[BreachExchange] Hackers are targeting SMEs - here's what you can do about it

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 10 20:12:50 EDT 2017


https://www.scmagazineuk.com/hackers-are-targeting-smes--heres-what-you-can-do-about-it/article/668920/

Earlier this year, a new report from the National Cyber Security Centre
(NCSC) and the National Crime Agency (NCA) revealed that 2016 had “been
punctuated by cyber-attacks on a scale and boldness not seen before.”
Although the headlines were dominated by cyber-attacks on high-profile
companies such as TalkTalk and Tesco Bank, the reality is that SMEs are
targeted more often than large enterprises.

UK SMEs were targeted around 230,000 times each by cyber-criminals in 2016,
totalling around 7 million cyber-attacks against SMEs. This costs the UK
economy an extortionate £5.3 billion annually.

At one time there was some degree of security consensus that being a small
player meant that you didn't matter to cyber-criminals. This notion was
quickly debunked by the overwhelming wave of attacks against organisations
of all sizes last year.

Hacking is a very real threat to SMEs. The big questions are why hackers are
targeting SMEs, and what SMEs can do to protect themselves from this growing
spectre of cyber-crime.

1. SMEs are perceived as easy prey – toughen up with UTM

Smaller enterprises have traditionally been more complacent about security
than their larger peers. Historically, these companies have fallen into the
trap of believing that because they are not turning over billions of pounds
every year, they won't attract criminals' attention. Unfortunately, hackers
are aware of this false sense of security, and increasingly exploit smaller
businesses' lack of preparedness and security expertise to their own ends.
A recent report by Barclaycard revealed that only 20 percent of small
organisations believe cyber-security to be a top business priority, making
them the perfect prey for hackers.

Don't be complacent. Smaller businesses are more at risk of successful
cyber-attacks than larger ones. SMEs need to ensure that they remain one
step ahead of cyber-criminals, and should seek expert advice from
cyber-security professionals who can help design and deploy security
strategies and policies.

Unified Threat Management (UTM) solutions are a cost-effective choice for
smaller organisations looking to protect themselves against cyber-attacks.
UTM offers protection against the growing number of threat vectors, and it
consolidates threat management under a single-pane-of-glass.

2. Don't be the back door to your partner's network – SIEM can help

Large enterprises often have stronger security in place, including several
layers of defence that make it extremely difficult for hackers to breach
their networks. However, partners connected to their IT systems may not
have the same level of protection, and so become the weak link in the
chain, giving hackers access to the big player through a “back door”.
SMEs may not hold the data the criminals are after, but they are often
connected to the big players who do. Targeting and breaching the smaller
organisation lets cyber-criminals steal the valuable data of the large
enterprise it partners with. Should they succeed, not only will the SME's
reputation be severely damaged, it also risks losing a valuable partner.

A Security Information and Event Management (SIEM) strategy gives SMEs a
bird's-eye view of their entire IT estate by collecting and correlating logs
from endpoints, servers and network devices in one place. It lets a business
spot and contain threats as they develop, and provides information that can
help strengthen future defences. Most importantly, the early warning a SIEM
provides helps an SME avoid becoming the “weak link” through which a
partner's network is reached.

3. Ransom requests can cripple SMEs – strengthen your defences and train
your staff

The US National Cyber Security Alliance found that 60 percent of SMEs go
out of business within six months of a cyber-attack. SMEs are vulnerable
because they do not hold large cash reserves to deal with such crisis
situations. A ransom demand can easily put a small organisation out of
business, as it cannot afford significant downtime without income.
According to a conservative estimate from Gartner, downtime can cost firms
around £29,829 per hour. It is not surprising that SMEs would rather pay
£1,000 for a hacker to release their systems than incur losses potentially
running into the hundreds of thousands.

Unfortunately, SMEs are often at fault in these situations. A lack of staff
training leaves people unaware of security concerns, leaving the entire
company vulnerable to fraud, including email phishing. Recent Node4
research found that the biggest internal threat to a business is the human
element: errors made by employees are often the “way in” for criminals. It
is crucial that firms invest time and resources in educating their staff
about the evolving threat landscape and everyday risks such as opening
unsolicited email attachments.

4. Beware of CEO fraud – adopt two-person authorisation

Fraudsters are constantly developing new ways of getting hold of sensitive
information. As security measures on payment methods become more
sophisticated, they have migrated towards alternative fraud schemes.
Recently there has been a rise in CEO fraud, and according to Symantec,
almost 40 percent of CEO fraud targets work for SMEs.

The way CEO fraud works is simple. A hacker crafts a very authentic-looking
email, pretending to be from the CEO of the company, and sends it to a more
junior employee requesting sensitive company information or a money
transfer. Typically the fraudsters will have researched the company
thoroughly, and will send from a domain name that appears almost identical
to the target's (a swapped character, a different suffix, or the real
domain embedded in a longer one), or from a legitimate-looking address with
a Reply-To that routes answers elsewhere.

By introducing two-person authorisation procedures (dual control over
payments and data releases, which is distinct from two-factor authentication
for logins) SMEs can detect CEO fraud quickly and protect themselves from
such attacks. For example, if two senior people must always authorise a
transfer, whether of money or of data, there is a much lower chance that the
“pretend” CEO will get away with the scam.

Educating staff is also key. If everyone knows to double-check via a method
other than email before completing a specific type of request, it is far
more likely that any potential fraud will be identified and avoided. A
simple phone call or direct message, to a number or channel the employee
already has on record rather than one supplied in the suspicious email, will
confirm whether the CEO really made the request.
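The lookalike-domain and Reply-To tricks described above can be screened for automatically on inbound mail. The following is an added example written for this page, not code from the article or from any vendor it mentions; the company domain, the sample message headers and the edit-distance threshold are assumptions chosen for illustration.

```python
"""Flag inbound mail whose sender domain is a near-lookalike of our own,
or whose Reply-To quietly diverts answers to a different domain.

Added example for the CEO-fraud discussion; not from the article. The
domain, sample headers and threshold below are assumptions.
"""
import unicodedata
from email.parser import HeaderParser
from email.utils import parseaddr

OUR_DOMAIN = "example-ltd.co.uk"   # assumed: the organisation's real domain
MAX_EDIT_DISTANCE = 2              # assumed tuning value for typo-squats

# Single-character visual confusables attackers swap in when registering a
# lookalike (0 for o, 1 for l, and so on).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold a domain so confusable spellings collapse to the same string."""
    d = unicodedata.normalize("NFKD", domain.strip().lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.replace("rn", "m").replace("vv", "w")                 # two-char swaps
    return d.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def classify_domain(sender_domain: str, our_domain: str = OUR_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for one sender domain."""
    if sender_domain.lower().rstrip(".") == our_domain.lower():
        return "internal"
    ours, theirs = normalise(our_domain), normalise(sender_domain)
    if theirs == ours:
        return "lookalike"                      # examp1e-ltd.co.uk
    if ours in theirs:
        return "lookalike"                      # example-ltd.co.uk.mail-host.net
    if theirs.split(".")[0] == ours.split(".")[0]:
        return "lookalike"                      # example-ltd.com
    if edit_distance(theirs, ours) <= MAX_EDIT_DISTANCE:
        return "lookalike"                      # exmaple-ltd.co.uk
    return "external"


def check_message(raw_headers: str) -> dict:
    """Inspect the From and Reply-To headers of one message and give a verdict."""
    msg = HeaderParser().parsestr(raw_headers)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    verdict = classify_domain(from_domain)
    reasons = []
    if verdict == "lookalike":
        reasons.append(f"sender domain {from_domain!r} resembles {OUR_DOMAIN!r}")
    if reply_domain and reply_domain.lower() != from_domain.lower():
        reasons.append(f"Reply-To goes to {reply_domain!r}, not {from_domain!r}")
    return {"from": from_addr, "display_name": display_name,
            "verdict": verdict, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed sample headers (not real messages) covering the cases above.
SAMPLE_HEADERS = (
    "From: Jane Smith <jane.smith@example-ltd.co.uk>\nSubject: Q3 figures\n\n",
    "From: Jane Smith <jane.smith@examp1e-ltd.co.uk>\nSubject: Urgent transfer\n\n",
    "From: Jane Smith <ceo@example-ltd.co.uk>\nReply-To: jane.ceo@gmail.com\n\n",
    "From: Supplier <accounts@acme-supplies.example>\nSubject: Invoice 1042\n\n",
)

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        result = check_message(raw)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{flag:10} {result['from']:40} {'; '.join(result['reasons'])}")
```

Treat a "lookalike" or mismatched Reply-To as a reason to pause a payment request and verify it out of band, not as proof of fraud on its own: legitimate partners do use third-party mail services, so the check is a prompt for the two-person authorisation step, not a replacement for it.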

5. “BYOD” creates added vulnerabilities – use Mobile Device Management

“Bring Your Own Device” (BYOD) policies are becoming hugely popular.
Arguably they can be a good way of bringing costs down and encouraging more
agile and flexible working. While these policies save money on equipment,
they also put additional strain on security. Monitoring the use and sharing
of sensitive data on employees' personal devices can be extremely
challenging. If valuable data ends up on a personal device, that device can
provide a back door into the company that is easier and cheaper for hackers
to exploit than core systems.

To avoid such breaches, SMEs should have Mobile Device Management (MDM)
policies to accompany their BYOD ones. Once a device is connected to MDM
software, the organisation can enforce security and compliance policies,
grant or deny the device's access to sensitive data and wipe clean a device
that has been lost or stolen.

An increasing number of SMEs are becoming victims of cyber-crime because
cyber-criminals view them as “easy targets”. Given the lack of adequate and
sophisticated security defences in place, a certain number of those reading
this article will find themselves and their business the victims of
expensive (or potentially ruinous) cyber-attacks.