Cybercrime is in the news almost every day. We read about large-scale attacks that damage companies’ reputations, contemplate the cost – billions of dollars – to remediate, and generate significant stress about being the next business targeted.

And it’s important to note: Big corporations aren’t the only targets of cybercrime. Data from Verizon’s Data Breach Investigations Report shows that small businesses have increasingly become targets for cybercriminals. In fact, Verizon found 46% of all cybercrime breaches hurt businesses with fewer than 1,000 employees.

 

We hear about cyber attacks so often these days that it’s easy to become numb to the risks. But the cost of complacency is severe. Not only do companies face hard costs (e.g. fines, legal fees, lost revenue), which average more than between $120,000 and $1.24 million for SMBs, but there are soft costs to consider as well (e.g. recruiting, partnerships, investors). The loss of business due to a damaged reputation is hard to measure, but those who have experienced it know it’s substantial.

Your small or medium-sized business can proactively protect itself against these attacks when armed with the knowledge of the very real threats – and take very real steps to secure your systems. The guide we’ve prepared for you shares what you need to know and do in order to mitigate the risk of security breaches.

There is never a 100% guarantee when it comes to cybersecurity, but following the advice outlined in this guide will drastically limit the chances of falling victim to an easily-prevented problem – and help you prepare if you do experience an attack.

 

Would you rather watch a video?

While the specific tactics of cybercriminals always vary, they tend to use a few common strategies to accomplish attacks. We’ll look at three of these frequented tactics, as well as another significant-but-often-underestimated cause of breaches: Human weaknesses.

 

1. Ransomware

 

Ransomware has become one of the most popular ways for cybercriminals to make money. The current most common method for ransomware delivery is called a “Trojan Horse” which, as you can probably guess, is spread through email or a malicious link. As a Trojan Horse, the program or link is masqueraded as a helpful tool or a legitimate file with something sinister hidden inside. Once the program is downloaded, it quietly drops its contents (ransomware) onto your computer. The program then runs in the background, undetected, until it's too late.

Ransomware can be spread through other methods. If you can recall the major Wannacry ransomware attack, for instance, it was spread by exploiting a vulnerability in older operating systems that were never updated.

When a company has mapped network drives that connect back to the corporate server, the encryption will go beyond the local computer to infect the server and encrypt all of the company’s files. Criminals are getting savvier and developing more complex attacks that use more advanced malware payload droppers – what they use to install the malware – and take advantage of encrypted web communication, making it even harder to detect an infection.

 

The Great Debate

A big debate in the cyber security community is whether companies should pay the ransom or not. On one hand, if you pay the cyber criminals, you’re giving them what they want, and the resources to continue what they're doing to other businesses. On the other hand, if you can't access any of your files, your business is at a standstill at best, and at worst will shut down entirely.

The best advice here is to backup your company data frequently. If your company does become the target of a ransomware attack, your files aren't lost and you don't have to pay a fee at all, you just need your IT team to remove the malicious files and restore your files from the backup.

Variations and Imitations

Ransomware has become such a popular form of cybercrime that criminals are now using it as a disguise for other types of malware. Believe it or not, it's almost impossible to distinguish these from ransomware attacks just by looking.

Non-encrypting ransomware/scareware: This type of malware looks just like real ransomware, but doesn't actually encrypt your files – its goal is to scare you into paying the ransom. Sometimes, these are made to look like it's a warning message from a government organization saying you need to pay a fine.

Wiperware: This form of malware looks just like ransomware, but rather than encrypting your files, it erases them altogether, meaning paying a fee won't get you your files back. This is usually the worst-case scenario when it comes to ransomware, and why we recommend backups so strongly.

 

Steps to Prevent Ransomware

Fortunately, there are simple steps that will keep ransomware off your system if you follow them.

1. Don’t open emails or the files in emails from email addresses that you don’t recognize.
   
   
2. Don’t click on links in emails or open files from email addresses that you do recognize if there is anything abnormal going on. Criminals have now learned how to “take over” an email account and can send ransomware from legitimate accounts (even those within your company). When in doubt, call to confirm with the sender that a link or file is safe before clicking on it.
   
