Is Your Business a Sitting Duck?

Feature | By Charles Swihart

You see the news stories. Hospital and municipal computer networks breached. Countless small business computers attacked every day.  Daily, 250,000 new malware threats are released.  If your company hasn’t been breached in some fashion, you probably know one that has, and you feel like a sitting duck.

You might ask, “So what?  What are the real consequences of my business being hacked?” Here are two of the most common types of cybersecurity breaches perpetrated on small businesses and how they cause severe financial damage:


Ransomware

Sally, the office manager, innocently clicks on an email attachment. The attachment is a virus that was just released this morning, so your security software doesn’t know about it yet and allows it to open. This nasty virus does nothing at first. It waits until Friday night when it knows your employees are likely gone, and it spends the weekend encrypting the contents of all of the files on your network. You then receive an anonymous email telling you to pay up to have the data restored. Even if your data is backed up, your business may be offline for a day or two while you frantically work to restore your servers. This is often the time when enterprises find out their backups have not been working or that a critical project folder was somehow excluded. If you do have to pay the ransom, you will be going to your bank to get cash to take to Western Union to purchase bitcoin from some guy in South America. Then you will send the bitcoin to your friendly, anonymous foreign hacker and twiddle your thumbs waiting for him to send you a program you can use to decrypt your files. It will take you more than a day to figure out the bitcoin process and typically a few weeks to repair all of your data, and it may not even work. During all of this, your employees sit idle, and your clients sit not-so-patiently waiting on you to resume business. When you sum up the lost billable time, lost productivity and angry customers, it gets costly very quickly.

Email Compromise

Your accountant receives an email that looks like it’s from a vendor.  The email has a link to an invoice or another essential document, but your accountant must log in to Office 365 to see the material. Without knowing it, he has just shared his email account with a hacker.  Now the hacker is free to log in to the compromised email account from far away while no one knows they are there.  A few inbox searches for “wire,” “check,” “invoice,” “ACH” and “deposit” will reveal contact information for vendors, customers, the CEO and maybe even some bank account information.  They also have access to your accountant’s Outlook Calendar.  Now they can carefully craft emails to your accountant that look very real because they have access to all of the signatures, font settings, logos and other things they need.  The accountant may get an email from the CEO that looks just like any other.  It says to wire that usual amount of money to that usual vendor on that usual day, but it indicates new banking information from the vendor. Everything looks legitimate and reasonable, so he does what he usually does when the boss emails and in minutes, tens of thousands of dollars vanish.  A day later, when the vendor is calling about not being paid, it’s too late.  The bank account you wired is now closed.

How Can I Protect My Business?

There is no one single vulnerable door to your network that you must protect.  There are many ways in and all must be protected. Most business networks need nine areas of protection:

1. Security Assessment

Companies should have an IT audit conducted periodically. This process will generate an assessment that will explain where your cybersecurity weaknesses are and how to strengthen them.

2. Email Security

Most cybersecurity attacks originate in an email.  Implement a service that scans all emails before they get to your inboxes. Relying on Office 365 or Google Mail to protect you is not enough.

3. Passwords

Your server should enforce periodic network password changes and complex passwords.  Demand that users have unique passwords for the business network, LinkedIn, email and other resources.  A password utility such as Keeper or LastPass can help you track many complex passwords.

4. Security Awareness

Your users are the weakest entry point into your network.  This is why attacks via email are so prevalent.  Security Awareness training can be conducted as a lunch and learn in your company conference room.  Your users will come away knowing how to spot fraudulent emails and be a lot safer online.

5. Firewall

Your firewall device is the gateway to your network.  Be sure you have a knowledgeable IT professional managing it and that no ports are open to the outside world.

6. Next-Gen Endpoint Security

If your computers are running antivirus software that was available three years ago, it is obsolete. There has been a significant leap ahead in antivirus technology, and many of the traditional security software companies have been left behind.  Run a Next-Gen solution that can recognize ransomware by its behavior, stop it in its tracks and reverse the damage.

7. Dark Web Monitoring

If I wanted to hack your business, a Dark Web Scan is where I would start. This would reveal your email addresses and passwords that have been hacked from online sources.  Those passwords can then be used to try to gain access to company email accounts.  When users have the same password in multiple places and rarely change them, this can be very dangerous.  Implement a system that regularly monitors the Dark Web and alerts you when your employees’ credentials show up there.  You will know which user and password show up so the user can be aware they should never use that password again for any resource.

8. Computer Updates

Breaking news: Microsoft and Apple Operating Systems are NOT completely bug-free.  From time to time, new vulnerabilities are found, and security patches are published.  When these weaknesses are found, the bad guys are quick to build malware that exploits them.  Your best protection is to have a Managed and Monitored Patching System to ensure your computers stay up to date.  The same applies to third-party applications such as Java, Firefox, Google Chrome and Adobe Reader.

9. Backup

A sufficient backup system is actively monitored for failures, copied offsite every day and tested weekly.  It allows a server to be restored in minutes rather than hours and does not include using an external USB hard drive.  If backups are not tested, you cannot count on them when you need them.  It is common to successfully write backups to a failing hard drive then not be able to restore them when you need them.
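
For the IT person doing that weekly test, here is a small restore check, added as an illustration and not taken from any backup product. It reads every file back out of a backup archive and compares it with the live folder, so it catches both an excluded folder and damaged content. The folder names, file names and archives are constructed samples, and the comparison assumes the files have not changed since the backup ran.

```python
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def verify_backup(source_dir, archive_path):
    """Restore-test a tar backup; return (missing, corrupted) relative paths."""
    source_dir = Path(source_dir)
    expected = {p.relative_to(source_dir).as_posix():
                hashlib.sha256(p.read_bytes()).hexdigest()
                for p in source_dir.rglob("*") if p.is_file()}
    restored = {}
    with tarfile.open(archive_path) as tar:
        for member in tar.getmembers():
            if member.isfile():
                data = tar.extractfile(member).read()  # read the bytes back out
                restored[member.name] = hashlib.sha256(data).hexdigest()
    missing = sorted(set(expected) - set(restored))
    corrupted = sorted(n for n in restored
                       if n in expected and restored[n] != expected[n])
    return missing, corrupted


def demo():
    """Constructed sample: one job skips a folder, one holds damaged content."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "share")
        (src / "accounting").mkdir(parents=True)
        (src / "projects").mkdir()
        (src / "accounting" / "ledger.csv").write_text("date,amount\n2024-01-02,100\n")
        (src / "projects" / "bid.txt").write_text("constructed sample document\n")
        # Job 1: the 'projects' folder was left out of the backup selection.
        partial = Path(tmp, "partial.tar.gz")
        with tarfile.open(partial, "w:gz") as tar:
            tar.add(src / "accounting", arcname="accounting")
        # Job 2: every file is present, but the ledger was written damaged.
        damaged = Path(tmp, "damaged.tar.gz")
        with tarfile.open(damaged, "w:gz") as tar:
            tar.add(src / "projects", arcname="projects")
            bad = b"date,amount\n\x00\x00\x00\x00"
            info = tarfile.TarInfo("accounting/ledger.csv")
            info.size = len(bad)
            tar.addfile(info, io.BytesIO(bad))
        return verify_backup(src, partial), verify_backup(src, damaged)


if __name__ == "__main__":
    for missing, corrupted in demo():
        print("missing:", missing, "| corrupted:", corrupted)
```

A backup job that reports "success" passes neither check on its own; only reading the data back does.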

Where Do You Begin?

Talk to your IT Manager.  If you don’t have one, then contact a Managed IT Service Provider.  They keep your IT costs down by providing services to multiple companies like yours.  Sit with them, have a conversation about these nine protections and have a security assessment conducted.  This will let you know where you stand and map out a plan for getting where you need to be.