There was a time when cybercriminals focused only on large businesses. They were easier targets because their information was likely listed publicly and there were more entry points due to their networks’ larger size and complexity. Attackers used to have to manually engage their targets, so there had to be a good return on their time investment. That meant avoiding the smaller fish. Besides, what good was the customer list of some small lawn care company in the middle of Oklahoma to an attacker? It didn’t really have any value to anybody else, so why would they steal it?
The game changed when ransomware was created. Now it wasn’t a matter of the data being valuable to somebody else. The question became, “How valuable is your data to your business?” How badly would your operations be impacted if suddenly you lost access to all of your customer email addresses, phone numbers and days of service?
Hopefully, this is not the first time that you are hearing about ransomware. If it is, here’s a real quick rundown. Ransomware is a form of malware that utilizes encryption to render your data unusable. Files, databases and applications all get locked up so you can’t use them. If your end user’s machine is connected to a company network, all of those files across the entire network will get locked up too. Once encrypted, your files can never be used or recovered without the decryption key. Attackers will ask you to pay a fee, usually in bitcoin, to recover your files. Sometimes even paying doesn’t unlock your files.
The other game-changer was automation. When attackers found ways to automate their attempts, it suddenly turned the tables on their ROI. If they can attack people while not even sitting in front of their computers, then why would it matter if only one in a million attempts is actually successful?
So how does this even get on your machine? Automation is a huge help. Attackers can send automated emails with attachments that try to install malicious code or viruses, or with links that send you to a website that tries to get you to download a file that will install them. A lot of times end users are not educated enough and will unknowingly click “accept” when prompted for administrative rights to install a program.
Ransomware isn’t the only vector attackers use. Another common attack is phishing. Phishing is when an attacker crafts an email to look legitimate, but the email either has malicious attachments or leads to sites trying to harvest login credentials. These emails can be highly effective when paired with spoofing, which is when a sender obscures their actual email address to make it look like the message was sent from somebody else. Spoofing can be useful in marketing campaigns when sending out e-blasts, but the same technology can work against you if somebody spoofs the boss’s email and requests a bank transfer.
Another very common form of attack is called Business Email Compromise (BEC). The FBI’s website states that BEC “is one of the most financially damaging online crimes.” This type of attack is often very successful because it relies on the end user making a mistake. BEC can be carried out in a variety of ways. For example, an attacker could start by sending the company administrator a link that is spoofed to look like it is from a commonly used vendor. The email claims to have an invoice that is shared through a cloud service and says the user must sign in to see it. When the administrator enters login credentials, the attacker is able to gain control over the email account.
Not all attacks originate from outside the company, and the internal ones are very hard to prevent. An example of an internal attack is an employee who is downloading company data or personal information of employees (such as Social Security numbers or bank account information from your HR system). The value of your jobs or your production algorithms might be something that gives you an edge in your market, and something you don’t want shared with other companies. It is fairly easy in most cases for an employee to download or email sensitive data. Don’t forget about cell phones either. If you give employees company-provided phones that have access to company data and programs, or if you allow employees to access company data and programs using their own phones, that opens up another vector.
Ready to unplug all your devices and move back to paper? No need to be rash. There is some good news: You are probably more protected than you think. Next month, we will talk about what you can do to protect yourself and take a look at protections you probably don’t know you have.