Putting your own data at risk by clicking on a phishing link is bad enough. Risking the well-being of your employees or coworkers is so much worse. It’s a wonder that SMBs, who have so much more to lose, aren’t more careful.
Case in point:
New Zealand plumber Pete Satterhwaite was losing clients ever since Nigerian hackers began sending bogus invoices to his clients. They’d gotten into his cloud-based outlook account, after obtaining his password, and were redirecting his mails to their own. To cover their tracks, they’d even used the bank accounts of two women they’d encountered on a dating website as intermediary accounts before transferring the money to Istanbul.
Threats Rising in 2023
According to the European Union’s Cybersecurity agency’s (ENISA) 2021 report (and things have gotten much worse since—especially in the US), 85% of SMBs believe hacking to be a major problem, and 57% believe an attack would put them out of business. 36% reported an attack in the past 5 years; and the vast majority of attacks are from phishing!
Frighteningly, critical infrastructures are decidedly unprepared. Even following this past year’s multiple attacks on hospitals, Cyber Defense Magazine estimates that “only 10-20% of American hospitals have a meaningful cybersecurity program” in place. The good news is that income from ransomware attacks is falling as more and more clients reuse to pay up; however, according to Chainanalysis, that the number of attacks are rising thanks to automation.
Last week, Kaskersky indicated that the major threats this coming year will be personal data links, corporate email attacks, cloud tech attacks on aaS providers, and—a new flavor-of-the-month: MEDIA BLACKMAIL, ransomware accompanied by a well publicized (through social media, for example) countdown to denouement. The other side of the aaS formula, of course, are the cybercrime services offered online to the budding entrepreneur, such as Malware-as-a-Service.
Especially following lock-down, more and more small and medium-sized enterprises have found themselves operating online to a greater extent than before: client relations, subcontractor dealings, sales, and even internal operations have migrated to cyberspace; workers are working from home; people fear direct contact.
And the support institutions are not keeping up. New guidelines are still being smoothed out, and management is slow on the uptake. Until actually attacked, the awareness of cyberthreats is still at the hidden back of the average entrepreneur’s mind, and budgets are not yet being earmarked for what is, in many cases, a costly cybersecurity outlay. Securing on-staff specialists is almost impossible to justify to the bottom line, and outsourcing is expensive.
As a result, sensitive and often critical information can be easily accessed and manipulated.
Insofar as phishing is concerned, most of the above is immaterial. Here, the best technical cybercrime infrastructures would be immaterial, since phishing relies on human engineering, not technological prowess: fooling someone into clicking on a link.
Clearly, if as a result of phishing, malware is downloaded into a system, one would hope for the benefits of good detection and remedial tools to minimize the damage. But by then, the damage has been done, and only training and awareness can prevent the infiltration of an agent in the first place.
Phishing out the threat
Training employees not to click on links or divulge access codes is paramount. Begging suppliers and clients to be wary of suspicious company communiques is another human interface that won’t break the bank. But there are many other steps that should be taken before hiring the services of the top hack-fighting corporations, including:
Antivirus and firewalls: These are nowadays included in most operating systems, network and even cloud providers—make sure they’re updated. Add to that anti-malware software when not included.
Password cycling: Yes, it’s a pain, but just as an employees are expected to clock in and out, limit coffee and lunch breaks to a certain time span, and be courteous to their colleagues, it’s not too much to ask them to update and change passwords every so often.
Multi-factor identification: There are so many options here, it’s surprising that some companies have not yet adopted MFI for each and every entry—client or employee—into a company’s system.
Back up everything you can: Place backups on isolated media/cloud channels, so that if ransomware DOES hit, you can at least recover what you’ve lost.
Mobile awareness: Remember that a large part of your transactions will be executed through mobile devices—treat them with the same care as you do your desktop.
Educate and document: Staff members are on the clock. Use that time wisely to repeat the words of caution often, and document whatever security policies you adopt so that nobody has an excuse for forgetting. It might not stand up in court, but it WILL make them think twice.
Geoff Lottenberg in Cyberdefense also suggests hiring outside consultants to assess security dangers and conditions, and even vetting potential employees for loyalty and caution awareness.
In 2020, the EU published a set of tips for SMEs going online. Bottom line: when it comes to human engineering, it pays to strengthen the medium—you and the people you work with! To stay secure, arm them with whatever tools keep them safe.