Cyber-security is a topic that few people think of beyond meeting the qualifications for a strong password. Cyber security is becoming more and more of a concern. Large companies have already put serious resources towards protecting their data, so hackers are moving on to easier targets. Nearly 70% of small businesses experienced a successful or attempted cyber-attack in 2017. Even more worrisome is that 60% of small companies who succumb to a cyber-attack go out of business within 6 months.
Attacks on small businesses can be devastating for both the individuals affected and for the national economy. The US economy loses up to $109 Billion each year to cyber-attacks. The economy will continue to suffer if small businesses do not protect their data. But, what can they do? Data protections seem complicated and inaccessible for small businesses. Louisville Geek wants to make it as easy as possible with our new initiative. We sat down with Josh Parker, our Senior Security Analyst, to learn more about the cyber threats facing small businesses and what they can do to prevent a breach.
Louisville Geek has a new security program called PASS. Can you explain what it stands for and how you came up with the name?
PASS is the Practical Affordable Security Solution. The idea was already thought up before I got here but what I have done for it is to help define what it looks like for the client and what we’re actually going to do for them. A lot of the high-level stuff has already been picked like consulting, risk management, and on-going services and I’ve been brought in to help define what those tasks actually look like for us to provide them as services.
Most of the security breaches we read about in the news happen to large, well-known companies. Does this mean SMB’s are not being targeted?
Not at all, so we hear about the big ones in the news. Recently, some of the big antivirus companies got hacked. Those are millions and billions of dollars at stake so that’s what they want to hear about in the news. But absolutely SMBs are being targeted even more so, a lot of attackers and know that they do carry insurance and they can get in and get a ransom for thousands to tens of thousands of dollars with relative ease. It doesn’t make the news, it doesn’t have a lot of forensics attached to it, and it’s easier to get.
Why do you think we’re starting to see that trend? Because they are the easier target?
Yes, much easier, they don’t have the budget or the staff to maintain those systems and even more so, SMBs are required to be more connected and have more cloud-based solutions with more connected services these days. Which only exposes them further.
What are some examples of how small businesses can do a better job of protecting themselves against cyber-attacks?
Well the first thing we do with the pass service is an assessment. We go in and if they are subject to a regulatory requirement we go in and audit them internally to see how they stack up against those regulations. Otherwise set up and familiarize our clients with best practices and frameworks to help their cybersecurity. We see how much risk they are presenting their data to. Then we go on to suggestions for mediation, and one of the biggest things we’re seeing is phishing emails, so we go in and implement things like two-factor authentication and other controls to help reduce that risk.
What is typically included in a Risk Assessment?
A client comes to us and says “what is our risk of being subject to an attack or a breach”. Then what we do is we analyze that regulatory requirement if the client’s industry is subject to one, and if not, we use controls and standards that we have developed. Such as are you using two-factor authentication or are you encrypting your data. If not, these both produce risks. We assessed against tens and sometimes hundreds of controls and determine where they are in the process of implementing protections and that will increase or decrease their risk based on the maturity of their controls. The more risk they have, the more likely they are to get attacked and have data breached. Knowing this level of risk allows us to do our job properly.
We’ve read that a large percentage of hacks, particularly in the SMB space, could not have been prevented by firewalls or antivirus software. Is this true? Are we entering an age when these security tools are becoming obsolete?
They’re always going to be useful, but they need to be used in a layered approach. That’s what the new thing is, we have to layer security. Again, a good example of that is phishing. What is happening is people are putting links in emails, or malicious macros in Word Documents and sending those and people who unknowingly click them because they don’t have filters or technology set up to catch them. A hacker might spoof a CEO’s email and say ‘I need you to go buy 5 gift cards at Home Depot and scratch off the numbers’ and there is a good chance someone will fall for that if they think they are talking to the CEO. No firewall is going to catch that because firewalls inspect traffic, but they also operate based on the rules that you set so if an email comes in and you click it that means you are allowing it in. So that’s how it circumvents those controls but with proper controls and as part of a layered approached a firewall is absolutely necessary.
How do the majority of cyber-attacks in SMB’s start?
That’s the main point of entry that I’m seeing. Ransomware is very popular right now and that’s coming in Via those emails. But of course, another method is penetrating those firewalls that are not configured well. Then your traditional virus injections. But by far the biggest avenue I’m seeing is through emails.
How long before cyber attackers start targeting mobile phones as a way to steal and/or ransom individual or company data?
I don’t see that nearly as often. Apple and Google both have very good app security. What I’m seeing on mobile phones is the downloading of those phishing emails and replicating once they are plugged into the computer. This doesn’t happen often, but it is increasing because they are acting as a mobile storage device.
Walk us through a ransom attack. How are the victims notified that someone has penetrated their network? How do they communicate with the hackers? What’s typically required in order to get data back?
Ransomware will come in very silently and then it will pop-up a window that is very instructional and very detailed that will actually help you out with the process. The window will say your files are encrypted and you have 24 hours to pay a certain ransom amount. It will tell you to get this type of card and send it to this address, sometimes they use bitcoin. Usually they will use the gift card method. It will even say if you have trouble you can call us. They actually have a support number to help you through paying the ransom and as soon as you do it will decrypt the data. It’s actually very well thought out with a lot of organization.
The government makes it a high priority to secure our borders, air travel and our economy, are they doing anything to help secure the digital environments of US-owned businesses?
So what they’re implementing is more regulations. There are already things in place like the criminal justice system falls under a very stringent system because you don’t want that type of data to get out. The SEC is at the local government level and deals with financial institutions, but it’s not very stringent. Then they have the HIPAA security rule that has been taken up by HITRUST as a private entity. But yes, they are starting to spread awareness and making resources available. A lot of the regulatory Industries are still being pushed by private regulations and a lot of the industries simply don’t have a regulation in place, more of a baseline that people should follow but don’t have to. What I’m seeing is that HITRUST and PCI (private-run security frameworks) are starting to expand their reach to enforce their regulations.
What’s the worst example of a cyber-attack that you have encountered or heard about?
I worked with a Healthcare Company that had phishing attacks coming in frequently. They had a very complex exchange environment with locations all over the country added over the years to where they could not get all of their emails through one avenue. What happened was they were slowly getting phishing attacks and they got Trojans downloaded which were bringing in things like iceid, a really bad Malware. They finally got breached, and their email got compromised and rerouted. All of their data was being sent unencrypted to an attacker.
I’ve also seen countless examples of the Gift card scam. An executive assistant thinks they are dealing with the CEO and buys hundreds of dollars worth of gift cards. This is a direct monetary loss that is always felt throughout the company.
To learn more about what your company to do to protect from cyber-attacks, contact us. Josh Parker and the Louisville Geek team have spent a lot of time developing the PASS system and have proven its effectiveness. Companies have their day-to-day activities to worry about and no time to protect their data. The Geeks are happy to step in and help.