   
3. Don’t go to websites that you don’t recognize, and verify the URLs of websites that seem legitimate. Hackers are building websites that look just like the real ones they are impersonating with URLs that are only slightly different than the real ones.
   
   
4. Block executable file types from coming through on email (here's how) or block file attachments entirely, requiring a safe word to allow emails with file attachments through. This step will stop Trojan Horse programs from entering through email attachments.
   
   
5. Don't click on any links or open attachments when you're in a hurry. You are less likely to notice the red flags when you are feeling rushed.
   
   
6. Start running Deep Packet Inspection on all traffic on your network, both encrypted and plain text. This protection is typically run on a firewall and will spot the network traffic of ransomware that’s trying to communicate with its host. Deep Packet Inspection will then kill the connection, stopping the damage.
   
   
7. As always, keep your antivirus, operating system, and programs up to date. Updates patch vulnerabilities that have been discovered and exploited by these hackers.
   
   
8. Make sure that you keep good, working backups that are easily restored.
   
   
9. Ask your IT company (or IT manager) to examine your users’ permissions on shared folders on your servers. Are there users that have full access where less will suffice? Encrypting ransomware takes advantage of the permissions of users on network drives, so limit access as much as possible.
   
   
10. Tell your users to not save anything locally on their computers. Instead, save all important data on network drives or in Cloud storage.
    
    
11. Train your employees on data security. One person clicking on one bad link can infect an entire company. Remind employees regularly about the importance of security and review warning signs, what to look out for before opening attachments or clicking links, and what to do if something goes wrong.

 

 

 

 

 

 

 

 

 

2. Phishing Attacks

News that sounds too good to be true usually is, especially when it comes through the internet. Phishing attacks originally began in the form of emails that announced that the recipient had won money or that asked for help with the promise of a reward. Today, attackers have added new tools to their arsenal. What all forms of phishing attacks have in common is the goal of tricking the target into thinking that the email is from a legitimate source to gain access to personal or business information or money.

Phishing attacks take aim at both individuals and companies. Some criminals are sending emails that appear to be from the IRS, saying you’re entitled to an additional tax refund. They ask you to click a link to receive the money they owe you, winning your trust quickly.

Some more sophisticated phishing attacks impersonate someone in your company, usually a high-ranking individual or an HR manager asking for money for various reasons. Other attacks directed at companies target based on apps or software you use. We've seen dozens of phishing attempts targeting Office 365 users, and most of these try to scare the user into clicking by claiming their account is suspended while others try to trick them by blending in, like by imitating a spam quarantine notification.

 

Types of Phishing Attacks

There are a few different types of phishing attacks, varying in severity.

Phishing is typically an undirected attack, like a large-scale email sent out to as many addresses as possible with the hopes of enough people falling for the scam to make the reward worth the effort.

Spear Phishing is a directed attack in business and personal settings where the attacker has researched his or her target to better tailor the attack to increase the chance of success.

Whaling is a spear phishing attack directed at executive level users. As companies often publish the names and contact information for their executives on their websites, hackers can easily learn what they need to know to successfully target high-ranking company officials.

 

How to Identify a Phishing Attack

Phishing emails often share a few telltale characteristics:

1. Bad grammar or misspelled words

2. Spoofed email addresses

3. A request to be contacted via a link or only one method of contact

4. A request for financial or other sensitive information

5. Fonts, colors, or a different writing style than the sender typically uses

 

Steps to Prevent Phishing Attacks

1. A strong spam filter will help eliminate the majority of attacks, analyzing the message before it ever arrives in your inbox and refusing any blatant attacks.
   
   
2. A robust antivirus software will scan emails and attachments for any malicious programs or backdoors that may be working to break into your system and steal personal data.
   
   
3. If you get an email from a co-worker or institution that looks suspicious, just give them a call and ask them if the email is legitimate before clicking or downloading anything.
   
   
4. Look at the sender email address before opening, don’t rely merely on the sender name that appears in the email, and don’t open emails that you aren’t sure are legitimate.
   
   
5. If you do open an email that you realize is suspicious, don’t open any attachments or click on any links, and report it immediately to your IT team.
   
