If cybercriminals were lions, small business would be a herd of antelope. Rarely are they individually targeted; the lioness simply takes down the weakest one. So, it’s all about survival of the fittest: follow a few safety rules that the rest of the herd doesn’t know, and your business could remain breach-free for another year.
Successful new tactics from cybercriminals force us to provide new advice every six months. In a widely quoted study, the National Cybersecurity Alliance states that 77% of small businesses think they are adequately protected, but one in five is successfully breached every year. And unfortunately, 60% of those will go out of business because of the attack. Since the single most devastating cybersecurity event in the life of a small business is loss of money, this problem deserves special attention.
“One in five small businesses is breached every year.” – @cjonsecurity
For several years now, a majority of businesses have been using online banking. This makes business bank accounts a key target for cybercriminals, who have had plenty of time to refine their attack tools and tactics. Adding insult to injury, banks rarely accept responsibility for such losses, which tally hundreds of millions every year. Fortunately, it turns out to be relatively easy to make dramatic improvements towards securing your accounts. Here are the steps:
- Pick a computer that can be dedicated to the singular task of banking. It must be able to access the internet and support the Chrome browser.
- Duct tape this message to the system: “Under penalty of death or imprisonment, this computer will never be used to browse the web or check email.”
- Delete all unused software on the system.
- When it comes time to connect to the bank, ensure this system is the only one on the network.
  - One easy way to do this: turn on the Wi-Fi hub you use while out of the office (never trust public Wi-Fi!), and make sure no other devices have the password.
  - Alternatively, do your banking at a time when most employee devices aren’t connected.
- Change the bank login password every quarter, and share it with no one for any reason. Do not share the password over the phone or email. The password should be unique and only ever be used to log into the account from the clean system.
If you allow anyone else in the company to engage in online banking, ask them to take a quick primer about cybercrime safety first. This will make them much more likely to follow the rules you have mandated.
Here is a deeper dive on some of the suggestions above:
Eliminating both email and browsing on the dedicated device effectively kills the two top methods of malware infection. With regard to email, recent studies have suggested over 50% of email now is phishing. Phishing is email sent by cybercriminals attempting to persuade the receiver that they are a legitimate entity (bank, hotel, social website, etc.) and that the victim should divulge sensitive information or open an attached (malicious) file.
Software needs to be patched religiously – or axed from the system.
Cybercriminals love unpatched software. By probing a visiting system from a compromised web server, cybercriminals can ascertain exactly what software is being used. The criminal can then serve up malware that targets vulnerabilities in those applications. Patch software religiously or remove it from the system.
Keeping other devices off the network while banking eliminates the possibility that an infected device (which may be a cell phone) is “sniffing sideways” to see what else is on the network. As it detects other devices, the infected device will attempt to infect them too. We can’t control what employees do with their devices at home, but we can keep them temporarily off the business network when necessary.
Of course nothing is an absolute guarantee that your company won’t be compromised. Cybercriminals are making too much money to stop: conservatively speaking, over $100 billion a year. They also have incredible resources at their disposal (some of the best malware in the world sells for as little as $2,000), so every sector of the economy is under constant attack. But, if you are even a little bit better protected than the small business next door, your chances of staying safe improve radically. Unfortunately for the rest of the herd, cybercriminals bent on breaching SMBs rarely have to work very hard to do it.
Cynthia James is Director of Business Development, CISSP, for Kaspersky Lab’s technology integration group. Her career in IT spans 25 years with eight years spent in the anti-cybercrime arena. James speaks often on cybersecurity topics and is the author of Stop Cybercrime from Ruining Your Life! Sixty Secrets to Keep You Safe.