A security expert explains how to combat the new types of attacks threatening small businesses.
Ransomware, spear-phishing, targeted attacks – new cyber threats are on the rise, although most use familiar tricks like persuading people to open malware-laden email attachments.
That makes it “more critical than ever” for small businesses to focus on the fundamentals of cyber security, Symantec's Pacific region information protection business manager Nick Savvides told BIT.
These fundamentals include:
- Installing reputable, frequently-updated endpoint security software (what most of us still call anti-virus)
- Using strong passwords, and taking advantage of two-factor authentication (such as codes sent to your mobile phone) where it is available
- Implementing a strict back-up regime
- Being cautious about opening emails and attachments.
"A big chunk of the targeted attacks" are aimed at small businesses, Savvides said. For example, Symantec’s latest Internet Security Threat Report found that 43 percent of spear-phishing attacks – fraudulent emails that appear to be from an individual or business you know – specifically targeted small businesses in 2015. That’s up from 34 percent in 2014.
Professional services firms targeted
Ransomware – malware that encrypts files, making them useless until a ransom is paid – is also on the rise.
“In fact, Australia is the number one target for ransomware targets in the Southern Hemisphere with the average number of ransomware attacks per day increasing 141 percent from the year before,” Savvides said. “The country was also ranked as one of the top ten targets globally for social media scams and targeted attacks.”
He said that professional services firms – accountants, lawyers, medical practices and so on – are "highly targeted right now" by the criminal elements behind ransomware, as they present lucrative targets. The high value of the data stored by such businesses means they are highly likely to pay the ransom if they can't recover it from backups.
The top method for spreading ransomware is via email, he said. Cyber criminals are now producing well-crafted and more targeted messages that get through the filters used by mail services.
"People expect the filters will take care of this, but they don't," said Savvides. "They only need to suspend the victim's suspicion for a few minutes."
The prevalence of ransomware makes good backup practices "super-critical", he said, using a “multi-tier” strategy to back up to more than one device, such as an external hard drive, NAS device and a cloud storage service. It’s also important to store multiple versions of each file; otherwise the ransomware-encrypted versions could overwrite the only remaining good copy.
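The versioning point above is the one that decides whether a backup survives ransomware, so here is an added example (not code from the article or from Symantec) that contrasts the two patterns: a plain mirror that overwrites its single copy, and a versioned store that writes each changed file as a new version beside the last one. Everything in it is constructed for illustration: the file names, the `v0000_<hash>` naming scheme and the `keep` retention limit are this example's own choices, not a product's format.

```python
"""Versioned backups versus a plain mirror (added example, constructed scenario).

A mirror/sync backup overwrites its single copy on every run, so once ransomware
has encrypted a file the next sync replaces the only good copy with the encrypted
one. A versioned store keeps each changed version beside the previous ones, so
the pre-encryption copy is still there to restore from.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Content hash used to decide whether a file actually changed since the last run."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def mirror_backup(src: Path, mirror_dir: Path) -> Path:
    """The weak pattern: one copy, overwritten on every run."""
    mirror_dir.mkdir(parents=True, exist_ok=True)
    dest = mirror_dir / src.name
    shutil.copy2(src, dest)
    return dest


def versioned_backup(src: Path, store: Path, keep: int = 5) -> Optional[Path]:
    """Store src as store/<name>/vNNNN_<hash8> only if its content differs from
    the newest stored version. Returns the new version's path, or None if the
    file was unchanged. Keeps at most `keep` versions (oldest pruned first)."""
    bucket = store / src.name
    bucket.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(src)
    versions = sorted(bucket.iterdir())          # names sort by version number
    if versions and versions[-1].name.endswith(digest[:8]):
        return None                              # unchanged since last run
    next_no = int(versions[-1].name[1:5]) + 1 if versions else 0
    new = bucket / f"v{next_no:04d}_{digest[:8]}"
    shutil.copy2(src, new)
    for old in versions[: max(0, len(versions) + 1 - keep)]:
        old.unlink()                             # prune beyond the retention limit
    return new


def list_versions(store: Path, name: str) -> list:
    bucket = store / name
    return sorted(bucket.iterdir()) if bucket.exists() else []


def restore(store: Path, name: str, index: int, dest: Path) -> Path:
    """Copy the chosen version (index 0 = oldest kept) to dest."""
    shutil.copy2(list_versions(store, name)[index], dest)
    return dest


def demo() -> dict:
    """Constructed scenario: one good save, then the file is 'encrypted' (here
    simply overwritten with junk bytes), then both backup styles run again."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        doc, mirror, store = work / "ledger.xlsx", work / "mirror", work / "versions"
        doc.write_bytes(b"good ledger data")
        mirror_backup(doc, mirror)
        versioned_backup(doc, store)
        versioned_backup(doc, store)             # unchanged: no new version written
        doc.write_bytes(b"\x8f\x1c\xe2\x00encrypted-by-ransomware")  # simulated damage
        mirror_backup(doc, mirror)               # the only mirror copy is now encrypted
        versioned_backup(doc, store)             # a second version is added instead
        return {
            "mirror": (mirror / doc.name).read_bytes(),
            "versions": len(list_versions(store, doc.name)),
            "restored": restore(store, doc.name, 0, work / "restored.xlsx").read_bytes(),
        }


if __name__ == "__main__":
    print(demo())
```

After the simulated encryption the mirror holds only the encrypted bytes, while the versioned store holds two versions and version 0 restores the original content. The same idea applies to the multi-tier point in the text: the version history should live on the external drive, NAS or cloud tier rather than on the machine that ransomware can reach, and retention must be long enough that the damage is noticed before the last good version is pruned.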
Savvides warned that not all small business service providers are well informed about security issues.
Some, for example, set up remote access to their clients' computers and servers to avoid the need to attend the premises every time a system needs attention. There's nothing inherently wrong with that, but it must be done correctly and securely as cyber criminals are looking for insecure systems to exploit.
This point was underscored by a recent warning from the Federal Government's Stay Smart Online that small businesses are being attacked via servers configured to allow remote access via the Windows Remote Desktop Protocol (RDP).
Once they discover an exposed server, "Criminals use 'brute force' attacks targeting weak passwords to guess the server logon password," according to Stay Smart Online. "Brute force is where an automated tool is used to work through all possible passwords until it finds the correct one. Once logged on, criminals can manually encrypt business files, including databases in some examples. They then leave a ransom notice on the server or send the business owner an email demanding they pay a ransom for the 'key', or code, to unlock the files. Ransom amounts have been known to reach up to AUD$8,000."
Servers allowing Virtual Network Computing (VNC) access are similarly vulnerable to such attacks. Remote access via a virtual private network (VPN) with strong passwords and two-factor authentication is more secure.
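The brute-force pattern Stay Smart Online describes leaves a clear trail in the Windows Security log: each failed guess is a failed-logon event (Event ID 4625) and RDP sessions carry logon type 10 (RemoteInteractive), so a burst of such events from one source address, followed by a successful logon (4624) from the same address, is the signature to alert on. The following added example (not code from the article, Symantec or Stay Smart Online) runs that detection over constructed sample lines. The lines use a simplified `key=value` form of this example's own devising rather than a real event export, and the threshold of five failures in sixty seconds is illustrative.

```python
"""Detect RDP password brute-forcing from Windows Security log events
(added example; the log format below is constructed and simplified).

Event ID 4625 = failed logon, 4624 = successful logon; logon type 10 is
RemoteInteractive, i.e. an RDP session. Many 4625/type-10 events from one
source address inside a short window is the automated guessing pattern;
a 4624 from that address afterwards means a guess succeeded.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUser=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

# Constructed sample: a normal user, a slow trickle of failures from one
# address, and a rapid guessing burst from 203.0.113.45 that ends in success.
SAMPLE_LOG = """\
2016-05-10T09:00:01 EventID=4625 LogonType=10 TargetUser=jane IpAddress=192.168.1.20
2016-05-10T09:00:09 EventID=4624 LogonType=10 TargetUser=jane IpAddress=192.168.1.20
2016-05-10T09:05:00 EventID=4625 LogonType=10 TargetUser=bob IpAddress=198.51.100.7
2016-05-10T09:09:00 EventID=4625 LogonType=10 TargetUser=bob IpAddress=198.51.100.7
2016-05-10T09:12:03 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.45
2016-05-10T09:12:05 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.45
2016-05-10T09:12:08 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.45
2016-05-10T09:12:11 EventID=4625 LogonType=10 TargetUser=admin IpAddress=203.0.113.45
2016-05-10T09:12:14 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.45
2016-05-10T09:12:17 EventID=4625 LogonType=10 TargetUser=backup IpAddress=203.0.113.45
2016-05-10T09:12:20 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.45
2016-05-10T09:12:23 EventID=4625 LogonType=10 TargetUser=administrator IpAddress=203.0.113.45
2016-05-10T09:12:45 EventID=4624 LogonType=10 TargetUser=administrator IpAddress=203.0.113.45
2016-05-10T09:15:00 EventID=4625 LogonType=10 TargetUser=bob IpAddress=198.51.100.7
"""


def parse_event(line: str):
    """Parse one sample line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"],
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return one alert per source address that produced `threshold` or more
    failed RDP logons inside `window`; escalate if that address later logs in."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = Counter()             # ip -> all RDP failures seen
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}                   # ip -> alert record
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue              # only RemoteInteractive (RDP) logons matter here
        ip = ev["ip"]
        if ev["event_id"] == FAILED_LOGON:
            total[ip] += 1
            users[ip].add(ev["user"])
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:
                q.popleft()       # slide the window forward
            if len(q) >= threshold:
                a = alerts.setdefault(ip, {"ip": ip, "severity": "brute-force", "first": q[0]})
                a.update(failures=total[ip], users=sorted(users[ip]), last=ev["ts"])
        elif ev["event_id"] == SUCCESS_LOGON and ip in alerts:
            alerts[ip].update(severity="success-after-brute-force", logged_in_as=ev["user"])
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, 198.51.100.7 never trips the rule because its three failures are spread over ten minutes, while 203.0.113.45 is flagged at its fifth failure and escalated when the later 4624 arrives. In practice the same logic runs over events pulled from the Security log (or a SIEM), and an alert of the escalated kind should trigger immediate password resets and a check of what that session did; the more durable fix is the one the text gives, which is not exposing RDP or VNC directly and putting remote access behind a VPN with strong passwords and two-factor authentication.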
Targeting customer data
Another issue is that service providers don't always correctly value their clients' data, Savvides said. Attacks on small businesses aren't generally after the organisation's own data, but rather the information they hold about their customers or clients. That's especially true about information that can be used in identity theft, so accounting firms are "a juicy target for the bad guys".
Also, medical records – which often contain name, address, date of birth, Medicare number and more – sell for around $40 each on the black market. That's a lot more than the 25c paid for stolen Netflix account credentials.
Savvides suggested that small businesses should ask their service providers whether they read Symantec's Internet Security Threat Reports and similar publications from other security companies.
Although small businesses don't have access to the training courses used by bigger enterprises, there are plenty of online resources from law enforcement and security vendors that can help.
So warn your staff that your business is likely to be attacked and that they are the last line of defence, and give them an hour or two to work through some of those training materials.