   

You've been phished, now what? Do THIS After You’ve Been Phished

 

Examples of Phishing Attacks 

Phishing attempts can take many, many forms. These are just a few different examples we've seen targeted at our customers: 

1. Out of Office
   
   
2. Office 365 Account Notice
   
   
3. Spoofed Email Attacks
   
   
4. CEO Impersonation Attacks
   
   

   

 

 

3. Physical Threats

Not every security threat comes via a computer or through the network. Recognizing and protecting against physical, in-person threats is just as important to your data security as preventing ransomware and phishing attacks. Physical threats come in three main types: social engineering attacks, USB drive attacks, and stolen devices.

 

Social Engineering Attacks

A social engineering attack is when a cyber criminal tries to trick you into giving up confidential information over the phone or in person. Attackers will call companies, claiming to be a representative from a government agency, their IT company, or bank, and ask for sensitive information that they can use for criminal purposes.

The best way to defend against these attacks is to train your employees to be suspicious of everyone calling and looking for information like this. Instruct employees not to give out confidential information over the phone to anyone. Legitimate institutions will never call and ask for this over the phone.

 

USB Drive Attack

It’s painful to admit sometimes, but criminals are creative. The USB drive attack strategy is exceptionally clever.

It works like this: A criminal will drop an infected USB in your company’s parking lot. One of your employees finds the USB drive and picks it up, intending to find its owner. The employee plugs it into his or her computer, hoping to find a name associated with the drive, and malicious software immediately begins installing in the background. Or, weeks later, the employee has forgotten where the USB came from and plugs it into his or her computer to use it.

It seems like a longshot, but it works unless you train your employees to treat unknown USB drives or other external drives with suspicion. If an employee finds a USB that may belong to someone in the company, never plug it in to find its owner but instead send an email asking if anyone has lost such a device.

 

Stolen Devices

The rise in popularity of small, lightweight tablets, laptops, and smartphones makes it easy for criminals to walk off with your sensitive data. The reality of the hybrid work era is that employees need to take devices everywhere, but there are ways you can protect the data on these devices no matter where they end up.

One of the best ways to protect yourself is data encryption. Windows (in every version since Vista) includes a product called BitLocker. BitLocker will encrypt the contents of your hard drive so that if your computer is stolen, the thief is required to enter your encryption key to unscramble the contents of the hard drive.

Implement policies for automated screen lock, password history, and complexity at your small business. Creating complex passwords and entering passwords dozens of times a day is annoying, but these tactics make it harder for a criminal to take over an unattended workstation or device.

If you use removable storage like USB thumb drives, be sure to encrypt those devices as well. Mobile device management allows you to set automatic parameters that govern behavior at the device level. These policies and more can prevent thieves from accessing data once they’ve stolen a device.

 

Other Ways to Protect From Physical Threats

Consider how easy it would be for a criminal to access your company’s data, network, or devices. Here are a few things to think about:

1. How many doors stay unlocked during the day, leaving them susceptible to unauthorized access?
   
   
2. Is your server room locked?
   
   
3. Do you have any way of tracking who is going in and out of your office? Your server room?
   
   
4. Would fingerprint scanners or keycard-coded doors that allow your employees to come and go easily but keep criminals out be beneficial to your strategy?

 

4. Human Weaknesses

According to Uptime’s Data Center Resiliency Survey, nearly 40% of organizations have suffered a major outage caused by human error over the past three years, and over 60% of these kinds of outages result in at least $100,000 in total losses. Human weaknesses aren’t just a problem – it’s a major problem that often goes unaddressed.

 

How to Prevent Cyber Attacks that Target Human Weaknesses

The strongest protection against employees who just don’t know better is twofold: tools and training. Give your employees the tools they need to do their job effectively and securely. They need access to reliable email and storage. If their job involves handling and sending sensitive data, they need encrypted email and the know-how to use that kind of technology.

If employees don’t have company-approved ways to do something, or if the company-approved way is too cumbersome or unreliable, they’re going to find some other way to get the job done, and that way may open the door wide for your company to suffer a cyber attack.

