Small businesses have been in the cross-hairs of cyber attacks for years, but the methods continue to evolve. Email phishing was (and remains) the common method for hackers to infiltrate computers, compromise user accounts and gain access to money, sensitive information, personal data or all of the above.
So why are small businesses targeted, and why those specific businesses?
1 – Why Small Businesses – because the expectation is that a small business doesn’t have the IT resources (dedicated IT professionals, firewalls, adaptive spam filtering, antivirus, malware protection, backup monitoring, user education, etc.) that larger companies regularly employ. And given that probability, launching an attack may prove fruitful for a ransomware group or individual hacker.
2 – Which Small Businesses – This part is interesting, but concerning. I’ll break this into two parts:
- Random – this is the one where everyone in the company gets the same email, instructing the user to click on the link (i.e. update their password, claim a prize, download their paycheck stub, etc.). The cyberattack is preying on, or praying for an un/under-educated user to click the bait. It’s not overly sophisticated, but gets results when launched against less vigilant targets.
- Targeted – this is the scarier variant (to me). In this scenario, the hacker or group are using publicly available information to research the target business. An example of what they are using:
- Websites – they will use the information to create a map of the organization if possible (does your site have a Meet Our Team or a Who We Are list of people and positions)?
- Facebook / Social Media – how much information are you putting out on social media? Could someone use that information to gather additional data about the company, the hierarchy and internal structure?
And with that information they’re finding out who the important players are in the organization; determining who the Controller / CFO is, possibly figuring out who reports to them (and maybe writes checks?). Using Facebook to find out things like age, personal wealth, address details – all with the expectation to target anyone that might fall for their tricks. It’s basically social engineering.
So what should a business owner do? From an IT perspective you need to make sure your computer and network infrastructure is sound (proper antivirus software, an updated firewall, etc.). Equally important is making sure your staff and co-workers are properly trained on how to deal with questionable IT requests, and how to report them. We can help develop testing and training strategies to ensure that your end-users are not a weak link to your IT hardening.
If any of the above strikes a chord, please reach out to us. We are always willing to discuss ideas and options to strengthen security and help businesses stay on the secure side of this battle.
Chris Hopkins – Member of the Moebius Team