Special thanks to the author of this post – Scott Birmingham who has over 25 years of experience in the technology sector and is the founder of Birmingham Consulting Inc., an IT consulting firm serving southern Ontario.
Just what is “cybersecurity”? Wikipedia has this definition:
“Cybersecurity…is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.”
That’s a pretty broad definition. As a business owner, how are you supposed to understand how to ensure that you are secure? And because it’s such a broad topic, it can be daunting to even think about dealing with it.
In fact, many business owners don’t even give it a second thought. When discussing security with business owners, I’ve heard statements such as:
“We’re a small fish. Nobody cares about any information we have. So what if we get hacked?”
“As long as we can run our production equipment, I don’t care what happens.”
“We have extra copies of our important information. If we get hacked, we won’t lose anything.”
The rise of threats like ransomware have put statements like these to the test. In fact, a recent security report from IBM found that for the first time, people are prioritizing security over convenience.
Given that cybersecurity is a field unto it’s own within IT; it’s not possible for an article like this to cover everything a business owner needs to consider. Instead, here are three common ways that businesses are compromised and some practical steps to protect yourself.
Phishing is an attempt to trick someone into doing something that will reveal or compromise information – usually by email.
Back in the early days of computers (before email), similar attempts would be made by phone or even traditional mail; and was called “social engineering”. In fact, when one of the greatest hackers of all time was caught by the FBI, Kevin Mitnick revealed that he was only able to do what he did because he was able to socially engineer information out of people.
I’m sure you’ve all received emails announcing that you have a parcel waiting – just click on the link to have it delivered. The link might take you to a fake page simply to record the information you enter; or it could trigger your computer to install some kind of virus. Often, an attachment is included; and by opening the attachment, your computer is compromised.
Sometimes these things exploit vulnerability on your computer; so you should always ensure that the latest security updates are installed. However, many times, the criminal is simply relying on a person to click through the steps; so being up to date doesn’t help.
Security software such as Defender, Norton, Avast, etc., will sometimes catch a bad link or attachment; but more often than not, it gets missed. Criminals are always coming up with new ways to trick people so by default, security software is always one step behind and has to play catch-up.
In other words, no matter how well protected you are from a technology standpoint, the best defence is you and your staff constantly being on guard against malicious messages. A quick Internet search will reveal numerous online training courses that you and your staff can participate in; but here are a few simple “rules of thumb”:
- If you receive an unsolicited email from someone or somewhere you don’t recognize, the “safe bet” is to treat it as fraudulent and delete it.
- If you receive an unsolicited email from a company you recognize but it contains spelling, grammatical, or formatting errors, chances are it’s fake and can be deleted.
- If you receive an email from someone you know but it only contains a link, possibly with a subject along the lines of “Check this out”, chances are that person’s email account has been compromised and the link is malicious. Best course of action is to delete the message and contact the person by phone to let them know.
- Anything requesting information from a government agency or bank has a very high chance of being fraudulent.
Here are a couple of other ways to check the validity of emails or links:
- Look at the actual sender’s email address, not just the name displayed.Example from an actual fraudulent email:
The display name showed “Microsoft Office 365” but the actual sender’s address was firstname.lastname@example.org. The actual source is alart.com, not Microsoft.
- Hover your mouse over a link BUT DON’T CLICK ON IT. Hovering over it will reveal the actual address of the link.Example of another actual fraudulent email:
The link in the body of the email was https://appleid.apple.com and looks completely legitimate. However, hovering over the link revealed that it actually pointed to https://qool-ecommerce.fr – definitely not an Apple site.
The last two examples above, show a type of impersonation that falls under the category of brand impersonation. There are many forms; but the essence of brand impersonation is that someone is trying to make it appear that they represent a legitimate company. In our experience, brand impersonation is usually in the form of generic mass phishing emails and are relatively easy to identify.
The other form of impersonation we often see is the business owner being impersonated, or someone in authority within the company, a vendor, or a client. Usually, the email is for a request of payment or transfer of funds.
Sometimes, such impersonations are relatively easy to spot. Just like the phishing examples above, the display name might match the business owner or vendor’s name; but the actual sender address is completely different.
Usually, these low-grade impersonations are sent to group addresses at your company rather than someone specific. Addresses like accounting@ or payables@ or email@example.com are susceptible to these types of impersonations.
The fraudster may even go a step further and created a free Gmail or Outlook.com address with the legitimate name in the actual address. People mistakenly think that the person sent the email from a personal address instead of the work address; so they go ahead and follow the instructions in the email.
The most professional impersonations involve the fraudster going to the effort of learning who key individuals are within your company, the format of your email addresses, and registering a domain that looks almost identical to yours. Consider the following example:
Company name and domain: Your Company, yourcompany.com
President’s name & email: John Smith, firstname.lastname@example.org
Controller’s name & email: Frank Jones, email@example.com
Fraudster knows who the president and controller are and purchases a domain called “yourconpany.com”. Note that the only difference is the “m” replaced by “n”. He also creates an email address for a fictitious John Smith: firstname.lastname@example.org.
