Startups & SMBs are not targets of cyber attacks, are they?
Cybersecurity breaches are becoming alarmingly frequent. Yahoo’s systems were infiltrated twice, in 2013 and 2014 respectively, resulting in 500 million and 1 billion user accounts being compromised and their personal data leaked. This revelation in 2016 resulted in a drop of $350m in the final price Verizon paid for acquiring Yahoo earlier this year.
Last month we saw one of the biggest heists in the history of cryptocurrency. Ethereum, the platform that runs smart contracts, was broken into and ethers worth $31m were drained; a timely intervention by a few white-hat hackers prevented a further loss of about $150m.
As I’m writing this piece, HBO is still assessing its losses from the theft of 1.5 terabytes of data, which includes much more than just the upcoming episodes of ‘Game of Thrones’. No ransom demands have yet been made, but from the looks of it, this seems to be the handiwork of a politically motivated hacktivist.
As a startup or small & medium business (SMB), seeing all such stories of cyberattacks on big corporations splashed across the media might not mean much. After all, SMBs won’t be attacked; they don’t offer any significant financial incentive, or perhaps even the fame, that some hackers are after. Well, maybe it’s time for a major rethink!
Large corporations have been stepping up their fight against cyber criminals and now regularly upgrade their security apparatus, making it difficult to break in. Given these developments, hackers now find it very attractive to target SMBs, because SMBs usually don’t have strong security protocols in place. As per Symantec, SMBs are now the targets of 43% of all cyberattacks, making them not just attractive targets but the primary ones.
As a small business, getting attacked that often still might not sound alarming; after all, being attacked doesn’t mean being a victim. Fortinet, a major security vendor, says that an average SMB is compromised by 4 pieces of malware. Given the sophistication of this malware, detection takes about 170 days on average, and during this exposure period hackers continue to drain all sorts of sensitive organizational data.
As an SMB, it can be reasoned that the company doesn’t have any sensitive data to worry about. However, a careful review will usually show SMBs that they have client billing, shipping, credit card, and other financial & personal details stored on their systems, all of which is valuable to hackers.
In fact, an SMB servicing a big corporation is a bigger risk. The SMB might be carrying the corporation’s sensitive information, and due to its less than adequate security standards, the SMB can easily become an entryway for hackers into the corporation’s network.
That is how the information of 110 million Target customers was stolen. A hacker managed to breach a computer at Target’s HVAC contractor and through it navigated to the Point of Sale (POS) machines, collecting customers’ Personally Identifiable Information (PII) and card details.
Breaches like these, arising out of lax security standards, can be costly to SMBs, as they can be sued. Additionally, industries that must comply with the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI DSS) have strong data security standards.
SMBs servicing such corporations have very stringent standards and legal responsibilities to protect data. Overall, the impact of a breach on an SMB has in most cases been found to be massive. As per the National Cyber Security Alliance (NCSA), of those SMBs that suffer a successful attack, sadly nearly 60% shut down within 6 months.
State of security
Securing cyberspace is getting tougher by the day. The days are long gone when a lone hacker sitting somewhere remote would break into a system just for the thrill of it. Nowadays, cyber-attacks are orchestrated like organized crime, very similar to other underground criminal activities.
Criminals meet over the darknet, an overlay network that remains anonymous and has its own communication protocols and access rights. Content and discussions carried over the darknet don’t appear in online searches and can’t be indexed, even though they are carried over the common internet.
It is on this darknet that hackers and organized criminal groups actively work, discuss, prepare, and plot the next attack and identify new vulnerabilities. These criminals collaborate on a massive scale and use the latest technologies to develop the next generation of sophisticated malware that is hard to detect or stop.
From the days of the first virus to today’s malware, the attack landscape has changed a lot. Malware itself now covers a collection of infectious software: viruses, worms, Trojan horses, ransomware, spyware, keyloggers (which secretly record every keystroke to a file), scareware, rootkits, and many more.
The things this malware unleashes are as scary as its names. From hijacking or altering computing functions and monitoring users, to deleting, encrypting, or stealing data, this software is capable of large-scale damage.
As per AV-TEST, the German IT security institute, it registers over 390,000 new malicious programs every day and 143 million each year. At this pace of new virus introduction, it seems obvious that their production is now being carried out on an automated, industrial scale.
Added to this, there has been a huge upsurge in polymorphic malware (malware that constantly changes its form, e.g., from worm to virus). As per Webroot, the leader in endpoint security, 97% of malware morphs to become unique to a specific endpoint, thereby rendering signature-based security virtually useless. This might explain why last year there was an attack every 39 seconds and why a billion records and accounts were compromised.
The attacks are only getting more advanced and incisive. Today most attacks involve automated vulnerability scanners and sophisticated computer worms, and this too is evolving fast. The evolution and wider use of Machine Learning (ML)/Artificial Intelligence (AI), while very useful, has also opened up and exposed new attack surfaces.
New attack vectors coupled with new attack surfaces make for a potent combination to defend against. In the security industry, it is now clear that fighting these new threats requires ML/AI and threat intelligence gathering. The way things are progressing, it seems that soon it will be algorithms (ML/AI) fighting algorithms (ML/AI).
What are the attack vectors?
For the level of sophistication and complexity this subject presents, the points of attack are sometimes laughably simple. The most common attack method, even to this day, is a phishing email. Of course, phishing is not what it used to be years ago.
Back in the day, a mass email was usually sent out to hundreds of unsuspecting targets; now, of course, hackers send out customized spear phishing emails to each target. It should therefore come as no surprise that (as per the SANS Institute) spear phishing accounts for 95% of all attacks on enterprise networks.
Another big cause of breaches is employees themselves. Breaches occur when less than careful employees fail to take enough measures to protect themselves and their systems. A small act of negligence, such as leaving a system unattended, can inadvertently end up exposing the organization to vulnerabilities.
Another group of employees that might cause a breach are those with malicious intent, or disgruntled current or ex-employees. This group is really dangerous, as they have access privileges and can easily go undetected while causing major harm to the enterprise.
The growing use of the public cloud, while it improves business efficiency, is also a cause for worry. Public clouds don’t have the same level of security as an enterprise would have.
For SMBs, clouds provide an attractive advantage: they have made starting a business much easier. With no major infrastructure investment, most services can now be accessed over the cloud; however, this exposes the company to cyberattacks originating from weak cloud security.
Next are two related concepts. First is Bring Your Own Device (BYOD), which refers to the practice of letting employees bring their own phones, laptops, etc., and allowing them to connect to the secure enterprise network and do their work.
This throws up a whole set of challenges and security risks. It is easy to breach a relatively less protected device when it is outside the secure office network, and once the device returns to the enterprise network it can become a launching pad for hackers to enter and attack the entire network.
Second is Bring Your Own Cloud (BYOC), which refers to the practice of employees using personal cloud services such as Google Drive or Dropbox to perform their work. This involves unsafe transfer and storage of data on the employee’s personal cloud, and sometimes storing the data back on the company cloud, which raises the risk of attack on the enterprise.
The Internet of Things (IoT) is another point of attack. Connected devices exchange information over the internet, and even a single compromised device can bring down the entire system.
A scenario could play out like this: one compromised system lets a hacker take control of all other devices. All the controlled devices can then be used to launch a deadly Distributed Denial-of-Service (DDoS) attack, which is basically sending thousands of queries to a system simultaneously, leading to its collapse.
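To make the flood described above concrete from the defender's side, here is an added example (not code from the original post) of the simplest first-line mitigation: a per-source sliding-window rate limiter that sheds requests above a threshold before they reach the application. The traffic, the addresses (RFC 5737 test ranges) and the 20-requests-per-second threshold are all constructed for the demo; real DDoS protection also needs upstream capacity, but the mechanics of "too many queries from one place in too short a time" are the same.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Per-source sliding-window limiter.

    Accepts at most `max_requests` from one source within any span of
    `window_s` seconds; everything above that is shed instead of reaching
    the application. The thresholds are constructed for the demo.
    """

    def __init__(self, max_requests=20, window_s=1.0):
        self.max_requests = max_requests
        self.window_s = window_s
        # source -> timestamps of the requests accepted from it, oldest first
        self._accepted = defaultdict(deque)

    def allow(self, source, now):
        """Return True if the request at time `now` is admitted, else False."""
        q = self._accepted[source]
        # Evict timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window_s:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def simulate(requests, limiter=None):
    """Replay (timestamp, source) pairs through the limiter.

    Returns {source: (accepted, dropped)} so the effect on each client
    is visible.
    """
    limiter = limiter or SlidingWindowLimiter()
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}


def constructed_traffic():
    """Constructed sample traffic: one legitimate client sending 5 requests
    per second for 2 seconds, plus three bot sources each firing 100
    requests inside a single second."""
    reqs = [(i * 0.2, "203.0.113.5") for i in range(10)]
    for bot in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
        reqs.extend((0.5 + i * 0.005, bot) for i in range(100))
    return reqs


if __name__ == "__main__":
    for src, (ok, dropped) in sorted(simulate(constructed_traffic()).items()):
        print(f"{src:15} accepted={ok:3} dropped={dropped:3}")
```

The legitimate client never hits the limit, while each bot source gets 20 requests through and the remaining 80 are shed. The important design choice is that the window is tracked per source rather than globally, so one flooding source cannot starve everyone else.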
One highly publicized case was that of a security researcher remotely taking control of a Tesla Model S from 12 miles away and interfering with its navigation, thus exposing the vulnerability in the system.
However, it is not just connected vehicles; even the fast-growing use of connected drones poses the risk of dronejacking (hijacking of drones). As per Gartner, there are 6.3 billion connected devices, and this number will be 20 billion by 2020. Given this backdrop, it will be extremely important to secure this new connected world.
Securing through human intervention
As per the Ponemon Institute, malicious or criminal attacks account for 49% of data breaches, employee negligence for 19%, and system glitches for 32%. Of all these, employee negligence is probably the easiest to fix. In an SMB, employees are the gatekeepers of the business’s security, so training them on an ongoing basis is vital.
Sensitizing employees to safe practices, identifying signs of an attack, and responding to cyber-attacks should all be part of regular training. Special emphasis must be given to tackling spear phishing emails and social engineering attacks. Overall, cybersecurity should be part of the organization’s DNA; this is the best way for it to protect itself.
Another relatively simple way of securing a company in cyberspace is by having its employees frequently change their passwords and make them long and difficult to guess. Further, employees must be required to apply all new software patches as soon as they become available.
New patches not only bring functionality enhancements but also security fixes that are meant to quickly close previously unidentified vulnerabilities before they become known and exploited by hackers.
For improved protection on the employee front, SMBs should implement strong identity and access management (IAM) systems. This will prevent unauthorized data access and breaches. If possible and feasible, a better approach is to let employees have separate personal and work devices.
However, if that’s not feasible, then there must be clear policies on securing BYOD and BYOC, and these must be strictly enforced without exception. Kaspersky Lab identified 8.5 million new mobile malware installations, and it also found that mobile attacks tripled between 2015 and 2016.
Finally, to protect against financial losses, organizations must ensure that there are separate computers for carrying out financial transactions only, and that no one other than authorized employees has access to them.
Securing through technology intervention
Securing the cloud requires upfront research on choosing the right service provider and reviewing their security infrastructure, incident response systems, and previous track record. Despite the improving security levels of cloud services, most providers have clauses of joint responsibility in securing data.
Understand your part of the joint responsibility and ensure that it is implemented and followed at all levels within the organization. For some SMBs, a hybrid cloud, i.e., a combination of public and private cloud, provides the required security and business continuity and is therefore preferred.
In a hybrid cloud, sensitive information is usually stored on the company’s private cloud, whereas the remaining applications are on a public cloud. Hybrid systems create virtual private networks (VPNs) and allow back-and-forth information transfer between the private and public cloud.
This information transfer must be secured by way of strong encryption and authentication, both during storage and during transfer. Frequently, application programming interfaces (APIs) are used to access cloud services; proper care must be taken to prevent application-layer threats and to secure the back-and-forth API traffic.
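The "authentication of API traffic" point above is easiest to see in code. The following is an added example, not code from the original post or from any particular cloud provider: every request between the private and public side carries an HMAC signature over the method, path, timestamp and body, computed with a per-client shared secret, and the receiving side rejects anything unsigned, tampered, stale or replayed. The client id, secret, header names (`X-Client-Id`, `X-Timestamp`, `X-Signature`) and invoice payload are all constructed for the demo; the scheme complements TLS (which protects the data in transit) rather than replacing it, because it binds each request to a known client.

```python
import hashlib
import hmac
import json
import time

# Constructed credentials for the demo: a real deployment issues one secret per
# client and stores it in a secrets manager, never in source code.
CLIENT_ID = "svc-billing-01"
CLIENT_SECRET = b"constructed-demo-secret-do-not-reuse"
MAX_CLOCK_SKEW_S = 300  # reject requests whose timestamp is off by more than 5 minutes


def _canonical(method, path, body, timestamp):
    """Bytes that both sides sign: method, path, timestamp and a hash of the body."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), body_hash]).encode()


def sign(method, path, body, timestamp, secret=CLIENT_SECRET):
    return hmac.new(secret, _canonical(method, path, body, timestamp), hashlib.sha256).hexdigest()


def build_request(method, path, payload, timestamp=None):
    """Client side: serialize the payload deterministically and attach the headers."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    ts = int(time.time() if timestamp is None else timestamp)
    headers = {
        "X-Client-Id": CLIENT_ID,  # hypothetical header names for the demo
        "X-Timestamp": str(ts),
        "X-Signature": sign(method, path, body, ts),
    }
    return {"method": method, "path": path, "headers": headers, "body": body}


def verify_request(req, now, seen_signatures, secrets=None):
    """Server side. Returns (accepted, reason). `seen_signatures` is the
    server's replay cache (a plain set here; a TTL cache in production)."""
    secrets = secrets if secrets is not None else {CLIENT_ID: CLIENT_SECRET}
    h = req["headers"]
    secret = secrets.get(h.get("X-Client-Id"))
    if secret is None:
        return False, "unknown client"
    try:
        ts = int(h["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW_S:
        return False, "stale timestamp"
    expected = sign(req["method"], req["path"], req["body"], ts, secret)
    # Constant-time comparison so the check does not leak the signature byte by byte.
    if not hmac.compare_digest(expected, h.get("X-Signature", "")):
        return False, "bad signature"
    if expected in seen_signatures:
        return False, "replay"
    seen_signatures.add(expected)
    return True, "ok"


def demo():
    """Exercise the four cases a practitioner should see: a valid request,
    the same request replayed, a tampered body and a stale timestamp."""
    now = 1_700_000_000  # constructed fixed clock so the demo is deterministic
    payload = {"customer": "c-42", "amount_cents": 1999}
    seen = set()
    req = build_request("POST", "/v1/invoices", payload, timestamp=now)
    results = {"valid": verify_request(req, now + 5, seen)}
    results["replay"] = verify_request(req, now + 6, seen)
    tampered = dict(req, body=req["body"].replace(b"1999", b"1"))
    results["tampered"] = verify_request(tampered, now + 5, set())
    stale = build_request("POST", "/v1/invoices", payload, timestamp=now - 1000)
    results["stale"] = verify_request(stale, now, set())
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:9} -> {'accepted' if ok else 'rejected'} ({reason})")
```

Two details matter more than they look: the body is hashed into the signed string, so changing a single digit of an amount invalidates the signature, and the timestamp plus replay cache mean a captured request cannot simply be resent later.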
Now, to tackle direct attacks, companies must have multi-layered protection systems and strategies in place. Beginning with perimeter protection, companies should have the latest firewalls and anti-malware. Furthermore, due care must be given to putting adequate Endpoint Protection Platforms (EPPs) in place.
At the network layer, an Intrusion Prevention System (IPS) and strong access control must be put in place. A better approach for an SMB might be to have a Unified Threat Management (UTM) system, which combines the features of IPS/firewall, web filtering, and message security.
Further, depending on the stage of an SMB, it might be critical to have a Security Information and Event Management (SIEM) system. A SIEM combines inputs from the boundary, network, host, application, and data levels and provides comprehensive insight into threats from various places on the network.
Having multi-layered security in place doesn’t provide all the protection needed. Securing the network Wi-Fi through encrypted Wi-Fi Protected Access 2 (WPA2) is a good first measure. Additionally, having a separate guest Wi-Fi for visitors is critical, and such a Wi-Fi must be completely separated from the main Wi-Fi through strong firewalls.
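What "combining inputs from several levels" buys you is best shown with a small correlation, so here is an added example (not from the original post, and not any vendor's SIEM logic) that joins a host-level auth log with a boundary-level firewall log. The log lines, the host inventory (`web01` at `10.0.0.12`), the allowed egress ports and the thresholds are all constructed; the two rules are assumptions of the demo. Either log on its own looks mildly suspicious; together they turn into a high-confidence alert that a brute-forced account was followed by an unusual outbound connection from the same host.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample events from two layers a SIEM would combine: a Linux auth
# log from host web01 and an outbound-connection log from the boundary firewall.
AUTH_LOG = """\
Aug 14 10:02:11 web01 sshd[2210]: Failed password for admin from 198.51.100.23 port 51022 ssh2
Aug 14 10:02:13 web01 sshd[2210]: Failed password for admin from 198.51.100.23 port 51023 ssh2
Aug 14 10:02:15 web01 sshd[2210]: Failed password for admin from 198.51.100.23 port 51024 ssh2
Aug 14 10:02:16 web01 sshd[2210]: Failed password for admin from 198.51.100.23 port 51025 ssh2
Aug 14 10:02:19 web01 sshd[2211]: Accepted password for admin from 198.51.100.23 port 51026 ssh2
Aug 14 10:05:02 web01 sshd[2290]: Failed password for bob from 203.0.113.9 port 40111 ssh2
Aug 14 10:05:40 web01 sshd[2291]: Accepted password for bob from 203.0.113.9 port 40112 ssh2
"""
FW_LOG = """\
Aug 14 10:03:01 fw01 kernel: OUTBOUND src=10.0.0.12 dst=198.51.100.77 proto=TCP dpt=4444
Aug 14 10:06:00 fw01 kernel: OUTBOUND src=10.0.0.12 dst=93.184.216.34 proto=TCP dpt=443
"""

# Constructed asset inventory and egress policy (a real SIEM pulls these from
# the CMDB and the firewall configuration).
HOST_IPS = {"web01": "10.0.0.12"}
ALLOWED_OUTBOUND_PORTS = {53, 80, 443}

TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
AUTH_RE = re.compile(TS + r" (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
FW_RE = re.compile(TS + r" (\S+) kernel: OUTBOUND src=(\S+) dst=(\S+) proto=\S+ dpt=(\d+)")


def parse_ts(text, year=2017):
    """Syslog timestamps carry no year; assume one so events can be ordered."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def parse_events(auth_log, fw_log):
    """Normalize both formats into one time-ordered event stream."""
    events = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, host, result, user, src = m.groups()
            events.append({"kind": "auth", "ts": parse_ts(ts), "host": host,
                           "result": result, "user": user, "src": src})
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, _fw, src, dst, dpt = m.groups()
            events.append({"kind": "fw", "ts": parse_ts(ts), "src": src, "dst": dst, "dpt": int(dpt)})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, fail_threshold=3, window_s=120):
    """Two rules that only make sense when layers are combined:
    1. >= fail_threshold failed logins followed by a success from the same
       source within window_s seconds -> brute-force-success (high).
    2. Outbound connection to a port outside the egress policy; escalated to
       critical when the internal host was already flagged by rule 1."""
    alerts = []
    failures = defaultdict(list)   # (host, user, src) -> failure timestamps
    flagged_hosts = {}             # internal IP -> hostname flagged by rule 1
    for e in events:
        if e["kind"] == "auth":
            key = (e["host"], e["user"], e["src"])
            if e["result"] == "Failed":
                failures[key].append(e["ts"])
                continue
            recent = [t for t in failures.pop(key, []) if (e["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= fail_threshold:
                alerts.append({"severity": "high", "rule": "brute-force-success", "host": e["host"],
                               "user": e["user"], "src": e["src"], "ts": e["ts"], "failures": len(recent)})
                flagged_hosts[HOST_IPS.get(e["host"], e["host"])] = e["host"]
        elif e["dpt"] not in ALLOWED_OUTBOUND_PORTS:
            flagged = e["src"] in flagged_hosts
            alerts.append({"severity": "critical" if flagged else "medium", "rule": "unusual-outbound-port",
                           "host": flagged_hosts.get(e["src"], e["src"]), "dst": e["dst"], "dpt": e["dpt"],
                           "ts": e["ts"]})
    return alerts


def run_demo():
    return correlate(parse_events(AUTH_LOG, FW_LOG))


if __name__ == "__main__":
    for a in run_demo():
        print(f"[{a['severity'].upper():8}] {a['rule']:22} host={a['host']} at {a['ts']:%H:%M:%S}")
```

Note that `bob`'s single failed login followed by a success produces nothing, and the later connection to port 443 is within policy, so the output is two alerts rather than noise about every event. That filtering, plus the escalation from "medium" to "critical" once the host is already flagged, is the part an SMB cannot get from a firewall or an endpoint agent looking at its own logs alone.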
Mature businesses often have an on-premise Security Operations Center (SOC), where information security specialists continuously monitor and analyze the network for threats and respond when an incident happens.
For SMBs, having their own SOC isn’t an option for cost reasons, but using solutions such as SOC-as-a-Service can be a good option. This way SMBs can get access to security specialists and round-the-clock protection and response at a fraction of the traditional SOC cost.
Another protection option that SMBs should consider is cyber insurance. Though cyber insurance doesn’t directly contribute to security, it surely helps with business continuity. This is a fast-emerging field and covers business liability in case of breaches and data leakages.
Cybersecurity is no longer a fancy term that won’t affect SMBs. In fact, one harsh reality for businesses — big or small — is that there is no such thing as 100% security from cyber attacks.
Statistically, even the safest and most impenetrable organization will be affected by an attack at some point. However, the extent of damage that a successful attack does will depend on the cybersecurity preparedness of the organization.
SMBs must always consider cybersecurity as part of system design; in fact, it should be part of the initial architecture and set up in such a way that it scales as the organization scales.
If you enjoyed reading the post, please don’t forget to press the ♡ icon below. There is no better encouragement for a writer than getting the appreciation and recommendation of readers.