When you hear the word cybersecurity what do you think of? Probably the old meme of a hooded teenager, hunched over a computer screen. There may well be cybercriminals who wear hoodies, but today, cybercrime is a massive business that is expected to be valued at $6 trillion USD a year by 2021 and is more profitable than the combined worth of the drugs trade.
Cybercrime is a mixed bag. It describes threats and attacks on anything digital, such as data and IT resources. The impact of such attacks are widespread and include both financial losses as well as downtime and reputation damage. It is a crime that keeps on giving too. The cybercriminal network is far and wide and reaches out to the most sinister of networks, the dark web, where stolen information is bought and sold to commit further crimes. To get a flavor of how cybercrime is affecting businesses of all sizes and across all sectors, let’s look at some facts and figures:
The Impact of Cybercrime
The Ponemon Institute along with IBM, publish an annual survey into the costs of cybercrime to business. This year’s study shows that the costs associated with a cybercrime have increased by 6.4 percent to, on average, $3.86 million USD.
Cost of Cybercrime to Smaller Companies
In another Ponemon study, which specifically looked at the costs of cybercrime on smaller organizations (100-1000 employees), they found the average cost to a small organization was over $2.2 million USD when disruption to operations and loss of IT assets were added up.
Phishing and Ransomware
The cybercriminal’s toolkit is full of goodies. Tricks and techniques abound and many of them hit the very nature of human beings. Phishing is the weapon of choice of many cybercriminals; they use the spoof emails and texts to infect business computers and steal login credentials. In 2017, 76 percent of businesses experienced a phishing attack. Ransomware which often enters a company via an email attachment is prolific. In 2016, a company was attacked by ransomware every 40 seconds.
Ransomware is a type of malware. The total number of malware strains has been increasing, year on year, and in Q1 of 2017 a new malware strain was discovered every 4.2 seconds. This means that it is very difficult for companies to protect themselves against it.
Small Company Specific Impacts of Cybercrime
Smaller organizations are low hanging fruit for hackers as they are less likely to have dedicated security defenses. The Ponemon study into cyber attacks on small businesses found that 48 percent of respondents had experienced a phishing attack; 43 percent a web-based attack; and, 36% said their company had been infected with malware. The UK government survey found an even higher rate of cybersecurity incidents amongst small to medium sized firms, with 50% of small organizations experiencing attacks.
Cybersecurity: Hitting Small Business Where It Hurts
Small businesses are sweet spots for certain types of cybercrime. Let’s have a look at some of the cybercriminals favorite methods:
Hands Up! Ransomware and Its Impact on Smaller Organizations
Ransomware is everyone’s most feared type of cyber threat. If you become infected by ransomware all of your files, locally stored, across your network, and even out into Cloud folders will be encrypted by the rogue program. Once encrypted you will see a warning message pop up on your computer screen stating that if you pay an amount of cryptocurrency within X days you’ll be given a special key to decrypt the files. Of course, we are dealing with criminals here, so chances are you won’t get the key even if you pay up.
Becoming infected with ransomware is the digital equivalent of a bomb going off. You won’t be able to work on any of your files; spreadsheets, Word documents, PowerPoint slides, etc., are all locked. According to research, small companies lost, on average, $100,000 per ransomware incident. Twenty-Two percent of small companies attacked by ransomware were immediately put out of business.
Smile, You’ve Been Framed: The Scourge of Business Email Compromise (BEC)
Business Email Compromise (BEC) is a scam that preys on human behavior. The goal is to trick an employee, often at the C-level, to transfer large sums of money to the bank account of the cybercriminal. The scam sometimes uses phishing emails which they use to steal login credentials to email accounts and calendars. This part of the scam is to gain intelligence on the target. They use this intelligence to trick the target person into a relationship with the scammer. The goal is to build trust to get the chosen person to transfer the money.
The trick sometimes includes creating spoof emails which look very much like the email has come from a C-level person. The emails use a sense of urgency to transfer money. For example, “this amount MUST be transferred by 12 noon or the company will lose a lucrative contract”. The email looks real because they are based on intelligence gathered about the target. So, for example, firstname.lastname@example.org would become email@example.com. Many people wouldn’t notice the difference in the email address and believe it was a valid request from a senior person. The FBI looked at the costs of BEC worldwide and found that between October 2013 and December 2016, $5.3 billion USD was lost to BEC scams.
A Phisher’s Guide to Tricking the Small Business
Phishing is the most popular tool of the cybercriminal because it works really well. This tactic uses our basic human responses in order to infect computers with malware such as ransomware, steal login credentials to important accounts, and also steal sensitive and personal data. Phishing comes in a number of forms such as spoof emails (including spear-phishing which targets an individual in a company), Vishing, which uses a phone call to steal information, and SMShing based on spoof mobile messages. Phishing is also the favorite way to deliver ransomware – the Ponemon study found 76 percent of ransomware was delivered via a phishing email.
5 Ways to Help Prevent a Cybersecurity Incident
It may seem as if managing the risks of cybersecurity is an uphill struggle. However, there are a number of fairly straightforward exercises you can do to help reduce the likelihood that your small company will be hit by a cybersecurity incident, or if it is, to lower the impact.
Being aware of what risks exist is half the battle. If you know the tactics used by cybercriminals, such as how to spot the tell-tale signs of a phishing email, you can prevent a malware infection or the theft of login credentials. A tangible solution might be to organize a cybercrime seminar for your employees.
You may have heard of second-factor authentication (2FA) which is where after entering a password a person then receives a code on a mobile (or uses a biometric like a fingerprint). Only if you enter this into a field you can log in to an account. Although 2FA is not perfect it reduces the risk of phishing significantly. Even if a hacker stole your password they would still need the code or biometric to log in. If you have the option to use 2FA to log in to accounts, use it.
Secure and Safe Backups
Ransomware effectively removes the ability to use your files and documents. You can help to minimize the impact of a ransomware infection by having secure backups. However, ransomware can also affect backup systems, so you need to have the right type of backup system. Make sure that you do not connect your backup to your network. A survey by SentinelOne found that those firms having safe backups were able to get operations running more quickly.
Using the Tools of the Trade
Encryption may be the tool of the ransomware criminal, but it is also a force for good. You can encrypt data at rest and in transit. When you visit a website that has HTTPS in the URL it generally means that data, such as your personal data or passwords, etc., is securely transmitted. Using encryption and digital certificates is making the internet slightly safer. There are exceptions to this of course. Some spoof websites are tricking users into thinking the site is secure by using HTTPS. Encryption is also important for storing sensitive information and personal data on databases and on hard drives such as a laptop.
Cybercriminals love to target smart phones and there are many mobile security vulnerabilities. A new popular tactic is ransomware on mobiles which lock the phone until you make a payment. Also prevalent are banking trojans which present a very convincing fake bank app login screen and steal your login credentials in real-time. A report by Verizon found that 85 percent of organizations felt that mobiles posed a risk to their business.
Being Aware of the Cyber Threat
Cybercrime is a growing problem, but it is not insurmountable. We cannot, however, hope it will not affect us because we are a small business. Cybercriminals are in it for the money and the disruption and they look for easy targets. By being aware of what cybersecurity is all about and the types of risks we have to solve, the small business can protect itself.