5 Evil Hacks Your Small Business Must Resist
43 percent of all hacks targeted small businesses in 2015, a dramatic increase since 2011. Cyber criminals don’t discriminate — if your security is lacking, you’re an easy target for a global criminal industry worth $120 billion.
Worryingly, the costs are rising and breaches can now cause a 20 percent loss in revenue, according to data from Cisco.
It’s just a matter of time until you’re targeted by these cunning criminals. Here are 5 evil hacks your small business must resist — and how to defend against them. After all, not every business can afford an ethical hacker.
Once access is established, typically by tricking employees into running malicious code on their computers, ransomware holds your business-critical files, systems and data to ransom. Ransomware code then spreads across the company network as it encrypts your files and data.
They’ll be unusable and unrecoverable until a decryption key can be sourced (guess who’s willing to sell you that), or your systems rolled back. Of course, the criminals will charge you a fee (i.e. ransom) for the decryption key.
Without the key, it’s unlikely you’re going to crack the encryption. An average desktop computer would take 6.4 quadrillion years to crack RSA 2048 encryption found on typical ransomware.
In exchange for the key, and to (potentially) get access to your business critical files, you’ll need to pay up — typically in the form of a crypto-currency like Bitcoin.
How to resist: If you’re struck by ransomware, shut down your systems to prevent the contagion spreading to connected machines. Then restore from back-up if you can.
Some security firms advise not destroying your ransomed data, as new tools may be built later on to decrypt these files.
Prevention is key to avoiding ransomware. Antivirus software is obviously essential but must be backed up with an effective ransomware strategy complete with employee education. Regular backups are also crucial as they allow you to recover with minimal losses if your defences fail.
What about paying up? Even businesses that do pay-up are not guaranteed to get their data back. Funding criminal activity is a bad idea, and the attackers could simply strike again.
Baiting — ‘The dropped drive hack’
Physical media devices, like USBs given out as freebies at trade shows, could contain a Pandora’s box of cyber threats. These devices are the Trojan Horses of cybercrime (in keeping with the Greek metaphors) as they bypass your external security defences.
This method of hacking is by no means new but people still fall for this scam. In 2016, Google researcher Elie Bursztein ran a study in which 300 USB drives were dropped on a college campus. 45 percent were picked up and plugged into a computer.
If this were a real test, malware could then easily transfer from the drive and infect an entire organisation’s network.
These hacks should worry every small business, especially employees responsible for IT security, because these devices rarely raise suspicions. If a labelled USB drive appeared on your employee’s desk one morning they might just plug it in.
How to resist: Because this technique preys on ignorance, a drive for cyber education in small businesses is needed to combat these threats. Your employees must be taught the massive risks associated with seemingly inconspicuous forms of physical media.
The Internet of Things (IoT)
The world is on the cusp of an Internet of Things (IoT) revolution as the number of internet-connected devices continues to rise.
But as the IoT creates opportunities, it also creates new targets for cyber criminals. Alongside the benefits of IoT — like connected fridges and self-driving cars — a lack of security investment means these devices are easy targets for hackers.
Hackers now create botnets formed of inconspicuous consumer IoT devices — like fridges and DVRS — to direct overwhelming amounts of traffic at unsuspecting servers. Its success is unrivalled: the Mirai botnet resulted in the largest DDoS attack in history and it’s still out there.
In February, one university reportedly fell victim to 5000 of its own IoT devices, including vending machines. An unknown hacker developed malware to breach each device by brute-forcing the factory-set passwords.
The hack was relatively harmless, but as the Verizon investigator concluded: “It could have shut down the entire university”.
How to resist: SMEs must pay close attention to the network settings of their IoT devices. Remember, this can include anything: from an office router to your new Amazon Echo.
Devices should also be included in regular IT asset inventories, and above all default credentials like passwords must be updated regularly.
Everyone knows not to click a link in a suspect email, but people still fall for phishing scams all the time. The sophistication of phishing techniques has increased dramatically and phishing emails are more authentic than ever.
No business is safe from this ancient hack: the FBI suspects a phishing email is how cyber criminals got inside Sony Pictures in 2014.
How to resist: There is no silver bullet, but cyber security precautions will help. Enable multi-factor authentication on your business accounts, use a password manager and backup your data.
Phishers are great marketers by necessity. So, most importantly, SMEs must educate their employees to be discerning when it comes to emails that play to their emotions or sense of trust.
Not every hack is high-tech. ‘Visual hacking’, involving snooping over shoulders or taking photographs of logins, is rarely discussed but the dangers are very real.
One Ponemon Institute experiment tasked an undercover operative to pose as a contractor in an office. The operative was able to obtain sensitive info — like passwords — 88 percent of the time. Incredibly, employees did nothing to stop the operative.
How to resist: Once again, cyber security education is king. If you’re in a busy office and concerned about low-tech hacking, teach your staff the three R’s:
1. Refrain from sharing key customer or business information with others
2. Remove this information from business documents where possible
3. Redact (obscure) sensitive information that can’t be removed
The more public the workspace, the more vigilant you should be. Daniel Burks, Senior VP for U.S. Bank recommends using password-protected screensavers, securing shredders and even checking if security cameras can see confidential information.
Alex is a technical writer for Firebrand Training. Working at the forefront of the IT training industry, Alex uses his insider knowledge to write regularly on IT security, networking and cloud technology.