take many, many forms. These are just a few different examples we've seen targeted at our customers:
Not every security threat comes via a computer or through the network. Recognizing and protecting against physical, in-person threats is just as important to your data security as preventing ransomware and phishing attacks. Physical threats come in three main types: social engineering attacks, USB drive attacks, and stolen devices.
A social engineering attack is when a cyber criminal tries to trick you into giving up confidential information over the phone or in person. Attackers will call companies, claiming to be a representative from a government agency, their IT company, or bank, and ask for sensitive information that they can use for criminal purposes.
The best way to defend against these attacks is to train your employees to be suspicious of everyone calling and looking for information like this. Instruct employees not to give out confidential information over the phone to anyone. Legitimate institutions will never call and ask for this over the phone.
It’s painful to admit sometimes, but criminals are creative. The USB drive attack strategy is exceptionally clever.
It works like this: A criminal will drop an infected USB in your company’s parking lot. One of your employees finds the USB drive and picks it up, intending to find its owner. The employee plugs it into his or her computer, hoping to find a name associated with the drive, and malicious software immediately begins installing in the background. Or, weeks later, the employee has forgotten where the USB came from and plugs it into his or her computer to use it.
It seems like a longshot, but it works unless you train your employees to treat unknown USB drives or other external drives with suspicion. If an employee finds a USB that may belong to someone in the company, never plug it in to find its owner but instead send an email asking if anyone has lost such a device.
The rise in popularity of small, lightweight tablets, laptops, and smartphones makes it easy for criminals to walk off with your sensitive data. The reality of the hybrid work era is that employees need to take devices everywhere, but there are ways you can protect the data on these devices no matter where they end up.
One of the best ways to protect yourself is data encryption. Windows (in every version since Vista) includes a product called BitLocker. BitLocker will encrypt the contents of your hard drive so that if your computer is stolen, the thief is required to enter your encryption key to unscramble the contents of the hard drive.
Implement policies for automated screen lock, password history, and complexity at your small business. Creating complex passwords and entering passwords dozens of times a day is annoying, but these tactics make it harder for a criminal to take over an unattended workstation or device.
If you use removable storage like USB thumb drives, be sure to encrypt those devices as well. Mobile device management allows you to set automatic parameters that govern behavior at the device level. These policies and more can prevent thieves from accessing data once they’ve stolen a device.
Consider how easy it would be for a criminal to access your company’s data, network, or devices. Here are a few things to think about:
According to Uptime’s Data Center Resiliency Survey, nearly 40% of organizations have suffered a major outage caused by human error over the past three years, and over 60% of these kinds of outages result in at least $100,000 in total losses. Human weaknesses aren’t just a problem – it’s a major problem that often goes unaddressed.
The strongest protection against employees who just don’t know better is twofold: tools and training. Give your employees the tools they need to do their job effectively and securely. They need access to reliable email and storage. If their job involves handling and sending sensitive data, they need encrypted email and the know-how to use that kind of technology.
If employees don’t have company-approved ways to do something, or if the company-approved way is too cumbersome or unreliable, they’re going to find some other way to get the job done, and that way may open the door wide for your company to suffer a cyber attack.
You also need to have clearly outlined policies for how to handle company data. Policies should describe how employees can access company data (approved devices, approved apps, and software, etc.) and how they should interact with company data (rules for sharing, backing up, etc.). Your employees should be trained on all policies, and the policies should be strictly enforced.
Your IT team can even set some policies to be turned on and enforced automatically. For example, if you’re an Office 365 user, you can implement Data Loss Prevention policies in Outlook and other apps. These tools automatically identify sensitive information like social security numbers and credit card information and prevent it from being shared outside of your company.
Make data security training part of your new employee onboarding and regularly re-train employees. Your employees are your first line of defense and potentially your biggest weakness. Your employees also need to be trained to use the company-provided tools to do their jobs. Even if you give your employees the best software available to work productively and securely, they’re still going to use personal solutions if they don’t know how to use what you’ve provided.
Choosing the right tools and building a robust training program for your small business are both important keys to success.
As a small- to medium-sized business, you likely have limited resources to spend on security. Cybercriminals know this, and they’re betting that you’ve neglected to protect yourself. But with careful planning and creative strategy, you can keep your company secure.
Please note: If you’re in a regulated industry, especially healthcare, what you need will be a bit different. Reach out to us, and we can help you make sure you stay compliant.
There are a few things you can purchase and install that will go a long way in protecting your data. Here are the essentials.
Firewall — A firewall acts as a gatekeeper between your local network and the Internet. Business-grade firewalls can seem expensive, but consider what you are getting in return: this device scans all traffic coming into and going out of your network from the outside world for threats.
Looking to equip your business with a firewall? How to Choose the Right Firewall for Your Business
Encryption — Encryption keeps your data safe if you experience a data breach or if a computer or hard drive is lost or stolen. It scrambles your data so the information cannot be read without an encryption key. If you’re using Windows, you probably already have basic encryption software: BitLocker.
Backups — Data backups can save your business if you fall victim to a cyber attack. Even if you pay the fee to a ransomware criminal, there’s no guarantee you’ll get your files back. With a robust backup system, you’ll only lose files created after your last backup, and you won’t have to pay the ransom.
