By Jonathan Krause, Owner, Forensic Control
Whilst large scale cyber-attacks are well documented, there is also an increasing number of e-commerce small businesses at threat from targeted attacks. A report released by Verizon showed that approximately 43% of cyber-attacks targeted small and medium enterprises (SMEs). Out of these, only 14% are prepared to defend themselves against cyber threats.
A further study conducted by the Ponemon Institute revealed that there is a rise in the number of attacks. 67% of SMEs experienced a cyber-attack in the form of either phishing, ransomware, or advanced malware, with another 58% also having experienced a data breach.
About half of these victims (47%) confirmed that they did not understand how to protect their organizations against digital attacks. That needs to change.
It’s vital that small business owners educate themselves on the basics of cybersecurity. They need to learn about the different types of attacks that can be launched against them.
Organized criminal gangs conducted 39% of the attacks. The methods used vary as well. Hacking accounted for 52%; Malware for 28%; and unauthorized users for 15% of the attacks.
Small businesses currently seem to lack the resources and knowledge to fight them, with many spending less than £500 annually on Cybersecurity products. This low spend could be linked to the fact that 54% of small enterprises believe that their companies are ‘too small’ to be targeted by cybercriminals.
According to Hiscox it costs on average $200,000 to deal with a cybersecurity incident.
That’s a big cost for a small business. It’s also reported that 60% of the affected companies close down within six months after the incident.
These stats make it clear why small businesses are almost the perfect target. They don’t have the knowledge and they don’t spend enough to protect themselves properly, because they don’t think they will be targeted.
The Most Common Types Of Cyber Attacks Small Businesses Face
There are many different cyber-attack types, but these are the most common that small business owners will face:
- Malware – Also known as malicious software. It’s one of the most prominent digital threats to small and medium-sized enterprises. It is designed to damage and gains access to a specific network and the digital devices connected to it. In most cases, security is breached when a user clicks on a bad link and downloads infected files into their devices. These links are placed on the internet by cybercriminals who have harmful intentions.
- DDoS – Distributed denial of service happens when a group of infected computers attacks a server, website, or any other network device by sending a high volume of messages and connection requests. This group of infected computers is known as Bot Network or simply Botnet. The attacked device slows down or “crashes”, which makes it unavailable to the users.
- Phishing – This is a common scam whereby cybercriminals trick people into clicking a link within a fake email or website. They do this so that they can gain access to a network or digital device. Phishing allows criminals to have access to private passwords, financial records, credit card information, and other data.
Cybercriminals understand that it is easy for employees in an organization to click on interesting links over a particular website or email. This gives them ready access to the organization’s network and computers.
- Inside attacks – There has been an incredible increase in cases of insider attacks. They mostly come from trusted outsiders, employees, and contractors who have authorized access to a particular network. The following may lead to an inside cyber-attack:
- Components of a system are affected by an unintentional mistake
- Intentional attempts to harm or destruct an organization – this is often done by a former or current dissatisfied employee
- An attempt to find specific data that is not accessible by the user
- Checking for weaknesses on the network
- Email initiated attacks – These occur when an individual clicks on a link or attachment in an email, either by mistake or by thinking that the link or attachment is legitimate. The emails are nicely formatted, and the links in these emails are attractive and enticing. However, once you click on the link, it may collect personal data, download a virus to the computer, or open up a file back at the command server asking for further instructions. The majority of small businesses do not have measures to prevent all that from happening. This enhances the spread of malware.
- Password attacks – In this situation, an automated system is used to generate various password combinations in an attempt to try and access a particular network. Consistently changing the users’ passwords, accounts, and admin credentials is one way of fighting this crime. The credentials can be changed in period intervals preferable to the business. It’s easy enough to do this quarterly or even monthly.
- Ransom-ware– This type of attack encrypts a device on a network and locks it down, rendering the device unavailable to the user until there is a payment. Some hackers may remove the encryption and unlock the device after payment. In some extreme cases, the hackers do not remove the encryption, forcing the business to incur more expenses in recovering the device.
- Website hijacking – In this scenario, hackers set up a legitimate website to download viruses and malware to any device that accesses the site. Legitimate sites are often not on the blacklist. Therefore, website hijacking can go unnoticed for quite some time, and this makes it a dangerous cyber-attack
Ways of Preventing Cyber Attacks for Small Businesses
Hackers and other cybercriminals are discovering new ideas every day to access small businesses’ computers, networks, and information.
If you’re in the UK you can benefit from Cyber Essentials. Cyber Essentials helps you to guard against the most common cyber threats and demonstrate your commitment to cybersecurity.
It’s hard to prevent cyber-attacks completely, but small business owners should always strive to educate themselves so they don’t fall victim to one.
Below are some ways of minimizing such attacks:
- Use of anti-virus and firewalls. This is one of the most common methods of dealing with malware. However, the anti-virus and firewall should be regularly updated to counteract any viruses, programs, and network or DDoS attacks. Encryption tools should also be used to scan files and links for malware.
- Minimize the use of removable media, such as USB drives, on the business’s computers. Additionally, it is advisable to routinely monitor and scan every device connected to your network or computer system.
- Make daily back up and duplicates of all files and data. This way, it will be easy to restore your data in the event of a digital attack that compromises the system or network.
- Limit the employees’ access to files, folders, and programs required for critical routine tasks.
- Always remind the employees to stay away from unsolicited links and attachments in emails.
- Carry out regular vulnerability tests and risk assessments on computer systems and networks. This helps to identify and rectify possible entry points into the net.
- Provide staff especially those in the IT department, with training on the current online threats and trends in digital attacks.
- Using multifactor authentication. This adds a layer of security, so there are more hurdles for an attacker to bypass before they get access to sensitive information.
- Invest in Cybersecurity insurance. Cybercriminals are becoming more and more sophisticated, meaning they can strike even the most security-conscious companies. Most of the insurance policies today will cover the cost of any lost data, as well as partly pay for the process of recovering any lost information.
- Protect your hardware that contains essential data such as hard- drives, USB drives, and laptops. Losing such equipment could have severe implications on the security of the company if it landed in criminals’ hands.
Loss of data has been one of the significant challenges that organizations face and fall victim to. Cyber-attacks are on the rise today, with 43% of the attacks targeting small and medium businesses.
Cybercriminals are getting wiser and more cunning by the day. They are continually designing new ways of infecting businesses’ computers with malware with the aim of stealing sensitive data and disrupting the core activities of an organization. Business cybersecurity needs to be a priority, with the whole organization providing a united front.
The options highlighted above can be used to minimize and negate the occurrence of cyber-attacks in small businesses. Regular backups, duplicating files and data, installing updated anti-viruses, and limiting the use of removable media on the business’s computers are some of the best ways to minimize cyber-attacks and improve security. Companies must also train all their staff on cyber-security and establish a robust security strategy.
About the Author
Jonathan Krause, Owner of Forensic Control. He is a leading cybersecurity and digital forensic specialist based in London, UK. After working as a computer forensic specialist in the Hi-Tech Crime Unit for the Metropolitan Police at New Scotland Yard, Jonathan founded Forensic Control in 2008. Since then, Jonathan and his team have advised on hundreds of data breaches for corporate clients of all sizes. Jonathan can be reached online at firstname.lastname@example.org and at our company website https://www.forensiccontrol.com/