The times they are changing: 'How cybercrime is hitting the smaller company'

You can’t help but notice all the recent news events on hacked identities and financial information stolen by cybercriminals; News about some major company being breached and millions of customer credit card details stolen. These breaches seem to be more regular and it’s true, they are. The latest research by Price Waterhouse Cooper (PWC) in their Global State of Information Security Survey shows that there were 42.8 million cybersecurity incidents in 2014, an increase of 48% from the previous year.

As a smaller business, it’s easy to brush cyber threats off as being a problem for the ‘big boys’. That was certainly the case, 10 years ago, but not now. Now cybercriminals are turning their bready eyes on you – the small business.

Analysis of the situation has borne this out. A number of analysts and companies have quantified the threat to smaller organizations from cybercrime. A report by Verizon found that almost 62% of breaches were against SMB’s. And according to IBM and the Ponemon Institute, smaller companies feel the pain of a breach more too, with a higher per capita cost than an enterprise. 

It seems that cybercriminals want to expand their portfolio and they are doing it at the cost of the smaller organization. In the security report by PWC mentioned above they describe the situation like this:

“Small firms often consider themselves too insignificant to attract threat actors—a dangerous misperception.”

Why are Smaller Companies a Target?

There are three main reasons why cybercriminals are targeting the SMB:

1.     You seem like easy prey. Smaller organizations don’t have the time, money or internal knowledge base to cope with cyber threats

2.     You are often part of a bigger chain. Cybercriminals are targeting smaller organizations as a way of getting at the ‘big boys’ through the supply chain

3.     It is becoming easier to hack. Malware can be bought, sometimes for a few dollars from the dark web. Legitimate devices used by penetration testers can be bought for less than $100 and can be used to intercept internet traffic and steal login credentials.

Types of SMB Focused Cyber Threats

Let’s look at some of the ways that smaller companies are being targeted.

Phishing emails: Phishing and its partner in crime, spear phishing, is the weapon of choice for infecting a small company with malware. Phishing emails are emails that look like they’ve come in from a legitimate company like PayPal or Amazon and they ask you to click on a link. The link takes you to a site that looks just like the real one. There, you are asked to log in. If you do, the phisher takes your login credentials and hey presto can now access your real account.

Phishing is quite widely understood, but its counterpart, spear phishing is more sinister and is on the rise as a means of attack against the smaller business. It originally was the preserve of large enterprises such as Microsoft who suffered at the hands of spear phishers. But a 2015 report by Symantec on the levels of spear-phishing experienced by different size companies has shown that firms with 1-250 employees suffer spear-phishing attacks almost as much as those with 2500+ employees, seeing 31.5% and 37.6% of spear-phishing attacks respectively.

A spear-phishing email is targeted. They find a company, pick a high-level employee, typically a business owner, director, or IT administrator and send out a phishing email to that person. The email will be highly personalized; it will use their name and often masquerade as an internal email, perhaps from a superior, asking the user to login to the network. The type of person they target will invariably have privileged access to their company resources. Again, the link in the email will be to a spoof site. Once login credentials are entered the cybercriminal has your login details and can access whatever business resources you can.

Spear phishing emails have been behind some of the largest cyber-breaches in recent years. In many cases the email is sent to a supply chain member – a small vendor who services a much larger company. Often supply chain members are given privileged access to network resources. This was the case in the Target breach, which saw the loss of 70 million personal records. In this breach, a spear phishing email was sent to an HVAC company in the supply chain. Once phished, the login credentials were used to hack Target – I doubt that Target employ that company now.

Business email compromise: Hackers are going after small business bank accounts big time. The FBI began tracking these types of attacks in 2013 and has seen losses of $740 million in the U.S. alone. This type of scam uses social engineering, or computer intrusion techniques, to gain access to the email accounts of senior executives or spoof emails. There are several variants of this attack but all involve some sort of reconnaissance on their targets, which can be small or large companies across all sectors. Sometimes email accounts of executives are hacked, sometimes, it is a phishing email, but the results are a wire transfer to a ‘trusted supplier’ or ‘law firm’ into a hackers account.

Ransomware: one of the most scary and nasty pieces of malware is the infamous ransomware. A variant of this is Cryptowall. Ransomware is a type of malware. If you become infected it will encrypt data on your local machine, network drives and even cloud storage. Once encrypted it then opens a screen on your computer which says if you pay up (usually $500-$1000, but sometimes as much as $10,000) in 7 days, your data will be decrypted. Of course we’re dealing with cybercriminals here so there’s no guarantee decryption will happen. The FBI has said that Cryptowall is the largest ransomware threat to small business. In the 2nd quarter of 2015 Cryptowall extorted $18 million from U.S. businesses.

Data losses: IBM x-Force in conjunction with Ponemon Institute has shown that 2014 was the year of the leaked record. 2014 saw more than 1 billion pieces of Personally Identifiable Information (PII) stolen, up 25% on 2013, which in itself was a record year. Cyber thieves are after data. If you hold customer records, have intellectual property or proprietary information, cybercriminals are after it. There are a number of ways that data can be stolen – phishing emails that grab login credentials, malware that sits and slowly steals data, and insiders, simply stealing information they have access to.

What Can a Small Business Do To Thwart Cybercrime?

There are some basic actions you can take to help mitigate the threats of cybercrime against you, your business and your customer.

1.     Keep software patched. Malware is usually successfully installed because it finds a hole in your software. Make sure you have the latest versions of software such as, operating systems, browsers and Adobe Flash installed. Also check with your web hosting company that web servers and third party plug-ins are secure and patched.

2.     Have robust sign in credentials. If you only have the choice of a username/password, then make sure they are both not easily guessed and are strong. If you have a choice to use second factor, such as a text message pin number, do so, this is especially important for server and website administration access.

3.     Backup critical data. Make sure you have redundancy in your backups too.

4.     Train your employees. About phishing and especially spear phishing; be guarded.

5.     Think about security. Put a strategy in place to handle security threats, incidents and breaches.

6.     Cyber insurance. Look into putting some sort of insurance plan in place.

Small businesses are as much of a target as a large enterprise, but often don’t have the resources to manage cyber threat levels. Being aware of the methods that cybercriminals use to target your company and knowing what you can do to lower those risks, may start to waken the world of cybercrime up and show them that small doesn’t mean an easy target.