Cybersecurity is a pretty big deal if you own a business.
It’s no big revelation that strong cybersecurity measures are a necessity, for a lot of reasons. We’re all familiar with hackers and viruses and high-profile attacks generally speaking. But we also assume “Hey, of course they’re going to target the CIA or a massive billion-dollar enterprise. But why would they bother targeting my coffee shop in Cornwall?” Here’s the real deal though: companies with fewer than 250 employees comprise almost a third of those targeted by cyber attacks. Attackers go for the targets who have the weakest defenses, so they look at smaller businesses, knowing they might not be taking security as seriously as they should. Which means your business needs to be prepared. And the best way to start preparing is to actually understand the types of threats out there.
So, to help you get started, let’s do a rundown of common threats small and medium businesses frequently come up against, as well as the weaknesses that attackers tend to exploit with businesses like yours.
Be malware aware
Let’s start by looking at the term “malware”: it’s a broad term, used to refer to any piece of software or firmware that is used to harm a device or system. Here’s a closer look at some of the more specific kinds of malware your business might have to face.
What is it? No doubt, you’re familiar with this term. Simply put, this category of malware is a piece of code that inserts itself into a program. The affects can range from minor annoyances—like a program slowing down or freezing up—to major security breaches.
What does this mean for my business? While any virus can affect the day-to-day operations of your business’s computer systems and programs, there’s a specific type of virus that is especially significant if your business runs on a network of computers, known as a Worm: a self-replicating virus. They don’t just affect one computer because they’re capable of making their way through an entire network, which means your whole business can slow to a halt if the virus is damaging enough.
What is it? Here’s the deal with scrapers and dumpers: they essentially access a device’s memory and copy it over to the attacker, giving them access to any information stored on it.
What does this mean for my business? Scrapers and dumpers are major players in a lot of cyber attacks against businesses. Every business has sensitive information. Even if you’re thinking “hey, I’m not a law office or a financial institution, what ‘sensitive information’ could possibly draw an attacker to me?” Well, for identity theft, your employee’s personal information, for instance. And if you’re a retailer, your point-of-sale terminal is pretty appealing, filled with valuable credit card information stored in them. Which means your customers are also put at risk if you don’t have proper (and frequently updated) firewalls set up on your POS system. This is a huge liability for your business that could result in legal consequences for you as the owner.
What is it? You would think that anything with the word “spy” in it would at least be a little bit cool. Turns out, great film genre, but a terrible malware problem to encounter. An attacker uses spyware to monitor activity on a device or network, so they can see everything from your online activity, to log-in credentials, and even keystrokes. There are also remote administrative tools, or RATs2. While spyware lets attackers monitor your system, RATs fully hand over control of the device to the attacker, as if they were sitting right at your desk.
What does this mean for my business? It’s easy to brush off spyware by thinking “who would want to spy on little ol’ me and my business? It’s not THAT interesting.” The reality is, whether or not you think your business is “worth” hacking is beside the point. (P.S.: of course your business is interesting! And we don’t just mean to hackers!).
What it really comes back to is what we mentioned before: you probably have more sensitive information stored in your business’s network than you realize that spyware could access: employee information, customer payment details, your financial information and more.
What is it? Like the name implies, ransomware is like a hostage situation. An attacker encrypts their target’s files so they are unable to be accessed until a ransom is paid—usually some form of cryptocurrency sent to an untraceable account. These have been in the news a lot recently, like when the city of Atlanta had to pay over $2.6 million in response to ransomware attacks that infected the city’s municipal systems3. To look at the big picture here, one study actually showed that the downtime from ransomware alone could be costing businesses more than $8,500 per hour4.
What does this mean for my business? This is a little more direct of a threat than someone trying to get a hold of your sensitive information. It skips the middleman, basically, and gets straight to turning a profit for the attacker, who can block a business’s access to files—such as your customer list, projects you’re working on, etc.—programs like crucial software or email services, or networks until their demands are met. So, whether you’re a multi-billion-dollar company or our old friends at that coffee shop in Cornwall, you could be a target.
How’d you get in there?
We know what kinds of attacks are commonly used against small and medium businesses now, but how do they even get into our systems in the first place? Let’s take a look at some of the techniques hackers use to give you an idea of what you need to be cautious of.
What is it? You’ve probably heard these referred to as Trojans, like the big ol’ wooden horse in the story. Same idea here: hide something dangerous in something that looks totally harmless.
How could my business be targeted? Malware is hidden within folders that might contain actual files you do need, making them appear perfectly safe. For example, folders containing programs, apps, media or documents you found online that seem like they could be useful. That’s why you should always make sure you trust the source that you’re downloading folders from, and always make sure your antivirus software is regularly updated to scan for these kinds of hidden files.
What is it? Phishing is becoming one of the most common techniques used against businesses, because on the surface, it can seem like a perfectly legitimate business inquiry or—even more anxiety-inducing—an urgent notice. And that’s where the bait-and-switch happens: a link or download contained in the email contains malware.
How could my business be targeted? Some attackers go beyond just the typical random email that seems, well, phishy. More and more, attackers are using a technique known as “social engineering” to increase the likelihood of success, gathering information off of company websites, or even over the phone to get employee names, job titles, and other relevant information to make the eventual phishing email, text or call seem more legitimate. No matter how much you trust your employees and know you’ve hired smart and cautious people, good phishing schemes can be hard to identify when they get to this point. That’s why company-wide training in security is so important. You and your employees should all be armed with knowledge that can help you identify suspicious calls from unknown people looking for company information that attackers will later use for a phishing scheme.
What is it? A distributed denial of service attack (DDoS) targets a company’s website, overwhelming the site from multiple attack hosts to the point of blocking any other visitors to access the site.
How could my business be targeted? Say you have a potential customer who’s looking for whatever product or service you offer. Or maybe their neighbour recommended your shop or restaurant. Where’s the first place they’re likely to go to find out more? You guessed it: your website. But that’s only if they can access it. Without proper up-to-date network and web application firewalls, your site could get attacked. And here’s the thing: DDoS attacks are cheap on the black market for attackers to acquire, so it’s an easy way for them to get to you. While they have your site locked up, you could lose potential customers or clients to a competitor whose site is working. Hackers believe you’ll pay to avoid that kind of potential loss of business.
Exploiting personnel oversights
What is it? You may have the greatest employees in the world. But… when it comes to digital security, people are always going to be one of the weakest links. Only 1 in 5 businesses use regular employee training as a method of preventing online security breaches.
How could my business be targeted? Let’s go the opposite direction this time and ask: How can your business avoid being targeted? Company-wide policies, processes, and training can be the difference between an attack being stopped before it even begins, and a huge security breach. You can give yourself a huge advantage by keeping everyone in your organization on the ball. Everything from educating employees on having strong passwords, implementing policies to flag suspicious calls or emails, or setting procedures for what to do if a device containing company information is lost or stolen. They say that teamwork makes the dream work, but it can also prevent a security nightmare.
You’re off to a great start by keeping yourself informed on the types of cyber threats your business might face. Spreading this knowledge to your team and letting it inform how you handle your business’s cybersecurity procedures is the next step to ensuring that you, your staff, and even your customers can be confident that your private information is safe.
This article appeared on businessblog.cogeco.ca and was reprinted with permission.