66% of Small and Medium Size Business Leaders Are Delusional

The title may seem a little harsh, but according to Keeper Security’s 2019 SMB Cyberthreat Study, 66% of SMB business leaders do not believe they will be victimized by a cyber-attack.  That’s two out of three business owners.  I would love to say I’m shocked, but my experience with my own clientele confirms it.

According to the Ponemon Institute, the reality is that two-thirds of all SMBs have experienced a cyberattack in the last year.  I have helped clients recover from the aftermath of crypto-ransomware attacks, business email compromise and hijacking, fraudulent wire-transfers and invoices, website hijacking, and of course tons of phishing emails and related social engineering exploits.  Or they succumb to an insider threat such as embezzlement.  Most of the victims take the hit, shrug their shoulders, and just keep on doing what they have always done.

The harsh reality is that cyber-attackers know that small and medium sized businesses are sweet, ripe, and juicy targets that are easy pickings.  Because they rarely have security controls in place beyond anti-malware software, their networks are easy to breach.  There is little in the way of IT staff and nothing in the way of a cybersecurity staff.  They rely almost exclusively on endpoint security software because it is the only solution they understand and feel they can afford.

The absence of any cybersecurity awareness training for their staff means that phishing and social engineering often work with relative ease.  The staff uses easily guessable passwords.  These small companies pay fake invoices that seem to come from real vendors, who may have been breached themselves.  They open attachments in emails that appear to come from shippers such as FedEx and UPS.  They click on links in phishing emails that appear to come from their banks or suppliers.  They believe emails saying that there is a problem with their email account, or that they are over their storage quota, and log in to a fake email support page, handing their email credentials to the attacker.  They respond to bogus requests for quotes.  They are storing stolen identity documents, pornography, and other illegal documents on their own file servers, which have been compromised by an attacker.  Their computers are mining Bitcoin for an unknown attacker.  In many cases, they have had a cyber-attacker living on their network for months without knowing it.

What can a small business owner do?  Here’s my short list:

  • Cybersecurity awareness training is the best bang for your buck.
  • Start using longer and stronger passwords, and a password manager to keep them straight and easy to use.
  • Start using two-factor authentication, at least with your financial accounts and email.
  • Secure your website, and protect it behind a web-application firewall.
  • Use an Internet security and DNS proxy service such as Cisco Umbrella or Quad9.
  • Install a next-gen firewall with intrusion detection and prevention capabilities and pay for the annual security subscriptions.

These solutions may add several thousand dollars a year of additional expense to your operations, but one fraudulent wire-transfer can cost a lot more.  At the end of the day, this is an inexpensive way to add the security controls you need to really protect your business from an expensive cyber-attack.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments. I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, the Secure360 Security Conference in 2016, 2017, 2018, and 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and at many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com
