The cyber-security stakes have gotten higher for enterprises with the recent news that a hospital in Los Angeles had to fork out $17,000 to pay cyber criminals after they crippled its network.
The ransomware that infected Hollywood Presbyterian Medical Center and the ransom they had to pay the hackers to unlock their system reflect the newest danger facing any organization that has a computer network.
The hospital’s case is not an isolated one, and experts are warning that cyber criminals have increasingly switched their targets from big companies to small and mid-sized businesses as their networks are easier to infiltrate, largely because they cannot afford the same sophisticated network security as large companies can.
The “Symantec 2015 Internet Security Threat Report” found that more than half of all cyber attacks were directed at small and mid-sized businesses, with hackers using an array of attack methods.
The “2015 U.K. Government Security Breaches Survey” found that 74% of small organizations had reported a security breach in the last year.
According to the Symantec report, 52% of spear phishing attacks – which are carried out using fake e-mails that contain links to malicious code – were targeted against SMEs.
The issue of cyber security for small businesses is made even more pressing by state laws that can result in fines for organizations that fail to notify authorities and anybody whose personal data or credit card information may have been breached in an attack.
The most common types of attacks on SMEs include:
• Ransomware – This is a piece of malicious software, typically received via a phishing e-mail, that encrypts all of the data on a company’s network, with the perpetrators requesting a ransom (typically $1,000 to $2,000) in order to provide the decryption key.
• Hack attack – A hacker manages to gain access to a company’s network, typically by exploiting an unpatched vulnerability within the software, allowing them access to the company data. The target will generally be personally identifiable information on a company’s customers, especially credit card information, or employees whose Social Security numbers and other identifiable information may be exposed for the purposes of identity theft.
• Denial of Service attack – This is when a company’s website is deliberately overwhelmed by a flood of traffic directed at its servers so that legitimate users cannot reach it. These attacks are increasingly easy and cheap to carry out, with some online tools costing as little as $30 per hour.
• Human error – People are generally the weakest link in any security chain, and many breaches are the result of information being lost, or distributed to the wrong person. Even the seemingly mundane can have far-reaching consequences, particularly where sensitive personally identifiable information is involved.
• CEO fraud – This is where a criminal poses as a senior person within a firm, either by hacking or “spoofing” their e-mail account, and convinces someone with financial authority to make a payment.
What you can do
There are several simple steps you can take to reduce your chances of being attacked:
• Use secure passwords that contain a combination of lower- and upper-case letters, digits and other symbols.
• Install antivirus and anti-malware software on all company devices, including any mobile devices. You should also install such apps on any of your employees’ mobile devices if they are using them for company business, particularly if they connect to your VPN or access your network.
• Apply software updates promptly, as they contain vital security fixes, and educate staff on cyber risks. If you have software and are notified that it needs to be updated, don’t hesitate to do so.
• Develop and implement e-mail, Internet and social media policies for your employees to follow. The policy should include the requirement that your employees don’t click on suspicious links and that they report any suspicious e-mails.