By Benjamin Yarbrough, CEO, Calyptix Security
Hackers and small businesses share one thing: they rely on email.
Today’s cybercriminals are organized and business-minded. They make investments and they expect returns. Some invest in big targets, such as Home Depot and Anthem. Others invest in massive attacks, such as ransomware and botnets.
These massive attacks are behind most cybercrime. They can only succeed by exploiting a widespread technology — and what is more widespread than email? Email is one of the top entry points for cyberattacks of all sizes, particularly in small businesses. The reasons are clear:
- Almost every business uses email.
- Email is a gateway into the business network.
- Non-technical users receive email and are left to decide which messages are safe and which are not.
- Email costs almost nothing to send and is easy to automate.
- Phishing has proven an easy way to breach a network.
Attackers are improving their tactics. They have learned that tailored messages sent to smaller lists yield better results. Instead of sending millions of emails, they use an approach known as spear phishing to reach narrower targets such as “all attorneys at businesses with 100 or fewer employees” or even “Jennifer Jones, Attorney at Acme Inc.”
The proportion of spear phishing attacks against small businesses has grown every year since 2013. Last year, 43 percent of all spear phishing targeted companies with fewer than 250 employees, according to the Symantec 2016 Internet Security Threat Report (ISTR).
The point is that attackers are using details about their targets to create tailored messages that are harder to detect. These custom phishing emails work. Nearly one-third of all phishing messages reviewed for the Verizon 2016 Data Breach Investigations Report were opened, and a terrifying 12 percent were clicked. This represents a big jump in open rate over previous years. The median time for a new phishing campaign to be opened by its first victim is only 100 seconds.
Small businesses may not make headlines when they are hit by a phishing attack, but the results can be devastating nonetheless. Data theft, financial loss, and tarnished reputations can be just the beginning, unless you are prepared. Protect your business and your clients against phishing attacks with these tips:
- Filter spam and malicious email — the majority of dangerous email can be eliminated with effective spam and virus filters. This is not a cure-all, but it will remove a significant portion of the threat.
- Train users — knowing malicious emails will reach inboxes makes it essential to train staff members to spot and delete them. Use periodic handouts, presentations, and simulated attacks to raise awareness.
- Limit access — expect that users will fall for phishing attacks. Their machines will be infected with malware or they will share login credentials with an attacker. Knowing this, do not allow them to access systems and data they do not need to perform their roles. All users who have access to critical data, such as credit card and customer databases, should receive additional training.
- Back up critical data — ransomware is a growing problem, and there are two types of victims: those with good backups and those without them. Victims who have good copies can easily recover from the attacks. Victims without them will either lose their data or be forced to pay a ransom. So always back up critical data and systems. Do it automatically, and store some of the backups outside the network to keep them safe.
- Segment networks — this is another vital way to limit access. Do not keep critical machines and data on the same network as machines that engage in high-risk activity, such as browsing the internet or opening email. That way, when a high-risk machine is breached (which is inevitable), your business-critical systems will not be affected.
- Filter outbound traffic — also known as egress filtering, this control limits the systems to which a machine can connect. Say, for example, a machine is used to process credit card transactions. An outbound filtering rule can allow the machine to send data only to the IP address of the card processor and to no other destination. That way, if the machine is ever breached, the attacker has no direct outbound route over which to exfiltrate the cardholder data, and every blocked attempt is a signal worth investigating.
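The card-processing example above, worked through as a default-deny egress policy. This is an added example, not code from the original article or from Calyptix; the processor address 192.0.2.10 and the other addresses are constructed from the IETF documentation ranges, and the `AllowRule`/`egress_allowed`/`nftables_ruleset` names are this example's own. It checks constructed connection attempts against the allowlist and renders the same policy as an nftables ruleset so the decision logic and the firewall configuration can be compared side by side.

```python
"""Egress (outbound) allowlist for a single-purpose host such as a card-processing machine.

Added example, not from the original article. 192.0.2.10 is a hypothetical processor
endpoint; all addresses are from IETF documentation ranges, not real hosts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    dst: ipaddress.IPv4Network  # destination host or network
    port: int                   # TCP destination port
    comment: str                # why the rule exists; carried into the ruleset


# Hypothetical card-processor API endpoint (assumption, documentation address).
PROCESSOR = ipaddress.ip_network("192.0.2.10/32")

# Everything not listed here is denied.
EGRESS_ALLOWLIST = (
    AllowRule(PROCESSOR, 443, "card processor API over TLS"),
)


def egress_allowed(dst_ip: str, dst_port: int, rules=EGRESS_ALLOWLIST) -> bool:
    """Default-deny check: a new outbound connection is allowed only if a rule matches."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in rule.dst and dst_port == rule.port for rule in rules)


def nftables_ruleset(rules=EGRESS_ALLOWLIST) -> str:
    """Render the allowlist as an nftables ruleset: default-drop output chain,
    loopback and replies to established connections allowed, denied attempts logged."""
    lines = [
        "table inet egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    for rule in rules:
        daddr = rule.dst.network_address if rule.dst.prefixlen == 32 else rule.dst
        lines.append(
            f'    ip daddr {daddr} tcp dport {rule.port} ct state new accept '
            f'comment "{rule.comment}"'
        )
    lines += [
        '    log prefix "egress-drop: "',  # log what the chain policy is about to drop
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


# Constructed connection attempts a breached host might make.
ATTEMPTS = (
    ("192.0.2.10", 443),    # legitimate transaction to the processor
    ("192.0.2.10", 22),     # right host, wrong port
    ("198.51.100.7", 443),  # attacker-controlled HTTPS host
    ("203.0.113.5", 53),    # direct DNS to an outside resolver (tunnelling attempt)
)


def evaluate(attempts=ATTEMPTS):
    """Map each (ip, port) attempt to the policy decision."""
    return {attempt: egress_allowed(*attempt) for attempt in attempts}


if __name__ == "__main__":
    for (ip, port), allowed in evaluate().items():
        print(f"{ip}:{port} -> {'ALLOW' if allowed else 'DROP'}")
    print(nftables_ruleset())
```

The rendered ruleset would be loaded with `nft -f` on the processing host. Two design points: the allowlist matches on port as well as address, so an attacker cannot reuse the processor's IP as a cover for an unrelated service, and denied attempts are logged before the policy drops them, which turns egress filtering into a detection source as well as a control. In practice the host still needs patches and time synchronization; rather than widening the allowlist to the whole internet, add narrow rules for an internal update server or proxy so the default-deny stance is preserved.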
These tips will put you a long way down the road to a safer network. Other essentials — such as patching systems and using anti-virus — should not be forgotten. Prepare your business and your clients for the inevitable and move forward with confidence.
Benjamin Yarbrough oversees the operations of Calyptix Security, a network security provider for small business. He helps coordinate the sales, support, and development teams to help best serve customers, and also works to maintain the company’s finances and foster its vision.