As we mentioned earlier and all the time, employees are often your weakest link – but should also be your first line of defense when it comes to data security. Onboarding training and regular re-training will help employees remember the best practices of data security. Giving your employees the knowledge and tools they need to do their job securely is one of the best ways to protect your company from attacks.
Regularly test your employee’s security knowledge to identify any holes in their awareness. This testing will help you know where to focus your training.
Speaking of your training and testing, it should never be used as punishment. Punishing your employees for falling victim to an attack isn’t going to make them less likely to fall victim to an attack in the future – but it may make them less likely to report it.
Don't know where to start? Here are a couple extra resources:
The basics are easy to overlook, but following them will prevent the majority of cyber attacks. Here are the do’s and don't's:
DON’T use the same password(s) for multiple accounts, or references to things that a hacker could guess or find elsewhere, like a favorite food, your address, phone number, or date of birth..
DON’T enter your password on an unsecured WiFi network.
DON’T open an email attachment or click on a link from an unknown sender, even if the rest of the email looks normal – and vice versa.
DON’T share your passwords, even with coworkers, or store passwords insecurely.
It can be tempting to try to save money by going to a big box retailer and getting equipment meant for personal use to apply to business settings. But you’ll be better protected if you spend a little more money on business-grade equipment in the first place. Personal firewalls just can’t handle the same amount of traffic as a commercial firewall and will result in slow Internet speeds that hamper productivity, reducing profitability in the long run.
If you’re working with an outsourced IT company like us at PTG, get them involved in choosing equipment. They’ll be able to help you pick the best firewall and backup solutions for your network and your budget. We already have relationships with vendors and can get equipment at a discounted rate that you won’t have access to yourself.
Firewalls are also now available in a firewall-as-a-service option with low monthly pricing. This is often an attractive option for budget-conscious business owners.
Once you’ve got the basics in place, you may want to think about boosting your security even further. There are additional apps, add-ons, and steps you can implement to take security to the next level.
Mobile Device Management — Whether you’re giving your employees cell phones to use for work or have a Bring Your Own Device (BYOD) policy, employees are likely using mobile devices to access company information like email and sensitive line-of-business applications. You need a mobile device policy to protect your data in the event an employee’s phone is lost or stolen.
Secure your hybrid workforce: The Six Pillars of Securing Your Hybrid Workforce
Multi-Factor Authentication — Authentication is a method of proving you are who you say you are. It can take several forms, including a password or PIN code, an RSA token or smart card, or a fingerprint or retinal scanner. Multi-factor authentication is simply using more than one of these methods for access. It dramatically increases protection.
Make MFA more convenient: Making MFA More Convenient for your Business
Advanced Threat Protection — Advanced Threat Analytics (ATA) is an add-on to Office 365 that detects suspicious activity and prevents malicious attacks from hitting your network. It combines the typical analysis that happens with security products like anti-virus with machine learning so over time, it actually gets smarter.
Data Loss Prevention — Microsoft provides another feature called Data Loss Prevention. This feature is essentially a set of policies that Office 365 provides that allows the organization to monitor email communications for sensitive material. Once turned on, these rules scan all emails to and from an organization looking for information like credit card numbers, SSNs, Taxpayer Identification Numbers, and passport numbers.
Cybersecurity is serious and complex, so you need a skilled expert with experience to manage your system for you. This expert can be an internal person who’s been trained and has managed security for other companies in the past, or you can outsource security management to a tenured team like ours at PTG.
Traditionally, data security has been treated as a capital expense. Even if they’re regularly updated, firewall and antivirus programs have only been purchased and thought about every few years. But because cyber threats are advancing and evolving quickly, companies are now shifting security to business operations, which not only keeps the business safer but also makes budgeting easier.
The best way to achieve this switch is to use a monthly security-as-a-service, or what some call a firewall-as-a-service, plan. Look for a monthly security plan that rolls multiple security expenses, like firewall, antivirus, and monitoring into one to get the most bang for your buck. Something like:
Data security can seem intimidating. But small businesses have more security tools and options available today than ever before. Smaller companies don’t need to dedicate large budgets to get the security they need. Putting best practices in place and providing your people with the tools and training they need will go a long way in protecting your business.
Palmetto Technology Group (PTG) is an outsourced IT company in Greenville, SC. We take the guesswork and frustration out of IT by working with businesses to help them align their technology to meet business goals. Want to learn more about how we can help boost productivity and make your business more secure? Visit our website or read some of our Success Stories.
Our mission of serving the homebound is dependent on daily operational IT needs. PTG helped develop a plan for technology resources that has been instrumental in the growth and sustainability of our organization. Making the decision to choose PTG as our IT provider was one of the best decisions the organization has made.
Catriona Carlisle, Executive Director Meals on Wheel of Greenville County
Everybody at PTG is very professional—they're all really good at what they do. When we call them, we know we're going to get someone right here. They know us on a first-name basis.
Brandon Herring, Director of IT and Security Armada Analytics
If you made it this far down, we're guessing you read something that resonated with you. This guide only scratches the surface of how complex each companies technology needs are. With over 15 years of experience, we have likely worked with a business similar to yours.
Our solutions specialists are trained to meet you where you are and will help you to get where you want to be. Enter in your information in the form to the right and we will make time to go through your needs.