Cyber Security in SMB - Full 2022 Guide for Small Business Owners
According to Verizon's 2019 Data Breach Investigations Report, 43% of breaches involved small business victims. The figure is even more daunting when one considers that a breach can be the final blow: the frequently cited National Cyber Security Alliance estimate is that 60% of small businesses close within six months of a cyberattack.
Importance of Cyber Security In SMBs
Why are small businesses the target of cyberattacks?
Unlike large corporations, most small businesses lack the budget and staff to invest in advanced security, which makes them an easy target for attackers who have no need to take on a well-defended enterprise.
But that's not all. By compromising a smaller third-party provider, attackers can gain a foothold in the global organizations it serves. This is why many large corporations require the small and medium-sized partners they work with to meet compliance standards such as HIPAA and SOC 2.
5 Cyber Threats Every SMB Owner Should Know
Phishing
Phishing is, without a doubt, the most common attack against small and medium-sized companies, and by the estimate cited here it is involved in 90% of all information security breaches. Small businesses are significantly more vulnerable to social engineering because they lack security measures such as multi-factor authentication and awareness training. This usually shows up as weak security practices that leave many organizations exposed.
These attacks use emails, text messages and phone calls that appear to come from a legitimate source but were in fact sent by an attacker intending to install malware or steal sensitive data. By creating a sense of urgency, the message entices the recipient to click a link or open an attachment.
There are many types of phishing; the most sophisticated and hardest to detect is spear phishing. There are also many ways to reduce the risk, such as an email security gateway that filters inbound and outbound mail, and awareness training for employees. To read more about the types of phishing attacks and how to identify them, see our phishing article.
Example of a phishing email:
Types of phishing attacks:
Email phishing - emails that appear to come from a reliable source (often a well-known brand such as Facebook or eBay, a professional organization, an institution or a service provider) but were sent by an attacker. These emails borrow the corporate language, the company logo and even the original typography, which lends them credibility and persuades us of their legitimacy.
Spear phishing - similar to email phishing, but the attacker targets a small group of people, sometimes for a single purpose. The attacker collects the names of employees in a particular department and impersonates a known entity, such as a service provider they work with or the IT team. The email is personalized to its target.
MITM (man-in-the-middle) - the attacker inserts themselves between the user and the service provider, either passively listening or impersonating one of the two sides. The purpose is to steal personal information (credit card details, passwords, account data), and it most often occurs in traffic between users and financial services, SaaS applications, online stores and any site that requires a login. Logging in only over HTTPS and treating browser certificate warnings as a stop sign removes most of the opportunity.
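The brand impersonation, lookalike domains and urgency described above can be checked mechanically. The following Python script is an added example, not code from the original article: it triages a raw email by comparing the display name and sender domain against an allowlist of trusted domains, flagging a mismatched Reply-To, flagging links whose host imitates a trusted domain (brand embedded in a longer name, the real domain used as a subdomain of another, or confusable character swaps), and scanning the body for urgency phrases. The trusted domain `example-bank.com`, the two sample messages and the phrase list are all constructed for the demonstration.

```python
import email
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains the (hypothetical) company expects account and payment mail from.
# The allowlist is an assumption of this example; replace it with your own.
TRUSTED_DOMAINS = {"example-bank.com"}

# Phrases that manufacture the sense of urgency phishing relies on.
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "verify your account")

def domain_of(address):
    """Lowercase domain part of an e-mail address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def is_trusted(host, trusted):
    """True for the trusted domain itself or a genuine subdomain of it."""
    return host == trusted or host.endswith("." + trusted)

def is_lookalike(host, trusted):
    """Host is not trusted but is built to resemble it: the brand name is
    embedded in a longer name (example-bank-secure.com), the real domain is a
    subdomain of something else (example-bank.com.evil.net), or characters
    were swapped for confusable ones (examp1e-bank.com, 'rn' for 'm')."""
    if not host or is_trusted(host, trusted):
        return False
    brand = trusted.split(".")[0]
    swaps = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
    candidate = host.translate(swaps).replace("rn", "m").replace("vv", "w")
    return brand in candidate

def triage(raw_message):
    """Return the phishing indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message)
    findings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0].replace("-", " ")
        # Display name drops a brand the sending domain does not belong to.
        if brand in display.lower().replace("-", " ") and not is_trusted(sender_domain, trusted):
            findings.append(f"display name '{display}' claims {brand} but sender is {sender_domain}")
        if is_lookalike(sender_domain, trusted):
            findings.append(f"sender domain {sender_domain} imitates {trusted}")

    # Replies silently routed to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} does not match sender domain {sender_domain}")

    body = ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            charset = part.get_content_charset() or "utf-8"
            body += part.get_payload(decode=True).decode(charset, "replace")

    # Links whose host imitates a trusted domain.
    for url in re.findall(r"https?://[^\s<>\"')]+", body):
        host = (urlparse(url).hostname or "").lower()
        for trusted in TRUSTED_DOMAINS:
            if is_lookalike(host, trusted):
                findings.append(f"link host {host} imitates {trusted}")

    hits = [p for p in URGENCY_PHRASES if p in body.lower()]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings

# Constructed sample messages (not real mail) for the demonstration.
LEGIT_SAMPLE = b"""From: Example Bank <alerts@example-bank.com>
To: owner@smallbiz.example
Subject: Your monthly statement is ready
Content-Type: text/plain; charset=utf-8

Your statement is available at https://example-bank.com/statements
"""

PHISHING_SAMPLE = b"""From: Example Bank Security <alerts@examp1e-bank.com>
Reply-To: collector@mail-drop.example
To: owner@smallbiz.example
Subject: Action required on your account
Content-Type: text/plain; charset=utf-8

Your account will be suspended unless you verify your account immediately:
http://example-bank.com.login-check.net/verify
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_SAMPLE), ("phishing", PHISHING_SAMPLE)):
        print(name, triage(sample) or ["no indicators"])
```

The legitimate sample produces no findings; the phishing sample trips every check. A script like this is a training aid and a first filter, not a replacement for a mail gateway: an attacker who registers an unrelated domain and writes a calm message passes all four checks, which is exactly why the awareness training above still matters.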
Ransomware
Ransomware has become more common, not only against small businesses but also against private individuals, who are more vulnerable and tend to believe they have no choice but to comply with the attacker's demands. The malware encrypts the data on the victim's computer, organizational or personal, and denies the owner access until the ransom is paid. Loss of access leaves the business unable to serve its customers for an unknown period, because the data is often not backed up. For small and medium-sized businesses with little financial cushion, this can be fatal.
To reduce the chance of having data held hostage, keep devices and the organization's operating systems up to date, verify the source of downloaded software and media, and use reputable, up-to-date endpoint protection.
To limit the damage of a ransomware attack, back up the organization's data regularly and consider cloud storage with versioning, so that earlier, unencrypted versions of files can be restored if necessary. Keep at least one backup copy that the infected machines cannot reach or write to, since modern ransomware looks for connected backups and encrypts those as well.
Types of ransomware:
Encryption - this type of malware locates files that seem valuable to the user (texts, documents, images, PDFs and more) and encrypts them, blocking access. When the victim is an individual the ransom is usually a few hundred dollars, payable within a deadline of up to 72 hours, after which the attacker threatens to delete the data permanently.
Lock - the user is locked out of the device, and the ransom message appears on the screen.
Scareware - perhaps the most cynical of them all, this attack mimics security-scanning software such as an antivirus and alerts us to critical findings. The fake error messages imitate legitimate antivirus products and build credibility by showing the victim's IP address and geographic location, or by using the names of reputable and trusted companies. Access is then denied until the victim pays for the malware to "repair" the problems.
Doxware - ransomware that threatens to leak the victim's data to sites on the dark web, where the attacker might sell the information or publish it for free.
How Does Ransomware Infect Devices?
Ransomware victims can be individuals or organizations with gaps in their defenses, hospitals being a frequent example. The malware usually reaches devices by one of the following routes:
Phishing
Tale as old as time, attack as successful as ever: this method has proven itself time after time. Emails and SMS messages appear to have been sent from a legitimate source, and their purpose is to get users to open links and download infected files.
For further reading on how to identify a phishing attack and defend yourself, continue to our full phishing article.
Incorrect configuration of the RDP
The Remote Desktop Protocol, or RDP for short, may be the favorite feature of those of us who still rely on the "turn it off and on again" school of IT support. However, an RDP service that is reachable from the internet, especially one that accepts password-only logins, is one of the most common ways ransomware operators get in: they scan for TCP port 3389, guess or buy stolen credentials, and deploy the ransomware by hand. This usually happens when:
A company is setting up its network for the first time
The IT team is inexperienced and has not restricted the ports properly
An outsourced IT team leaves ports open for remote monitoring
The check is simple: scan your public IP addresses from outside the office and confirm that port 3389 does not answer. If remote access is genuinely needed, put RDP behind a VPN, require Network Level Authentication, restrict the allowed source addresses in the firewall, and protect the accounts with multi-factor authentication.
Lack of multi-factor authentication
Remote access, email and cloud accounts protected by a password alone fall to stolen or guessed credentials; requiring a second factor closes this route (see the section on strong passwords and multi-step verification below).
Exploit kits
Every criminal needs a toolkit, and hackers are no different. Exploit kits are collections of malware and exploit code that scan the victim's device for known, unpatched vulnerabilities. The kit makes first contact through malvertising, websites or advertisements that carry malicious code and collect data about the visitor, then probes the browser, its plugins and the network for known weaknesses. Once installed on the device, the ransomware can spread across the corporate network and lock access to work documents.
Weaknesses in the cloud infrastructure
While this may sound absurd to those of us who still believe the cloud is God's gift to mankind, attacks on cloud infrastructure have increased by 230% since 2019. The most common ways of breaking into cloud services are:
Account hijacking: stealing the user's cloud credentials through phishing, XSS, systematic password guessing and other means.
Data theft and leakage from cloud servers. The most common victims are small businesses, which, unlike global corporations, do not deploy sophisticated defenses.
Unsecured APIs, which give attackers an entry point for attacks such as DDoS or bulk data extraction.
Cloud infrastructure can be protected by reviewing who has access and removing accounts that no longer need it, requiring multi-factor authentication on every console login, monitoring for suspicious activity, placing a WAF in front of web applications, encrypting data, and many other measures.
DDoS (Distributed Denial of Service)
An attempt to make an internet service, such as a website, unavailable to its users, usually by overwhelming the server that hosts it. There are many types of DDoS, but the essence is flooding the site and its server with malicious traffic until it fails under the load, often from many devices that were hacked earlier and are used without their owners' knowledge (a botnet). Attackers have been refining these attacks with automation and AI. Not all is bleak, though: machine learning can also help defenders spot anomalous traffic, especially when large amounts of data are available to learn from.
Third-party service providers
Third-party software is software written by a company other than the one using it, such as the management tools, plugins and online services a business relies on.
Third-party attacks use the supplier's systems to reach the customer's data. If you are not convinced of the severity of this kind of attack, just ask SolarWinds, maker of the "Orion" IT management platform. Attackers compromised Orion's build process and inserted malicious code that opened a backdoor. Because the tampered builds were signed with SolarWinds' own certificate and delivered as routine updates from March 2020 onward, customers who installed them had no easy way to tell them apart from legitimate releases, and the backdoor let the attackers spy on those organizations.
Since the backdoor lay dormant for weeks after installation and went undetected for months, we will probably never know the exact number of companies harmed. SolarWinds itself estimated that about 18,000 customers installed the vulnerable updates, among them US federal agencies and Microsoft.
As the third-party provider, SolarWinds has carried the stain ever since: type the company's name into Google and one of the first results is about this hack. Like red wine on a white dress, some stains you just cannot remove.
Cyber Security In SMBs
Create a cyber-oriented organizational culture
Employees can be your biggest security risk or your strongest defense.
Small businesses are significantly vulnerable to social engineering: research shows that about a third of all cyberattacks involve social engineering in one way or another. Of the many ways to carry it out, phishing is by far the most popular, accounting for about 90% of social engineering attacks; it uses emails and text messages that appear to come from a legitimate source to get users to open links and download files.
It is advisable to keep an eye on recent phishing campaigns and brief employees about them, in addition to regular seminars on the cyber security threats your organization faces.
Test employee awareness with phishing simulations, which stage an attack on the company's own staff in the form of email phishing, spear phishing, or phone phishing that impersonates the company's IT department.
The testing team will usually register a lookalike domain, and sometimes obtain a TLS certificate for it, so as not to arouse suspicion. A message is then sent to employees (using one of the phishing methods listed above) from an address that appears familiar, usually with a link that asks for personal information (password, username, account details, etc.).
As awareness grows through repeated tests, employees become more cautious, which lowers the odds that the next real attack succeeds. Treat the results as a learning exercise rather than a reason to shame individuals, and track not only how many people clicked but how many reported the message.
Back up sensitive information
Identify the organization's sensitive and vital documents (financial records, HR files, protocols, customer information) and set up automatic, scheduled backups for them. Store the backups on servers protected by strong security controls, keep at least one copy offline or on storage that cannot be modified from the office network, and test a restore periodically: a backup that has never been restored is not yet a backup.
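To make the versioning and restore idea concrete (it also serves the earlier point that ransomware recovery depends on being able to bring back an older, unencrypted version of a file), here is an added Python example; it is not code from the original article. Each run copies the documents folder into a new timestamped snapshot and writes a SHA-256 manifest beside it, `changed_files` compares the live folder against a snapshot to show which files were altered, and `restore` verifies the snapshot against its own manifest before copying it back. The `demo` function builds a scratch folder with two constructed documents, takes a snapshot, overwrites one file with random bytes to stand in for ransomware, and restores. The script demonstrates versioning and integrity checking only; where the snapshot directory lives (offline disk, write-once cloud bucket) is what keeps it out of the ransomware's reach, and that is an assumption left to the reader's environment.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

def sha256_of(path):
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(source, backup_root, label=None):
    """Copy `source` into a new, timestamped snapshot directory under
    `backup_root` and write a manifest of SHA-256 hashes beside the copy.
    Earlier snapshots are never touched, so each one stays restorable."""
    source, backup_root = Path(source), Path(backup_root)
    label = label or datetime.now().strftime("%Y%m%dT%H%M%S%f")
    dest = backup_root / label
    shutil.copytree(source, dest / "data")
    manifest = {p.relative_to(source).as_posix(): sha256_of(p)
                for p in source.rglob("*") if p.is_file()}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest

def changed_files(source, snapshot_dir):
    """Relative paths in the live tree whose content differs from the
    snapshot's manifest, or that are missing. A sudden wave of changes across
    documents nobody edited is how ransomware encryption shows up."""
    source = Path(source)
    manifest = json.loads((Path(snapshot_dir) / "manifest.json").read_text())
    return sorted(rel for rel, digest in manifest.items()
                  if not (source / rel).is_file() or sha256_of(source / rel) != digest)

def restore(snapshot_dir, target):
    """Rebuild `target` from a snapshot, first verifying the snapshot's own
    files against the manifest so a tampered backup is not silently restored.
    Returns the number of files restored."""
    snapshot_dir, target = Path(snapshot_dir), Path(target)
    manifest = json.loads((snapshot_dir / "manifest.json").read_text())
    data = snapshot_dir / "data"
    bad = [rel for rel, digest in manifest.items() if sha256_of(data / rel) != digest]
    if bad:
        raise RuntimeError(f"snapshot failed integrity check: {bad}")
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(data, target)
    return len(manifest)

def demo():
    """Constructed scenario: two documents, one snapshot, then simulated
    ransomware overwrites one file with random bytes. Returns what the
    detection and restore steps reported."""
    with tempfile.TemporaryDirectory() as tmp:
        docs = Path(tmp) / "docs"
        (docs / "hr").mkdir(parents=True)
        (docs / "invoices.csv").write_text("id,amount\n1,100\n")
        (docs / "hr" / "contracts.txt").write_text("standard contract v3")
        snap = snapshot(docs, Path(tmp) / "backups", label="v1")

        (docs / "invoices.csv").write_bytes(os.urandom(64))   # "encrypted" by ransomware
        changed = changed_files(docs, snap)
        restored = restore(snap, docs)
        return {
            "changed": changed,
            "restored": restored,
            "recovered": (docs / "invoices.csv").read_text() == "id,amount\n1,100\n",
            "clean_after_restore": changed_files(docs, snap),
        }

if __name__ == "__main__":
    print(demo())
```

Because every snapshot has its own manifest, a restore from last week is verified against last week's hashes, not against whatever the live (possibly already encrypted) folder contains now. Run `snapshot` from a scheduled task, and keep the snapshot root on media the workstations cannot write to.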
Strong passwords and multi-step verification
Perhaps the biggest security sin of all, password reuse, is an easily fixed vulnerability. Use a long, random and unique password for every account, insist on strong passwords for financial accounts, and store them in a reputable password manager rather than in a notes app on your phone.
Strong passwords alone are not sufficient, however. Organizations must enable multi-factor authentication, which requires a second proof of identity, such as a one-time code from an authenticator app on another device, in addition to the password.
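To show what "another device as an authentication requirement" means in practice, the following Python block is an added example, not code from the original article. It stores a password as a salted PBKDF2-HMAC-SHA256 hash rather than in the clear, generates and verifies time-based one-time passwords exactly as authenticator apps do (RFC 6238: HMAC over the current 30-second counter, dynamic truncation, last six digits), and only signs a user in when both factors pass. The shared secret `12345678901234567890` is the RFC 6238 test-vector secret, used here so the codes can be checked against published values; the PBKDF2 iteration count follows current OWASP guidance and is an assumption you may tune.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ITERATIONS = 600_000   # OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256

def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt$digest' for storage. The password
    itself is never stored; a random salt per user means a password reused on
    another site does not produce a recognisable hash here."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def secret_from_base32(text):
    """Decode the base32 secret carried by an authenticator app's QR code."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

def totp(secret, for_time=None, step=30, digits=6, algo="sha1"):
    """RFC 6238 time-based one-time password: HMAC over the step counter,
    dynamic truncation, then the last `digits` decimal digits."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify_totp(secret, code, now=None, window=1):
    """Accept the current code and one step either side to absorb clock drift
    between the phone and the server."""
    now = time.time() if now is None else now
    return any(hmac.compare_digest(totp(secret, now + k * 30), code)
               for k in range(-window, window + 1))

def login(stored_hash, secret, password, code, now=None):
    """Both factors must pass. Each check always runs, so a wrong password and
    a wrong code take the same time and reveal nothing about which one failed."""
    password_ok = verify_password(password, stored_hash)
    code_ok = verify_totp(secret, code, now)
    return password_ok and code_ok

if __name__ == "__main__":
    # RFC 6238 test-vector secret, in the base32 form an authenticator app would scan.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    stored = hash_password("correct horse battery staple")
    print("stored record:", stored)
    print("code at t=59:", totp(secret, 59))
    print("login ok:", login(stored, secret, "correct horse battery staple", totp(secret, 59), now=59))
```

At time 59 the RFC 6238 vector gives `94287082` for eight digits, so the six-digit code is `287082`; the block reproduces it. In a real deployment the per-user TOTP secret is stored server-side encrypted at rest, and the password record produced by `hash_password` is what goes in the user table.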
Keep Your Systems Up-to-Date
Software developers regularly release updates aimed to prevent the exploitation of software vulnerabilities.
Pay attention to these updates even when they are frequent: large vendors such as Facebook and Microsoft ship updates constantly, and Microsoft's security patches, for example, arrive on a monthly cycle plus emergency releases for flaws that are being actively exploited.
Even systems that seem marginal to you, such as your CMS or IoT devices from printers to building-management systems, need updates, though they are typically released less often.
In addition, there are so-called legacy products: systems whose manufacturers have decided they have run their course and have stopped releasing updates for and supporting them.
For example, Windows 7 reached end of life in January 2020 and is no longer supported by Microsoft; machines still running it after that date receive no security fixes and pose a threat to the corporate network.
Restrict physical access
Sometimes it seems that cyberattacks only happen in the virtual world, but the importance of restricting physical access to the organization's facilities should not be underestimated. External attackers often try to walk into facilities precisely because organizations are complacent about this, sometimes impersonating technicians such as representatives of telecom companies laying network infrastructure, IEC, and so on.
Restricting internal access is also necessary, given the steady rise in incidents involving the organization's own employees, whether intentionally or not. Give each employee access only to the systems and data their role requires.
Cyber security companies offer red teaming services: a full-scope, multi-layered attack simulation that measures how well your people, networks, applications and physical security controls withstand a real-world adversary.