First of all, let’s discuss why education is important. All too often we hear about prominent corporations and organizations being targeted by cyber attacks. Many major incidents have resulted in data breaches, ransomware infections, and phishing scams.
What we typically don’t hear about are the attacks that are executed against small businesses. According to Small Business Trends, attacks against small businesses accounted for 43 percent of all cyber attacks in 2015.
While the vast majority of these were phishing and vishing attacks, there are other forms of attacks that target unsuspecting employees and can put your business in jeopardy.
Employees need to be educated on the attacks that are typically used against small businesses and how to recognize them. Below are the predominant attacks used by cybercriminals and how they can be prevented.
The attacks and how to prevent them
Phishing and vishing are attacks used to steal personal information or credentials. Phishing is typically email based: the attacker impersonates a legitimate company or trusted individual to acquire private information. The emails commonly use threats or a sense of urgency in an attempt to frighten the user into revealing information, and the success of the scam depends on how authentic the email appears. A vishing attack is similar to phishing but takes place over the phone. It typically takes the form of an automated call that appears to come from a legitimate organization; caller ID can be spoofed, so the displayed number proves nothing about who is really calling.
Users should be periodically trained to inspect links before clicking them: hover over (or long-press) a link to see where it actually leads, and compare that destination with the one the visible text claims. They should also look for other telltale signs such as grammatical mistakes, spelling errors, and generic salutations. When in doubt, verify the request by contacting the company directly using contact information found independently, not taken from the email.
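As an added illustration of the link checks described above (this is example code written for this article, not a tool from the original post or from Infusionsoft), the following Python script pulls every link out of a constructed phishing email body and flags the tricks a reader is taught to look for by eye: visible text that names one domain while the link goes to another, a "user@host" prefix that the browser discards, a raw IP address in place of a name, and punycode hosts that can render as look-alike letters. The sample email, domains and addresses are made up; the registrable-domain helper is a deliberate approximation.

```python
"""Spot the link tricks phishing emails use, before anyone clicks.

Added example for this article, not code from the original post. It reads
the HTML body of an email, collects every link, and reports the cases the
article tells users to look for by eye.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample phishing email body; every domain and address is made up.
SAMPLE_EMAIL_HTML = """
<p>Dear Customer, your account will be suspended in 24 hours.</p>
<p>Please <a href="http://paypal.com.account-verify.example/login">
log in at https://www.paypal.com</a> to confirm your details.</p>
<p>Or use <a href="http://www.paypal.com@203.0.113.10/">this link</a>.</p>
<p>Questions? Visit <a href="https://xn--pypal-4ve.com/help">paypal.com/help</a>.</p>
<p>Legitimate: <a href="https://www.paypal.com/">https://www.paypal.com/</a></p>
"""

# Something that looks like a hostname (optionally with a scheme) inside link text.
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so multi-line anchor text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable_domain(host):
    """Last two labels of a hostname (www.paypal.com -> paypal.com).

    Rough approximation for the demo; production code should use a
    public-suffix list so that names like example.co.uk are handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, text):
    """Return the reasons a link looks deceptive; an empty list means none found."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if not host:
        return ["no host in link"]
    if parts.username is not None:
        reasons.append("text before '@' is ignored by the browser; real host is " + host)
    if host.replace(".", "").isdigit():
        reasons.append("raw IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (xn--) host, possibly a look-alike domain")
    shown = HOST_IN_TEXT.search(text)
    if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
        reasons.append(f"visible text says {shown.group(1)} but link goes to {host}")
    return reasons


def inspect_email(html):
    """Return [(href, visible_text, reasons)] for each link that trips a check."""
    collector = _LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = inspect_link(href, text)
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in inspect_email(SAMPLE_EMAIL_HTML):
        print(f"SUSPICIOUS: '{text}' -> {href}")
        for reason in reasons:
            print("   -", reason)
```

Run it as-is and three of the four links are reported; the genuine one, whose visible text and destination agree, passes. The same checks can be pointed at a real message body pulled from a mail store, and the mismatch rule is the one that catches the most common trick: a link whose text says the right company while the href says something else.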
Ransomware is one of the most devastating cyber attacks. If successful, it prevents you from accessing and using the data on your computers, holding the computer or its files for “ransom” until you do something to regain use of them. Typically that is some form of payment, but some ransomware variants instead require the user to complete surveys to unlock the system.
Ransomware is on the rise, and because of the sheer number of incidents and the sophistication of the attacks, an assistant special agent with the FBI suggested at the 2015 Cyber Security Summit that companies may want to give in to the cyber criminals’ demands. Paying should be a last resort: a regular, tested backup that is kept offline or otherwise out of the attacker’s reach is what lets you restore your files without paying.
Training your employees on how to spot potential ransomware attacks is imperative. The training should cover the dangers of visiting suspicious or fake websites, of opening email attachments from anyone you do not absolutely trust, and of clicking links in emails, on Facebook and other social media sites, and in instant messenger applications. Using pop-up blockers can also help. The key is to always be skeptical, and if you’re ever unsure, just don’t click.
Malware is a term used to describe a variety of cyber threats, including viruses, trojans, and worms; ransomware is itself one form of malware. Like ransomware, it is typically introduced into your system through email attachments, links, or software downloads, and it is usually designed to steal or destroy data on the system.
The best way to prevent malware is to avoid clicking links or opening email attachments from unknown, untrusted senders. Technical controls back that up: keep firewalls and email filtering up to date, and configure the mail filter to block or quarantine attachment types that run code (executables, scripts, macro-enabled documents) rather than relying on file size, which says nothing about whether an attachment is malicious. However, educating your employees on what to look for and how to deal with the threat is your first line of defense.
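To show what “what to look for” means for attachments (an added example written for this article, not code from the original post or from any product it mentions), the following Python script builds a constructed email with four attachments and applies the checks a mail filter or a careful employee should apply before anything is opened: executable file types, document-looking double extensions such as invoice.pdf.exe, and contents that do not match the file name, for example a Windows executable renamed to .pdf. The sender, recipient, file names and file bytes are all made up; the extension and magic-number tables are deliberately short.

```python
"""Check email attachments before anyone opens them.

Added example for this article, not code from the original post. It applies
the rules a mail filter (or a careful employee) should apply: block file
types that run code, be suspicious of document-looking double extensions,
and compare the file's real contents with what its name claims.
"""
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types that execute code when opened; quarantine these by default (short list).
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js",
    ".jse", ".wsf", ".hta", ".jar", ".lnk", ".msi", ".docm", ".xlsm", ".pptm",
}
# Harmless-looking extensions attackers put in front of the real one (invoice.pdf.exe).
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# First bytes that identify a format ("magic numbers").
MAGIC = {
    b"MZ": "Windows executable (PE)",
    b"\x7fELF": "Linux executable (ELF)",
    b"%PDF": "PDF",
    b"PK\x03\x04": "ZIP container (docx/xlsx/zip/jar)",
}
# What the contents should start with, given the extension in the name.
EXPECTED_MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04",
                  ".zip": b"PK\x03\x04", ".exe": b"MZ"}


def identify(data):
    """Describe the real file type from its first bytes, or None if unknown."""
    for signature, name in MAGIC.items():
        if data.startswith(signature):
            return name
    return None


def check_attachment(filename, data):
    """Return the reasons an attachment should be quarantined (empty = none)."""
    reasons = []
    root, ext = os.path.splitext(filename.lower())
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable file type {ext}")
    inner_ext = os.path.splitext(root)[1]
    if inner_ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"double extension {inner_ext}{ext} hides the real type")
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not data.startswith(expected):
        reasons.append(f"name says {ext} but contents are not a {ext} file")
    kind = identify(data)
    if kind and "executable" in kind and ext not in EXECUTABLE_EXTENSIONS:
        reasons.append(f"contents are a {kind} disguised as {ext or 'no extension'}")
    return reasons


def scan_message(msg):
    """Return [(filename, reasons)] for every attachment that trips a check."""
    findings = []
    for part in msg.iter_attachments():
        filename = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = check_attachment(filename, data)
        if reasons:
            findings.append((filename, reasons))
    return findings


def scan_raw(raw_bytes):
    """Same check on a raw message, as it would arrive at the mail server."""
    return scan_message(message_from_bytes(raw_bytes, policy=policy.default))


def build_sample_message():
    """Constructed 'overdue invoice' email; sender, recipient and files are made up."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.example"
    msg["To"] = "ap@smallbiz.example"
    msg["Subject"] = "Overdue invoice - action required"
    msg.set_content("Please review the attached invoices today.")
    samples = [
        # name, first bytes of the (fake) file, MIME main type, MIME subtype
        ("invoice_4412.pdf", b"%PDF-1.4\n1 0 obj\n", "application", "pdf"),
        ("invoice_4413.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00", "application", "octet-stream"),
        ("statement.pdf", b"MZ\x90\x00\x03\x00\x00\x00", "application", "pdf"),
        ("report.docx", b"PK\x03\x04\x14\x00\x06\x00", "application", "octet-stream"),
    ]
    for name, data, maintype, subtype in samples:
        msg.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return msg


if __name__ == "__main__":
    for name, reasons in scan_raw(build_sample_message().as_bytes()):
        print(f"QUARANTINE {name}")
        for reason in reasons:
            print("   -", reason)
```

The two real documents pass; the .pdf.exe is caught twice (executable type and double extension), and the renamed executable is caught even though its name and declared MIME type both say PDF, because the check reads the bytes rather than trusting the label. That last rule is the one a human cannot apply by eye, which is why it belongs in the mail filter.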
Another danger facing small businesses (and large ones) is employees bringing in personal devices such as phones, thumb drives, and other devices that can be connected to your computers and may harbor some of the threats described above.
The best way to prevent this threat is to communicate your policies and expectations regarding these devices to your employees. The safest course of action is to not allow any personal devices to be connected to your systems, and to ensure that your people understand the risks of doing so.
While it may sound unpleasant, people will always be your weakest link when it comes to your cybersecurity. One of the best ways to mitigate the risk is to provide regular education on cyber security best practices. They need to understand the significance of protecting customer and business information and their role in keeping it safe. They need to have a basic understanding of the risks and how to use good judgment when using email and while online. Finally, they need to know the practices they are expected to follow in the office environment in order to keep your business as safe as possible.
There are also some low-cost and free training resources that can be used to educate your staff. Websites such as Phishme.com and WombatSecurity.com offer free classes and resources that help in your quest to become cyber-secure.
Ron Smith is an Infusionsoft Sr. Quality/Security Engineer. Having served in the USAF as a security specialist, he became passionate about security. During his 20-year career he has worked for very large companies such as Microsoft, Intel, and Pearson, but his love for small business carried him to Infusionsoft. He is also the father of five boys and an avid Harley Davidson rider and home brewer.