About a month ago I published Cyber Scare – Part 1, which introduced some of the concepts I presented in my Cyber Security for You and Your Clients course at Scaling New Heights (2018). Part 1 outlined concepts related to ‘Understanding that You are a Target’ when it comes to cyber-crime, taught a little about the various ‘Cyber-threat Vectors’ and some principles for securing them, and addressed the fact that ‘Cloud-computing/Hosted-solutions’ are not a panacea for cyber security threats.
In this Part 2 article of our mini-series we will address just two of today’s biggest cyber threats, ‘phishing’ and ‘ransomware’, both of which are increasing at the rate of several hundred percent each quarter. Cyber experts believe this trend will continue for the next 2 or 3 years at best, and much longer at worst.
Phishing and ransomware are cyber threats aimed at stealing, or disabling access to, your computerized information, including financial data, employee information, sensitive customer data (like credit card numbers), and even intellectual property (trade secrets). Ransomware costs were only $24+ Million in 2015, but more than $260 Million in 2017, and the FBI estimates that ransomware cost more than $200 Million in just the first three months of 2018.
[Figure: Cyber_scare_2_01 - Costly threat]
Phishing and its variants, including spear-phishing and whaling (aka CEO Fraud), are becoming even more prevalent forms of cyber attack upon small to medium businesses, whereas previously they were primarily aimed at larger corporations. The FBI believes that a majority of U.S. businesses of all sizes have been impacted by phishing attacks during the past 12 months, even if many of those businesses may not yet be aware of such an attack upon their company data.
One form of threat, ‘whaling’, also known as CEO Fraud, has seen losses exceed $2 billion in just the last 2 years. In these cases, unsuspecting business employees receive an email from what appears to be their boss advising them to make a wire transfer to what seems to be a vendor with whom they normally do business. Of course, both the email and the vendor bank instructions are fictitious, but the money lost is very real.
[Figure: Cyber_scare_2_02 - Phishing attacks worldwide]
The graphic above shows the majority of all phishing attacks occur within the United States.
Cyber criminals are accelerating their attacks upon unsuspecting small and medium sized businesses because larger corporations are taking extra efforts to enhance their cyber security and response. Knowing that a single cyber threat can impact tens, if not hundreds, of thousands of individuals simply by accessing a relatively small number of SMBs, each holding customer and employee information in its data, these criminals are targeting smaller entities from which to either demand ransoms or steal information.
Most small-to-medium businesses have assumed the attitude that “nobody wants my data”, or “I am too small for anyone to worry about targeting my company for data theft.” As a result, they fail to take essential steps to prevent cyber attack or to minimize the impact of such threats in the event that they are attacked.
Many SMBs have failed to deploy even the most rudimentary cyber security solutions other than anti-virus software and simplistic software firewalls. Many SMBs rely upon either ‘included solutions’ that come with their hardware or operating systems or choose to download ‘free’ software from the internet rather than spend resources to protect their valuable data.
The reality is that many of these simplistic solutions do not significantly improve protection, and even those that do may not have had their most recent updates applied, because many SMBs don’t have internal personnel responsible for ensuring that cyber security solutions are up-to-date or even running. Most cyber security experts estimate that only 2 out of 5 SMBs are properly protected by the solutions that they have installed.
While there are a variety of best practices that SMBs should use to minimize the potential for becoming victims of ransomware or phishing attacks, one of the most important is ‘security awareness training.’ Security awareness training is critical in protecting an SMB from cyber attack because almost all cyber-criminals are ‘fishers of men’: they rely upon human behavior and human vulnerability, using something known as ‘social engineering.’
Human behavior impacts threat potential, and unaware personnel are the biggest single cause of vulnerability within any organization (of any size). The graphic below illustrates some of the risky human behaviors that put organizations at risk of cyber-attack.
[Figure: Cyber_scare_2_03 - Risky human behavior]
Typically, SMBs focus on new anti-virus software, turning on firewall security, or even buying new security hardware long before they turn their attention to their own personnel. But while ‘the human factor’ is one of the most overlooked areas of cyber security protection, it is one of the most, if not ‘the most’, important, because personnel are often the weakest link in the security environment.
When is the last time you jotted down a password on a sticky-note, only to throw it in the trash? That is an all-too-common security lapse that comes from a lack of ‘human best practices’ for cyber threat prevention. While it is important to create a plan and implement methodologies for securing your data, it is critical to educate your personnel on the best practices that keep the data safe. One of the essentials of such education is ‘awareness of the principal risks’ related to cyber threats.
Be honest now, if you were to receive an email similar to the one below, but from one of your own vendors, would you click on the green button to download the attached invoice?
[Figure: Cyber_scare_2_04 - Would you click the green button]
Studies show that the majority of SMB personnel would in fact open the attachment.
In this case a cyber criminal used highly targeted data mining to gain key facts about me as the owner of my own small company. The attacker then created a well-crafted email to try to trick me into clicking the link that hid a malicious payload. In this case the payload was a form of ransomware which, had I opened the attachment, would have been delivered, allowing the malware to encrypt my entire computer. Fortunately for me, the cyber-security mechanisms we have in place prevented a successful attack.
If our internal security mechanisms had not caught this email, I would have hoped that I would have been ‘cyber security aware’ enough to have recognized that the email was suspicious and taken steps to isolate it myself.
As in the example above, the attacker used verbiage and names designed to persuade me to open the email. But there are several things that need to be highlighted when training your personnel to identify suspicious emails that might not get ‘caught’ by the cyber-security system. These include:
- Do you know the sender of the email? If yes, continue to be cautious and consider the remaining questions below before clicking any link. If no, do not click any links.
- Have you checked the link? Mouse over the link and check the URL. Does it look legitimate or does it look like it will take you to a different website?
- Does the email contain grammatical errors? If so, be suspicious.
- Are there any attachments in the email? If so, do not click on the attachment before contacting the sender to verify its contents.
- Does the email request personal information? If so, do not reply.
- If you have a relationship with the company, are they addressing you by name?
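To show how part of this checklist can be turned into an automatic first-pass screen, here is an added example (not code from the original article): it parses an HTML email body, flags links whose visible text is a URL on a different domain than the real target (the ‘mouse over the link’ check), flags attachments of types that should be verified with the sender first, and flags requests for personal information. The sample message, the attachment names and the keyword lists are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body: the visible link text names one domain,
# the real href points somewhere else, and the text asks for credentials.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer,</p>
<p>Your invoice is ready:
<a href="http://invoice-portal.example.net/dl">https://billing.trusted-vendor.example.com/invoice</a></p>
<p>Please reply with your account number and password so we can process it.</p>
"""

RISKY_ATTACHMENTS = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".zip")
PERSONAL_INFO_WORDS = ("password", "account number", "social security", "ssn")

class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _domain(url):
    """Hostname of a URL; tolerate text like 'www.x.com' that lacks a scheme."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def suspicious_links(html):
    """Return hrefs whose displayed text is itself a URL on a different domain."""
    parser = _LinkParser()
    parser.feed(html)
    return [href for href, text in parser.links
            if re.match(r"https?://|www\.", text) and _domain(text) != _domain(href)]

def triage_email(sender_known, html, attachments):
    """Apply the checklist items; an empty list means nothing was flagged."""
    findings = [] if sender_known else ["unknown sender"]
    findings += [f"link text does not match target: {h}" for h in suspicious_links(html)]
    risky = [a for a in attachments if a.lower().endswith(RISKY_ATTACHMENTS)]
    if risky:
        findings.append("attachment needs sender verification: " + ", ".join(risky))
    body = re.sub(r"<[^>]+>", " ", html).lower()
    if any(word in body for word in PERSONAL_INFO_WORDS):
        findings.append("requests personal information")
    return findings
```

A screen like this supports, rather than replaces, the human check: it cannot judge grammar or whether the sender is really a known contact, so a clean result still means applying the remaining questions yourself.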
Beyond training, every SMB should also conduct ‘cyber-security’ tests. To do this, you may need the assistance of a local cyber-security expert. I suggest you first contact the supplier of your internet service, which may be your cable provider or telephone (DSL) provider. Many of these companies have staff who will either assist you with available information and consultation, or who can provide the names of local experts who can consult with you.
If you remember when you were in school, the teacher would teach you how to respond in case of a fire: line you up and march you out to a designated area on the playground, or adjacent to the parking area. Then one day the school held a ‘fire drill’ and you had to respond exactly as if there was a real fire. The reason that schools conduct fire safety training and fire drills is fire fatality prevention; the same applies to ‘tornado safety’, and the same also applies to ‘cyber security.’
When is the last time your SMB had a cyber-security drill? Well, that's been too long!
In Part 3 of this mini-series we will explore some of the Cyber-security principles for threat mitigation.