As part of supporting our customers and potential clients, K2 Tech Group, Inc. is publishing this white paper on Cybersecurity and Small Businesses to educate business owners who do not have a managed service provider or their own information technology department.
This recommendation paper identifies some of the basics of protecting a small business from malware, ransomware and phishing attacks.
As the industry has seen in the nation-state attacks and breaches of 2020-2021, the perimeter is no longer the drawbridge into the organization being protected; the fight is now at the endpoints within. A successful penetration is often not revealed by data theft or visible malicious software but is used quietly as an intelligence source for the theft of business data, customer information or the misdirection of funds. This paper highlights some of those vectors into a business, small or otherwise, and how to keep employees from opening the door to a cyberattack on that business.
Understand the Threat Landscape
Many small businesses go through their days without thinking about a security breach, physical or cyber related. Not having an alarm system or cybersecurity can cost a business money and time and quite possibly result in lost information, even the business’ reputation (Microsoft). Most small businesses (fewer than 100 employees) can’t afford a dedicated Information Technology department, and if they have one or two IT staff, the company most likely cannot afford the training or equipment budgets needed to keep up with industry standards or compliance requirements. Inadequate or non-existent computer and network security leaves the company’s data at risk, and having no infrastructure to alert the company’s principals that a threat has been identified allows a threat to become an attack. Staff need to be more aware of the attack methods that hackers and criminals alike use to infiltrate the business network and data.
A list of common cybersecurity threats for small businesses:
• Email and phishing scams use email and text messages to hook victims. Bogus, official-looking information asks targeted recipients to click on a link to a webpage and then enter sensitive financial and/or personal data. Criminals then use that data for illicit purposes.
• Social engineering attacks involve human interactions in order to obtain sensitive information. These include phishing and spear phishing but also physical activities. For example, a hacker can leave a USB key loaded with malware in the parking lot or on the floor in the business. An unsuspecting employee can find the USB key and simply insert it into a logged-on workstation, which is then exposed to malware and other malicious programs.
• Passwords. Cybercriminals can obtain passwords through many means: brute force, bypassing network protections (if any) and looking through servers for unencrypted passwords, or using email, text messages or social engineering.
• Man-in-the-middle attacks involve hackers intercepting data from a victim on a fake copy of a page the victim usually visits. These attacks also use phishing.
• Server attacks. DDoS (Distributed Denial of Service) is one of the most powerful weapons on the Internet. A DDoS attack is a focused cyberattack on a targeted server, service, website or network that floods it with Internet traffic. The aim is to overwhelm the website or service with more traffic than the server or network can accommodate.
• Backup data plan. The lack of a data backup plan can give a ransomware attack the severely detrimental result of leaving the business unable to process transactions. Ransomware encrypts servers and workstations to make them unusable. Having backups can and does negate the encryption of workstations and servers: restoring a backup returns the business to normal operations without paying any ransom. Businesses that do pay a ransom have no backup plan, so to return to normal business they must pay the ransom to decrypt the affected systems.
What can be done for protection?
First, training your employees is essential, as they are the direct path into your systems. Training on basic Internet best practices can go a long way in preventing a cyberattack (SBA). The Department of Homeland Security offers free training and other materials through its “Stop.Think.Connect” campaign.
This training covers the following topics:
• Spotting a phishing email
• Using good browsing practices
• Avoiding suspicious downloads
• Creating strong passwords
• Protecting sensitive customer and vendor information
• Maintaining good cyber hygiene
USE ANTIVIRUS SOFTWARE AND KEEP IT UPDATED
Each workstation and server should be equipped with antivirus and anti-spyware applications that are updated regularly. Such software is readily available online and from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically.
SECURE YOUR NETWORK
Safeguard your Internet connection by using a firewall and encrypting information. If you have a wi-fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not transmit the network name, known as the Service Set Identifier (SSID). Password-protect access to the router.
USE STRONG PASSWORDS
Using strong passwords is an easy way to improve your cybersecurity. Be sure to use different passwords for your different accounts.
A strong password includes:
• 10 characters or more
• At least one uppercase letter
• At least one lower case letter
• At least one number
• At least one special character (SBA).
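The rules above are easy to check mechanically, and a small business can use such a check wherever staff choose passwords. The following is an added example, not code from this white paper or from the SBA; it implements exactly the five bullet points above and also applies the “different passwords for different accounts” rule to a constructed list of accounts. The function names and sample passwords are assumptions made for illustration.

```python
"""Password policy checker for the five rules listed above.

Added example, not part of the K2 Tech Group white paper. The rule set is
the paper's own; function names and sample data are constructed.
"""
from __future__ import annotations

import string

MIN_LENGTH = 10  # "10 characters or more"


def check_password_policy(password: str) -> list[str]:
    """Return the list of rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no uppercase letter")
    if not any(c.islower() for c in password):
        failures.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        failures.append("no number")
    # string.punctuation covers the usual "special character" set (!@#$% ...)
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return failures


def meets_policy(password: str) -> bool:
    """True when the password satisfies every rule."""
    return not check_password_policy(password)


def find_reused(account_passwords: dict[str, str]) -> list[list[str]]:
    """Group accounts that share one password, so reuse can be fixed.

    Returns only the account names, never the passwords themselves.
    The input mapping is constructed sample data for this example.
    """
    by_password: dict[str, list[str]] = {}
    for account, password in account_passwords.items():
        by_password.setdefault(password, []).append(account)
    return [accounts for accounts in by_password.values() if len(accounts) > 1]


if __name__ == "__main__":
    # Constructed sample: three accounts, two of which share a password.
    sample_accounts = {
        "bank": "Tr0ub4dor&3x",
        "email": "Tr0ub4dor&3x",
        "crm": "password123!",
    }
    for name, pw in sample_accounts.items():
        print(name, "->", check_password_policy(pw) or "OK")
    print("accounts sharing a password:", find_reused(sample_accounts))
```

Run the file directly to see each sample account's verdict; in practice the check would run at password creation time rather than over stored passwords.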
Multifactor authentication (MFA) requires additional information (e.g. a security code sent to your phone or generated by an authenticator application such as those from Microsoft or Google). Check with vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account. If your business uses Office 365, MFA can be turned on for added security.
BACK UP YOUR DATA
Having a regular backup of data on all computers and servers is paramount to defeating a ransomware attack, and not just once a day: backups should also be made during the business day. This decreases the exposure and data loss should a ransomware attack succeed.
Critical data to back up includes:
• Financial files
• Human Resources files
• Accounts receivable/payable files
• Store backups off-site or in the cloud (e.g. Carbonite or iDrive.com)
SECURE PAYMENT PROCESSING
Work with your financial institutions or card processors (PCI) to ensure the most trusted and validated tools and anti-fraud services are being used. There may be additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs. DO NOT USE the same computer to process payments and surf the Internet.
CONTROL PHYSICAL ACCESS
Prevent access to or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so these devices need to be secured when unattended. Use a separate user account for each employee who uses the device, and use strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
These protections can be instituted readily and thwart cyberattacks far better than having no protection against cyber threats at all.
Free Training and Resources
Many free training courses and resources are available to help small businesses fight cyberattacks and ransomware. This list is not exhaustive but is a good start in learning methods of protecting one’s own business from cyberthreats.
Microsoft Office Outlook Add-in Message Header Analyzer
• In Outlook, in the menu bar, click on “File”
• Under the Account Information section, find the last icon
• Click the icon that says “Manage Add-ins”
• This will open Add-Ins for Outlook. Search for “Message Header Analyzer” and click “Add”. This adds an icon to your Outlook ribbon. When you receive an email that you are not quite sure about, click the blue “MHA View Headers” icon. A Message Header Analyzer window will open with a Summary section showing the Subject, the Message ID, the creation time of the email, whom the email was actually sent from, and the To address.
• More thorough information is available by clicking the “+” next to Original Headers. This is what you will need to send to your IT department or MSP should you suspect a phishing email.
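The Summary section described above is built from the message’s raw headers, and those same headers can be read without the add-in. The following is an added example, not code from this white paper or from the Message Header Analyzer add-in, that parses a constructed set of raw headers with Python’s standard email library, extracts the same fields the Summary shows (Subject, Message-ID, Date, From, To) and goes one step further by flagging the mismatches an IT department or MSP looks for in the Original Headers: an envelope sender (Return-Path) or Reply-To on a different domain than the visible From, and failed SPF/DKIM/DMARC results. All hosts, addresses and IPs in the sample are constructed (example.com, example.net and documentation address ranges), and the function names are assumptions for this example.

```python
"""Read raw email headers the way the Message Header Analyzer summary does.

Added example, not part of the white paper or of the Outlook add-in.
The sample headers are constructed for illustration, not a real message.
"""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample: the visible From claims example.com, but the envelope
# sender and Reply-To point at example.net, and SPF/DMARC failed.
# Header lines that begin with whitespace are continuation (folded) lines.
SAMPLE_HEADERS = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
    by mx.example.com with ESMTP id abc123
    for <accounting@example.com>; Mon, 1 Mar 2021 09:15:02 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by mail.example.net with SMTP; Mon, 1 Mar 2021 09:14:55 +0000
From: "CEO" <ceo@example.com>
Reply-To: ceo.urgent@example.net
Return-Path: <bounce@example.net>
To: accounting@example.com
Subject: Urgent wire transfer
Date: Mon, 1 Mar 2021 09:14:50 +0000
Message-ID: <20210301091450.1234@example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.net;
    dkim=none; dmarc=fail header.from=example.com

"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def _clean(value):
    """Collapse a folded header value onto one line ('' if header missing)."""
    return " ".join(value.split()) if value else ""


def domain_of(addr):
    """Domain part of an address header value ('"CEO" <a@b.com>' -> 'b.com')."""
    _, email_addr = parseaddr(addr or "")
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def red_flags(summary, auth_results):
    """Warnings a reviewer would raise from the parsed summary."""
    warnings = []
    from_domain = domain_of(summary["from"])
    return_domain = domain_of(summary["return_path"])
    reply_domain = domain_of(summary["reply_to"])
    if return_domain and return_domain != from_domain:
        warnings.append(f"Return-Path domain {return_domain} differs from From domain {from_domain}")
    if reply_domain and reply_domain != from_domain:
        warnings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth_results.lower():
            warnings.append(f"{check.upper()} failed per Authentication-Results")
    return warnings


def summarize(raw_headers):
    """Parse raw headers and return the summary fields plus warnings."""
    msg = HeaderParser().parsestr(raw_headers, headersonly=True)
    received = [_clean(r) for r in msg.get_all("Received", [])]
    # Each relay prepends its own Received line, so the first one is the last
    # hop (your own mail server) and the last one is the hop nearest the sender.
    received.reverse()
    first_hop = RECEIVED_FROM.match(received[0]) if received else None
    summary = {
        "subject": _clean(msg["Subject"]),
        "message_id": _clean(msg["Message-ID"]),
        "date": _clean(msg["Date"]),
        "from": _clean(msg["From"]),
        "to": _clean(msg["To"]),
        "reply_to": _clean(msg["Reply-To"]),
        "return_path": _clean(msg["Return-Path"]),
        "received_chain": received,  # oldest hop first
        "originating_hop": first_hop.group(1) if first_hop else "",
    }
    summary["warnings"] = red_flags(summary, _clean(msg["Authentication-Results"]))
    return summary


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_HEADERS).items():
        print(f"{key}: {value}")
```

Paste the Original Headers text from the add-in in place of the constructed sample to run it against a real message; the “originating_hop” is the host named in the oldest Received line, which is where the message actually entered the mail system.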
The cybercrime world today, much larger than any criminal drug cartel, will be responsible for damages and data theft in the trillions. With new threat actors arriving on the scene daily with new forms of malware, cybercrime, hacking and cyberespionage attacks are carried out by nation-states and cybercriminals every hour of every day. Add to the threats mentioned above the sheer number of exploitable vulnerabilities already known in popular applications used by businesses and consumers, and the total is already too large to count. The gravity of this new cybersecurity world requires IT to be right all the time, while the cybercriminals only need to be right once.
If you’re concerned about your business’s ability to protect itself against cyberattacks and need help implementing a cybersecurity program, check out our Managed IT Services and give us a call. We’d love to show you how we can protect your business today!