If you run a small- to medium-sized business (SMB), chances are that you’re already aware that cybersecurity should be a concern. In fact, a recent survey from AppRiver found that more than half (58%) of SMBs in the U.S. are more worried about getting hacked than they are about a flood, a fire, a transit strike, or even a physical break-in of their offices.
The question is, what are you going to do about it? Staying secure on a budget can be a challenge for SMBs – a problem that’s often exacerbated by a lack of in-house security expertise. Turning to cost-effective managed services is a good solution – but there are also plenty of tactics that you can implement to minimize your risk.
Understand the Hacker Tricks of the Trade
Cyberattackers are savvy and adaptable, but there are a few common techniques that they use on a regular basis. Understanding what these are can help you protect your business.
Far and away, the most common way an attacker infiltrates networks and harvests sensitive data is through phishing.
Phishing works like this: A victim will receive an email claiming to be from someone they know, or from an organization they recognize or perhaps even deal with often. These emails sometimes clearly stand out as spam, but in other cases, the impersonation will be hard to spot: the adversary will take great pains to make it look and sound like a legitimate email, complete with authentic-looking logos.
Within that phishing email will be a malicious link, attached document, or an app. When a user clicks on the link, it will take them to what looks like a legitimate page with a log-in screen. That page is actually fake (or “spoofed”), and when the victim enters his or her credentials, the hacker is able to grab them and gain unauthorized access to the victim’s account. In the case of an attachment or app, opening it usually results in malware being installed on the victim’s machine. That virus or trojan gives hackers access to the data on the victim’s computer or phone (for instance, it could be a keylogger, which captures what the victim types in order to uncover user names and passwords), and also allows them to gain a foothold on the company network.
There are also watering-hole attacks to worry about. Here, an attacker might create a fake website that offers information that a specific target might be interested in – industry-specific articles or “how-to” blogs, for instance – while in the background it is executing malware on the visitor’s computer. In a variation of this, adversaries create fake mobile apps that appear to do something useful; but when installed, they turn out to be malware.
A third common attack method is via malicious Wi-Fi networks in public places. A hacker can use software to set up a wireless access point (with an innocuous or attractive name like “free public Wi-Fi”) – and once someone has connected to it, a hacker can intercept and eavesdrop on any traffic that flows through it.
There are other techniques out there as well, but these are common tricks to watch out for.
Employee Training: A Crucial Line of Defense
All three of these attack types require the user to take some kind of action – click on a link, download an attachment, visit a dodgy website, download a rogue app, or connect to an untrusted Wi-Fi network. And that means that the attacks can be prevented with good security hygiene.
Training your employees is a critical first line of defense against these opportunistic kinds of attacks. For starters, implement the doctrine of verification: Before clicking on a link or downloading an attachment in an email, send a separate email to the supposed sender to make sure the person did indeed send the message – especially for anything unsolicited. Better yet, pick up the phone and call the person.
Another training tactic is to learn to always hover over a link to make sure it’s the legitimate address. Malicious links won’t have the proper URL – however, they may have similar-sounding URLs. If the message claims to be from the Bank of Peter, the malicious link may read something like www.bankof.peter.com or www.bankofpeeter.com instead of www.bankofpeter.com.
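To make the “hover over the link” advice concrete, here is an added example that is not part of the original article and not TPx code. It parses the address a link actually points to, pulls out the registrable domain, and compares it with the domain the message claims to come from, flagging the two tricks described above: a brand name split across subdomains (www.bankof.peter.com) and a near-miss spelling (www.bankofpeeter.com). The domain names are the article’s own illustrative ones; the edit-distance threshold of 2 and the simplified two-label rule for the registrable domain are assumptions for the sake of the example.

```python
# Added example (not from the original article): classify where a link really
# points, relative to the domain the e-mail claims to be from.
from urllib.parse import urlparse

# The legitimate domain from the article's example (constructed sample value).
EXPECTED_DOMAIN = "bankofpeter.com"

# Assumption: a lookalike is within this many single-character edits of the
# expected domain.
LOOKALIKE_THRESHOLD = 2


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname.

    Simplification for the example: real public suffixes such as co.uk have
    more than one label, which this does not handle.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_link(url: str, expected: str = EXPECTED_DOMAIN) -> str:
    """Return one of: 'ok', 'split-domain', 'lookalike', 'unrelated'.

    - ok:           the link's registrable domain is the expected one
    - split-domain: the expected name appears only as subdomain labels of
                    some other domain (www.bankof.peter.com)
    - lookalike:    the registrable domain is a near-miss spelling
                    (www.bankofpeeter.com)
    - unrelated:    none of the above
    """
    if "://" not in url:
        url = "http://" + url           # urlparse needs a scheme to find the host
    host = (urlparse(url).hostname or "").lower()
    actual = registrable_domain(host)
    if actual == expected:
        return "ok"
    # Compare with dots removed so "bankof.peter.com" and
    # "bankofpeter.com.example.net" both reveal the embedded brand name.
    if expected.replace(".", "") in host.replace(".", ""):
        return "split-domain"
    if edit_distance(actual, expected) <= LOOKALIKE_THRESHOLD:
        return "lookalike"
    return "unrelated"


def scan_links(urls, expected: str = EXPECTED_DOMAIN) -> dict:
    """Classify every link in a message; returns {url: verdict}."""
    return {u: classify_link(u, expected) for u in urls}


if __name__ == "__main__":
    # Constructed sample links, as they might appear behind the text of an e-mail.
    sample = [
        "www.bankofpeter.com",
        "www.bankof.peter.com",
        "www.bankofpeeter.com",
        "https://bankofpeter.com.example.net/login",
        "https://www.example.org/login",
    ]
    for link, verdict in scan_links(sample).items():
        print(f"{verdict:13} {link}")
```

Anything other than “ok” is a reason to stop and verify with the sender before clicking; the point of the exercise for staff is that the visible link text and the destination host are two different things.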
In a similar vein, employees should be trained to never download an app from a third-party app store. Even if they do download something from Google Play or the Apple App Store, advise them to read the reviews to make sure all is on the up-and-up; sometimes bad apps do get through.
And finally, on-the-go employees should be wary of public Wi-Fi, and should always verify the legitimate SSID with the airport, café, or other operator of the space. It’s also a good idea to use a VPN – there are plenty of free offerings.
Require Best Practices
Along with basic security training, SMBs should always ensure that best practices are being carried out. For instance, all software should be kept up-to-date. Most of the time, a malicious attachment or watering-hole attack will only be successful if there are unpatched software vulnerabilities on the target machines.
For any cloud services, employees should be required to enable two-factor authentication (2FA), which will make it necessary to enter a one-time password that’s sent to a mobile phone before the user can log in. That way, even if hackers somehow gain a user’s credentials, they still won’t be able to log in because they don’t have access to that user’s mobile device.
Speaking of which, password hygiene is critical as well. Businesses should be thinking about complex passwords that include a combination of letters, numbers, and special characters. SMBs should require that their users change these often and that each password is unique and not used anywhere else. In a similar vein, users should make sure that their website security questions are difficult – not information that could be gleaned from social media or elsewhere, such as your mother’s maiden name or the city where you were born – and consider making up the answers to thwart hackers even further.
Simple Administrative Fixes
Beyond user actions, there are simple steps that SMB network administrators can take to help their companies get out of the “low-hanging fruit” camp. Most hackers are looking for an easy score. Anything that raises the bar of effort for them – even a little bit – will cause them to move on to the next potential victim rather than expend any more time and effort on something that isn’t easy.
To start, enable firewalls and traffic encryption – you can easily enable the basic tools that come with your networking gear. Secondly, make sure that all default passwords on devices connected to the network are changed to unique combinations, and keep the software and firmware up-to-date. Next, replace any systems with outdated operating systems like Windows 7 – Microsoft no longer supports these, and there are known vulnerabilities that hackers can easily exploit to gain access.
And finally, think about permissions. Take steps to manage and limit access to data, drives, and systems for those employees who don’t need it. Also, don’t forget to deactivate access for those who don’t need it anymore – ex-employees are a leading cause of data theft.
The bottom line: as a small business, you are a primary target for hackers. Make time for these easy steps today to avoid difficult situations in the future. Need help securing your business or want to learn more? Visit www.tpx.com/managedIT or call 888-407-9594.
About the Author
Erik Nordquist is the Senior Product Manager for TPx Communications’ managed security services. He’s led a broad range of critical activities, including Field Operations and the Hostmaster team where he built TPx’s anycast DNS network to service its 55,000 customer locations. His work on the Network Integrity team made him the resident expert for mitigating Denial of Service (DoS) attacks. After interfacing with customers for years, Erik is bringing his customer-focused approach to his Product Manager role, helping to deliver first-in-class security services to TPx clients with unsurpassed customer support.