Very few small businesses guard against security threats. In fact, only 31% do so. They’re the smart ones, as 70% of attacks this year will be against SMBs. So what kinds of threat can you expect?
The Business Email Compromise (BEC) Scam
What It Is: You get an urgent email from someone in the C-Suite asking for a wire transfer. You go ahead and do it, but it turns out that scammers managed to spoof the email address they used and the money sent is long gone. The FBI says that this particular scam is on the riseand victims can expect to lose anywhere from $25,000 to $75,000.
How To Prevent It: Have an internal policy where transfer of money over a certain amount is confirmed in person, over the phone, or by any other method than email. Scammers are counting on employees relying on email only.
Ransomware
What It Is: Ransomware is malware that locks your files and computers systems and doesn’t allow you entry until you pay a ransom to the cybercriminals who created the ransomware. The major security attack earlier this year, WannaCry, is an example of ransomware. Anyone can be hit with ransomware—private individuals, schools, hospitals, governments, and more. But if you’re an SMB, understand that you’re the most desirable target. SMBs tend to think that they’re low profile, but the reality is that they tend to be a rich target for scammers without the IT security of bigger companies.
How To Prevent It: You can fight ransomware in two ways. First is employee education. Most ransomware is downloaded by unwitting employees. Second, ensure you have regular off-site backups of everything. That way, if the worst happens, you can wipe everything and start over without too much trouble.
Employee Access to Sensitive Information
What It Is: Most “hacks” are really just hackers taking advantage of the fact that low-level employees and sometimes even contractors have access to sensitive company information. Alternatively, the bad actor isn’t a hacker but an employee. A couple of years ago, the information of 2,200 GM customers was accessed by a staffer linked to an identity theft scheme.
How To Prevent It: The information employees can access needs to be carefully considered. Set up a policy that designates certain information as sensitive and create a policy about who can access it and under what circumstances. Furthermore, you need to be confident in the third parties that have access to your information, and more importantly, your customer’s information. Understand their policies on access to information and address concerns as soon as possible.
The Dropped Drive Hack
What It Is: You find a thumb drive in your company parking lot. It even has your corporate logo on it. So you plug it in to a computer to maybe figure out to whom the drive belongs. Then it uploads malware to your system, probably without you realising. Surprise!
How To Prevent It: Lots of people think that the dropped drive hack is too dumb or improbable to work. That’s one of the reasons it works all the time. One group of security researchers who sprinkled a parking lot with drives found that 98% of drives were picked up and 45% were plugged in. The trick has even worked in major espionage, with the US attacking Iran’s uranium enrichment centrifuges this way. There’s a simple way to prevent the dropped drive hack though: don’t plug in found thumb drives. Employees should be banned from plugging in found drives. In fact, on a sensitive machine, it should be a fireable offence. If necessary, employees can always turn in lost thumb drives to IT, who can then safely look inside.
The Bottom Line
60% of SMBs go out of business within six months of a cyberattack or data breach. It’s important to take IT security seriously to prevent such attacks. After all, it may be impossible to recover from an attack.