You also need to have clearly outlined policies for how to handle company data. Policies should describe how employees can access company data (approved devices, approved apps, and software, etc.) and how they should interact with company data (rules for sharing, backing up, etc.). Your employees should be trained on all policies, and the policies should be strictly enforced.

Your IT team can even set some policies to be turned on and enforced automatically. For example, if you’re an Office 365 user, you can implement Data Loss Prevention policies in Outlook and other apps. These tools automatically identify sensitive information like social security numbers and credit card information and prevent it from being shared outside of your company.

Make data security training part of your new employee onboarding and regularly re-train employees. Your employees are your first line of defense and potentially your biggest weakness. Your employees also need to be trained to use the company-provided tools to do their jobs. Even if you give your employees the best software available to work productively and securely, they’re still going to use personal solutions if they don’t know how to use what you’ve provided.

Choosing the right tools and building a robust training program for your small business are both important keys to success.

 

Other protections to consider: 

1. Multi-factor authentication — Combining something you know (like a password) with something you have (like a phone app or a keyfob) makes it much harder for an attacker to access information.
   
   
2. Encrypted Email — Encrypting your email ensures that it can’t be read by third parties.
   
   
3. Data Loss Prevention — Data Loss Prevention is a set of policies that allow email communications to be monitored for sensitive material. These rules scan all emails to and from an organization looking for information like credit card numbers, SSNs, Taxpayer Identification Numbers, and Passport numbers.
   
   
4. Outbound Internet Monitoring — Monitor your outbound Internet connections to ensure your Internet traffic is going where it should, and not being redirected to a malicious site or server.

 

As a small- to medium-sized business, you likely have limited resources to spend on security. Cybercriminals know this, and they’re betting that you’ve neglected to protect yourself. But with careful planning and creative strategy, you can keep your company secure.

Please note: If you’re in a regulated industry, especially healthcare, what you need will be a bit different. Reach out to us, and we can help you make sure you stay compliant.

 

1. Essential Equipment

There are a few things you can purchase and install that will go a long way in protecting your data. Here are the essentials.

Firewall — A firewall acts as a gatekeeper between your local network and the Internet. Business-grade firewalls can seem expensive, but consider what you are getting in return: this device scans all traffic coming into and going out of your network from the outside world for threats.

Looking to equip your business with a firewall? How to Choose the Right Firewall for Your Business

Encryption — Encryption keeps your data safe if you experience a data breach or if a computer or hard drive is lost or stolen. It scrambles your data so the information cannot be read without an encryption key. If you’re using Windows, you probably already have basic encryption software: BitLocker.

Backups — Data backups can save your business if you fall victim to a cyber attack. Even if you pay the fee to a ransomware criminal, there’s no guarantee you’ll get your files back. With a robust backup system, you’ll only lose files created after your last backup, and you won’t have to pay the ransom.

 

2. Training

As we mentioned earlier and all the time, employees are often your weakest link – but should also be your first line of defense when it comes to data security. Onboarding training and regular re-training will help employees remember the best practices of data security. Giving your employees the knowledge and tools they need to do their job securely is one of the best ways to protect your company from attacks.

Regularly test your employee’s security knowledge to identify any holes in their awareness. This testing will help you know where to focus your training.

Speaking of your training and testing, it should never be used as punishment. Punishing your employees for falling victim to an attack isn’t going to make them less likely to fall victim to an attack in the future – but it may make them less likely to report it.

Don't know where to start? Here are a couple extra resources:

• Why You Need to Implement Cyber Security Training Today
• Which of Your Employees Should Do Regular Security Training & Why?
  
  

 

The basics are easy to overlook, but following them will prevent the majority of cyber attacks. Here are the do’s and don't's:

DON’T use the same password(s) for multiple accounts, or references to things that a hacker could guess or find elsewhere, like a favorite food, your address, phone number, or date of birth..

• DO use long, complex passphrases with letters, numbers, and special characters.

DON’T enter your password on an unsecured WiFi network.

• DO seek secured networks, like your cellphone's hotspot, to do your personal and professional work at all times.

