This year, Cybercrime Support Network (CSN) was honored to collaborate with Verizon on their annual Data Breach Investigations Report (DBIR). For the past 15 years, Verizon has analyzed data from its own security incident response teams, together with data submitted by contributing partners, and published the results in the DBIR. The DBIR is one of the most respected, de facto industry-standard reports for a yearly overview of data breach and cybercrime trends. CSN contributed information about cybercrime affecting small businesses and how they can better protect themselves.
DBIR At First Glance
Data from the Verizon DBIR shows that small businesses face cyber threats just as large businesses do. Of the 23,896 security incidents analyzed, small businesses (those with up to 1,000 employees) experienced more security incidents than businesses with over 1,000 employees: 2,065 incidents versus 636. Very small businesses, those with fewer than 10 employees, experienced 832 security incidents, more than 40% of all small-business incidents. Why? Largely because very small businesses lack the cybersecurity resources that larger businesses have, and cybercriminals know it.
The data shows that small businesses have to protect themselves from cybercriminals, just as large businesses do. So let's delve a little deeper into the DBIR data: if we understand cybercriminals' motivations and tactics, we can improve our defenses against them.
Why and How Cybercriminals Target Small Businesses
Not surprisingly, the DBIR found that 100% of the threat actors targeting small businesses were financially motivated, and ransomware is the top way criminals attack them. To get ransomware into a small business, cybercriminals almost always use one of three techniques:
- Using stolen credentials (username and password) to access systems,
- Tricking employees into clicking on malicious email links or attachments, or…
- Taking advantage of system vulnerabilities.
This year, 82% of the breaches in the DBIR involved the human element, so everyone needs to be on guard against social engineering. Social engineering is an attempt to manipulate a person into handing over information or money, or into taking an action such as clicking a link or opening an email attachment. These attacks may arrive by email, text message or phone call. (Yes, some cyberattacks now start with a phone call.)
Phishing scams, such as emails that falsely urge you to reset your password immediately or to click a link to dispute a credit card charge, are also social engineering. A related attack discussed in the DBIR is the business email compromise (BEC) scam. These scams typically try to manipulate employees into sending a wire transfer, or into buying gift cards and reading back the card numbers. BEC scammers may even trick employees into changing a vendor's payment information to a financial account the criminal controls.
How to Protect Your Business
The good news is that many of the same safeguards protect against both ransomware and social engineering. Here are some of CSN's suggestions, including ones Verizon lists in the DBIR.
Start by protecting system accounts:
- Create strong, unique passwords. "Unique" means you do not reuse a password between accounts. Your work password should be different from your social media password, which should be different from your online banking password, which should be different from your personal email password, and so on. A password manager can generate these passwords and remember them for you.
- Use multi-factor authentication (MFA). MFA (sometimes called two-factor authentication, 2FA, or strong authentication) means you must present more than a password to sign in, such as a code from an authenticator app on your smartphone or a hardware security key. A code sent by text message is better than no MFA at all, but an app or hardware key is harder for criminals to intercept or trick you out of.
Learn how to spot and stop social engineering and phishing attempts:
- Verify unusual requests for information or money using a different technique or communication method than the original request came through. For example, verify emailed requests by talking in person or using a known telephone number. Never use the telephone number provided by the email/document that you are trying to confirm.
- Do not reply to emails or text messages that appear unusual, sensational or suspicious.
- Do not click on unexpected links or attachments in emails or text messages.
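The BEC scams described above (a vendor or executive impersonation asking for a payment change, a wire transfer or gift cards) leave traces in the message itself that can be checked before anyone acts on the request. The Python script below is an added example and is not part of the CSN post or the DBIR. The vendor domains, executive names, company domain and sample emails are constructed for illustration, and the heuristics (a Reply-To that routes to a different domain, a sender domain that imitates a real vendor, an executive's name on an outside address, and payment-change wording) are a starting point for triage, not a replacement for verifying the request by a known phone number.

```python
"""Heuristic BEC / phishing triage for a small-business mailbox (added example).

Everything below is constructed: the domains, names and sample messages
stand in for an organization's own vendor list and staff directory.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Assumed: domains this business legitimately receives invoices from.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind-freight.com"}
# Assumed: our own domain and the senior staff most likely to be impersonated.
OUR_DOMAIN = "example-smallbiz.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Wording typical of the payment-change, wire-transfer and gift-card lures.
LURE_PHRASES = (
    "wire transfer", "gift card", "updated bank", "new account number",
    "change our payment", "urgent", "confidential", "before end of day",
)


def _domain(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body(msg) -> str:
    """Plain-text body, joining parts if the message is multipart."""
    if msg.is_multipart():
        return " ".join(str(p.get_payload()) for p in msg.walk() if not p.is_multipart())
    return str(msg.get_payload())


def lookalike_of(domain: str, known: set) -> Optional[str]:
    """Return the known domain that `domain` imitates, or None.

    Catches near-typos (acme-suplies.com) via similarity ratio and common
    confusable substitutions (rn for m, 0 for o, 1 for l) via folding.
    The genuine domain is never flagged.
    """
    if not domain or domain in known:
        return None
    folded = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    for k in sorted(known):
        if folded == k or difflib.SequenceMatcher(None, domain, k).ratio() >= 0.85:
            return k
    return None


def triage(raw_message: str) -> list:
    """Return human-readable warning signs found in one raw email message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = _domain(from_addr), _domain(reply_addr)
    findings = []

    # 1. Replies silently routed to a different domain than the visible sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 2. Sender or reply domain imitates a vendor we actually pay.
    for header, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        imitated = lookalike_of(dom, KNOWN_VENDOR_DOMAINS)
        if imitated:
            findings.append(f"{header} domain {dom} looks like vendor {imitated}")

    # 3. An executive's display name on an address outside our own domain.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_dom != OUR_DOMAIN:
        findings.append(f"Display name '{from_name}' used from external address {from_addr}")

    # 4. Payment-change or urgency wording in the subject or body.
    text = (msg.get("Subject", "") + " " + _body(msg)).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        findings.append("Lure wording: " + ", ".join(hits))
    return findings


# Constructed sample: vendor impersonation with a typo-squatted From domain
# and a confusable (rn for m) Reply-To domain, asking for a payment change.
SAMPLE_BEC = """\
From: Accounts Payable <billing@acme-suplies.com>
Reply-To: billing@acrne-supplies.com
To: owner@example-smallbiz.com
Subject: Updated bank details - urgent

Please change our payment details to the new account number below before end of day.
"""

# Constructed sample: an executive's name on a free webmail address, gift-card lure.
SAMPLE_CEO = """\
From: Jane Doe <jane.doe.ceo@freemail.example>
To: bookkeeper@example-smallbiz.com
Subject: quick favor

Are you at your desk? I need you to buy gift cards for a client, keep this confidential.
"""

# Constructed sample: a routine invoice from the genuine vendor domain.
SAMPLE_OK = """\
From: Accounts Payable <billing@acme-supplies.com>
To: owner@example-smallbiz.com
Subject: Invoice 1042

Attached is this month's invoice. Thanks for your business.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("CEO", SAMPLE_CEO), ("OK", SAMPLE_OK)):
        print(label, triage(sample) or "no warning signs")
```

A message that produces any finding should be treated as a prompt to stop and verify the request through a channel the email did not supply, such as a phone number already on file for the vendor, exactly as the list above advises. An empty result is not proof a message is safe; a well-crafted BEC email from a compromised real vendor mailbox would pass these checks, which is why the out-of-band call matters most of all.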
Prevent cybercriminals from exploiting system vulnerabilities:
- Install security updates on your systems and mobile devices promptly.
- Turn on automatic updates, so that the fixes a developer pushes for an app, program or operating system are installed without anyone having to remember to do it.
- Back up your information regularly and keep a copy offline, disconnected from your network, so ransomware that reaches your systems cannot encrypt the backup too. Test restoring from a backup now and then; a backup you have never restored is an assumption, not a safeguard. If your systems are hit by ransomware, the backups are what let you restore your information.
Reinforce your security:
- Be alert for anything strange or out of the ordinary. These warning signs can indicate that something malicious is happening:
- Unexpected charges on your phone bill or on bank or credit card statements.
- Phone calls asking for your password or credit card number.
- Requests to change the account number, or the way you pay, for a regular vendor or client.
- Develop a plan for the steps to take if your organization experiences a security incident.
- As the DBIR says, do this ahead of time instead of waiting until your company's "hair" is on fire.
- A good place to start is a document with the contact information for all of your vendors and for your bank's fraud department. Add other critical information as you see fit, such as software license keys and bank account numbers.
- Keep a printed copy in a very secure place to speed up recovery. Don't rely only on a copy on your computer or phone; it may be unavailable, or encrypted, as part of the attack.
- If your car suddenly won't start, runs slowly or makes a strange noise, you have an expert take a look. The same goes for your devices. If you notice a problem, it is best to contact a professional to help you deal with it.
While ransomware and social engineering are the most common cyber threats to small businesses, they are not the only ones. Review the DBIR, familiarize yourself with resources that can reinforce your cybersecurity, such as those on FightCybercrime.org, and implement the suggested safeguards. This is the cyber equivalent of locking your car doors to keep thieves from stealing your valuables.