Now he sends an email from the fictitious John Smith to the real Frank Jones, addresses him by name, and requests a transfer of funds to an account identified in the email.
Frank receives the email; but during his busy day he doesn’t notice that the domain name is slightly different, so he performs the transfer and replies to the fake address to confirm that it’s complete.
The same kind of scheme can be used to impersonate a vendor to request payment.
This example may sound far-fetched; but it wasn’t made-up. It’s actually happened to more than one business in the greater Toronto area. Some businesses identified the scam just in time to abort the payment; but others have lost tens of thousands of dollars to this kind of scam.
If this type of scam does happen to your company, be sure to report it to law enforcement.
As with phishing, the best defence is employee awareness. Providing training for employees to explain the risks and the importance of being diligent could save your business thousands of dollars.
In addition to employee training, a good preventative practice is to update your financial policies to include multiple approvals before any payment takes place.
Confidential Information Leakage
As mentioned above, some business owners don’t think their information is valuable enough for someone to make an effort to obtain it. But what if your client list, client agreements, payroll information, or vendor agreements were made available to people who shouldn’t have it?
Any one of these examples would harm the business in some way; and some would even carry criminal charges. What if your competition knew your exact cost and pricing? Or what if your clients became aware of your profit margins? What if your employee or client personal information was disclosed?
Aside from the large information breaches that you hear about in the news, most leaks of confidential information from small and mid-sized businesses does not occur due to hacking activities. The vast majority occur either accidentally in the normal course of business, or intentionally by a trusted individual.
Let’s look at ways that confidential information can be accidentally leaked.
One of the most obvious ways is through the loss or theft of a physical device such as a smart phone, laptop, USB stick, or external hard drive.
But here’s a not-so-obvious way that is much more commonplace than device loss: Employees using personal email or personal cloud file sharing services like Dropbox, OneDrive, G-Drive, etc.
When an employee is unable to transfer a file using company means, they may resort to using their personal cloud file sharing service to do it. Most times, it’s perfectly innocent – the employee simply wants to do their job, encountered a problem, and figured out how to solve it.
But once a file has been uploaded to the employee’s personal account, the employer loses all ability to control or track what happens with that file. Who knows who has access to that information? Employee family members or friends? From there, friends of friends?
Password protecting files can help; but experience has shown that the majority of files within an organization are not password-protected. In IT parlance, this is part of the world of “Shadow IT” – technology implemented by employees to make their job easier; not necessarily considering the risks to the organization.
In terms of protecting your business, your network can be completely locked down to prevent such occurrences; but this can be expensive and create other issues that make it more difficult for people to do their jobs – which in turn, leads to more ways to “beat the system” and therefore more ways for information loss to occur.
The best defence is having solid IT usage policies in place, having employees commit to following them, and having appropriate measures in place to enforce adherence. Work with your HR department and employment legal counsel to create appropriate policies. Many employment law firms are not familiar with the risk associated with these types of usage cases; so be sure to research a firm that is familiar.
We’ve discussed three ways that your business could be compromised but what if, despite your best efforts, something bad does happen? There are many things to consider if your information is compromised; but one of the most important is to have a solid backup strategy.
This is probably old news to most business owners. However, in our experience, over 90% of businesses are not properly backed up. Of that 90%, half think they’re backed up. Unfortunately, many of them found out the hard way after a cybersecurity incident occurred, that even though they thought they were backed up, the reality was that they weren’t.
A solid backup strategy includes the following:
- Having at least 3 copies of your data:
- “Live” data
- Local backup
- Offsite backup
- Backups are performed automatically (no human intervention required)
- You have an archive of your data to enable you to restore to any point in time, not just a copy of current information or yesterday’s or last week’s.
Here are two things that backup is NOT:
- Sync’ing your files to the cloud using a service like Dropbox, OneDrive or G-Drive. If you accidentally delete a file or get infected with ransomware, those changes get sync’d everywhere. You’re OK if the cloud service provides some form of retention; but if it takes a few weeks for the missing file to be noticed, you’re out of luck.
- Copying data to a USB stick or external hard drive every day. If data gets corrupted today and gets copied to the device, now you’re “backup” is also corrupted.
When considering your cybersecurity, here are some words of wisdom from the security community:
- It’s not a matter of IF you’ll be compromised, but WHEN.
- Assume that you’ve already been compromised.
With these sobering words in mind, have contingency and recovery plans in place before it happens. For example, having answers to questions like the ones below before an incident occurs will help when it actually does happen. By no means is this an exhaustive list; but hopefully you get the idea:
- What should be, or needs to be, communicated to clients and vendors?
- When does law enforcement need to be informed?
- How fast do we need to be functional again? How long can we afford to be down?
- What steps are involved in getting the business functional again?
- Do we test our plans on an annual basis to make sure they work as expected?
Regardless of the business you’re in; IT systems and the information they contain are one of your most important assets and should be protected as such.
Copyright : Maksym Yemelyanov | 123rf