DON’T open an email attachment or click on a link from an unknown sender, even if the rest of the email looks normal – and vice versa.

• DO regularly back up your data and make sure it’s easy to restore in the case of a slip-up by someone on your team.

DON’T share your passwords, even with coworkers, or store passwords insecurely.

• DO keep all the dedicated password managers, software, and operating systems on your computer, phone, and tablet up to date.

 

It can be tempting to try to save money by going to a big box retailer and getting equipment meant for personal use to apply to business settings. But you’ll be better protected if you spend a little more money on business-grade equipment in the first place. Personal firewalls just can’t handle the same amount of traffic as a commercial firewall and will result in slow Internet speeds that hamper productivity, reducing profitability in the long run.

If you’re working with an outsourced IT company like us at PTG, get them involved in choosing equipment. They’ll be able to help you pick the best firewall and backup solutions for your network and your budget. We already have relationships with vendors and can get equipment at a discounted rate that you won’t have access to yourself.

Firewalls are also now available in a firewall-as-a-service option with low monthly pricing. This is often an attractive option for budget-conscious business owners.

 

 

Once you’ve got the basics in place, you may want to think about boosting your security even further. There are additional apps, add-ons, and steps you can implement to take security to the next level.

Mobile Device Management — Whether you’re giving your employees cell phones to use for work or have a Bring Your Own Device (BYOD) policy, employees are likely using mobile devices to access company information like email and sensitive line-of-business applications. You need a mobile device policy to protect your data in the event an employee’s phone is lost or stolen.

Secure your hybrid workforce: The Six Pillars of Securing Your Hybrid Workforce

Multi-Factor Authentication — Authentication is a method of proving you are who you say you are. It can take several forms, including a password or PIN code, an RSA token or smart card, or a fingerprint or retinal scanner. Multi-factor authentication is simply using more than one of these methods for access. It dramatically increases protection.

Make MFA more convenient: Making MFA More Convenient for your Business

Advanced Threat Protection — Advanced Threat Analytics (ATA) is an add-on to Office 365 that detects suspicious activity and prevents malicious attacks from hitting your network. It combines the typical analysis that happens with security products like anti-virus with machine learning so over time, it actually gets smarter.

Data Loss Prevention — Microsoft provides another feature called Data Loss Prevention. This feature is essentially a set of policies that Office 365 provides that allows the organization to monitor email communications for sensitive material. Once turned on, these rules scan all emails to and from an organization looking for information like credit card numbers, SSNs, Taxpayer Identification Numbers, and passport numbers.

Cybersecurity is serious and complex, so you need a skilled expert with experience to manage your system for you. This expert can be an internal person who’s been trained and has managed security for other companies in the past, or you can outsource security management to a tenured team like ours at PTG.

Traditionally, data security has been treated as a capital expense. Even if they’re regularly updated, firewall and antivirus programs have only been purchased and thought about every few years. But because cyber threats are advancing and evolving quickly, companies are now shifting security to business operations, which not only keeps the business safer but also makes budgeting easier.

The best way to achieve this switch is to use a monthly security-as-a-service, or what some call a firewall-as-a-service, plan. Look for a monthly security plan that rolls multiple security expenses, like firewall, antivirus, and monitoring into one to get the most bang for your buck. Something like:

• Secure firewall with 24/7 software updates and annual hardware replacements, so you’re always protected
• Cloud-based, robust antivirus software and web security software scans in real time to keep you protected without affecting performance
• Email configuration services with optional encryption to lessen the chance of malicious emails reaching your inbox
• Real-time monitoring of outbound Internet connections, making sure you’re actually going where you think you’re going online, and not to a malicious site

Data security can seem intimidating. But small businesses have more security tools and options available today than ever before. Smaller companies don’t need to dedicate large budgets to get the security they need. Putting best practices in place and providing your people with the tools and training they need will go a long way in protecting your business.

 

About PTG

Palmetto Technology Group (PTG) is an outsourced IT company in Greenville, SC. We take the guesswork and frustration out of IT by working with businesses to help them align their technology to meet business goals. Want to learn more about how we can help boost productivity and make your business more secure?  Visit our website or read some of our Success Stories.