WannaCry? As a small business owner you just don’t have time, both literally and technologically. For those that have yet to be hit by a cyber attack, there is a “blind faith” that since I haven’t yet been stung by a virus, then my system or information must be safe.
But if you’re a business owner, the last thing you can afford to do, is do business by “blind faith” since unprecedented number of cyber attacks continue to leave small and big businesses around the world reeling.
For those that love to watch, you can see a type of cyber attack known as Distributed Denial of Service or DDoS attacks happening live around the world. It is quite sobering to see how frequently attacks occur and from where they are coming from.
Another type of cyber attack is ransomware. This is a type of malicious software designed to block access to a computer system and its data until a sum of money (ransom) is paid.
In May 2017, the ransomware dubbed WannaCry infected victims computers through spam emails that appeared to contain legitimate invoices, job offers and security warnings. WannaCry encrypted data on the infected computer and demanded payment to restore access. It did this by exploiting a Microsoft Windows vulnerability. The attack affected over 230,000 computers in factories, health care services, telecommunications networks and government institutions of more than 150 countries.
Less than a week later, in mid-May, the Adylkuzz targeted the same Windows vulnerability. Unlike WannaCry, Adylkuzz made no demands for money, rather it wanted to literally make money. Infected computers became a large-scale network to mine the digital currency Monero. It stealthily drained their computing resources as it ran its software in its attempts to work out the equations to be rewarded with the currency.
Users only suspected an infection when their Windows machine began running slowly and they weren’t able to access shared Windows resources.
On the coat tails of Adylkuzz came Petya (renamed “NotPetya” as it was only camouflaged to look like the infamous Petya ransomware). This ransomware took over computers by exploiting the vulnerabilities in Windows using 3 different infection vectors:
- Harvested password hashes
“Petya” demanded $300, paid in Bitcoin to restore access. It caused serious disruptions at large firms across Europe and the US, hitting the likes of advertising firm WPP, French company Saint-Gobain, Evraz (Russian steel firm) and Rosneft (Russian oil firm). The legal firm DLA Piper, food company Mondelez, Danish shipping and transport giant AP Moller-Maersk and even Pittsburgh’s Heritage Valley Health System.
Although the majority of cyber security related incidents being reported by the media involve large organisations, cyber attacks aren’t just a ‘big end of town’ problem. Big and small businesses, sole traders and home users across the world can fall victim to the latest cyber security attack.
As an information security professional of over twenty years, I know that staying on top of all the latest cyber threats and risks is no easy feat for a large organisation. Even more so if you’re a small business owner or entrepreneur whose core business is not cyber security.
For most non-geeks information security speak is gobble-de-gook… NIST 800-53, Rootkit, IPSec, ISO/EIC – 27002, SIEM, IDS, IPS and as he acronyms go on, little wonder that many of us would switch off.
There are, thankfully, some simple things you can do to minimise a cyber attack against your business:
1. Keep your operating system up-to-date
Windows updates always install at the most inconvenient times, right? The WannaCry and Adylkuzz attacks all targeted known Windows vulnerabilities. Many of the infections could have easily defended themselves from infection by staying on top of security updates pushed out by Microsoft.
Mac users are not off the hook. One human flaw cyber attackers and hackers count on is complacency. Hackers are constantly evolving malware (short for malicious software) to find cracks or weak links in whatever device you’re using.
2. Install antivirus software
Sounds obvious, but many people would rather take the risk of infection and possible loss of sensitive personal information than spend as little as $40 per year on a advanced antivirus software like Kaspersky. Antivirus software can prevent the latest malware from infecting your computer.
Of course, as important as it is to install antivirus software in the first place, you have to keep it up-to-date. If you don’t, you’re leaving yourself open to a cyber attack since cyber criminals are constantly exploiting vulnerabilities and discovering new infection vectors.
If you really are on a tight budget (what small business isn’t!) you can download a free quality product called AVG, which I have used for many years.
3. Think before you ‘click’
WannaCry, Adylkuzz and Petya predicate high rates of infection on computer users being complacent and gullible. What is the lesson? Avoid clicking links and attachments from emails you have no reason to expect or senders you don’t know.
Just like you wouldn’t open an gift wrapped present from some stranger you happened to knock on your front door asking for your credit card PIN.
This fraudulaent practice of sending emails pretending to be a reputable company or individual in order to induce personal or financial information and passwords is known as “phishing.”
One obvious way you can spot these suspicious emails is by looking at the sender’s email address to see if it’s legitimate. An email from purporting to be from http://www.wearetrustybank.com wouldn’t originate from email@example.com (did you spot scam?). Your bank or credit provider shouldn’t ask for passwords or sensitive information over email.
Also look for typos and grammatical errors in the body of the email itself.
Before you click, “Mouse-over” or hover over links in an email to see where the web address (URL) is attempting to send you before clicking. An email from weartrustybank.com would not have link pointing to http://www.cheapandfastwebsite.net.ru.
If do receive an email from your financial institution, make it a habit to type in their URL into your web browser, rather than click on the link in the email to get to their website. This, not only, will ensure you hit the legitimate webpage but also load their latest webpage (and any recent security measures they have implemented).
4. Create data backups
In the event a you are hit by a virus or ransomware, all won’t bet lost if you have a backup of your data. You will be able to restore or at least access your data without too much disruption to your business.
The “cloud” is making online data backup ( SOS Online Backup, Carbonite, SpiderOakONE, etc) popular with many businesses. Since you don’t have to purchase specific hardware or software it allows small businesses to squeeze a 24 hour redundant backup solution into the budget.
(One side note: Ensure you are aware of Australian regulations regarding the storage of customer financial information in cloud providers based outside of Australia. The ASD is a good place to start as well as APRA if you’re in a regulated industry)
If you choose to go down the path of purchasing your own backup solution don’t forget to test your backups – after all, a backup is not “backing you up” if you can’t restore your data correctly.
Small businesses that are victims of cyber attacks usually don’t make the news. But the impact of these breaches can be felt as heavily, if not even more so, by the small to medium business, sole traders and entrepreneurs who need to be operational to make a dollar.
When it comes to your business experiencing a data breach, the 2017 Cost of Data Breach Study shows the odds are as high as 1 in 4 that a business will experience a data breach. It’s dangerous for your business and reputation to be complacent and adopt an “it will never happen to me” attitude.
Australia’s love of technology and our relative wealth makes us an attractive target for cyber criminals. How serious you take cyber attacks will determine how you operate your business and minimise the chance of falling victim to a cyber attack and suffer the ramifications of financial and intellectual property loss, reputational damage and business disruption.
by TuiSiong Hie
Digital Media Strategist & Founder at Cross+word
About the author