“Hey Mike, I know you’ve been busy, but this invoice is a little late. Mind reviewing the attachment and sending payment when you can? Thanks.”
Oh my! How could I forget? Better click in and see…
But something made me pause. I realized then I didn’t recognize the sender. Or the company. Something seemed… fishy.
Before opening the file, I sent the email and attachment to my cybersecurity firm to check it out. Turns out, it was a hacker attempting to access my network. I was milliseconds away from opening the PDF. What would have happened if I did?
Cybersecurity attacks can cripple your firm, cost you (tens of) thousands of dollars, and damage your relationships with vendors and clients. Taking the proper preventative actions today, and continually refining your methods, can save your business assets from abuse. You make sure your office is locked before you leave; why not do the same with your digital presence?
Common Cybersecurity Attacks
Hoping to get by with antiquated antivirus software (and using password123 as your login credentials)? That’s simply not enough — there’s too much to watch out for when protecting your digital assets.
Unfortunately, hackers can employ a nearly limitless number of ways to access your business. Below, we’ve outlined some of the common attacks used today. Keep in mind, though, that these attacks are constantly evolving, so this list will expand over time.
Phishing and Spear-Phishing
The email I described above was an example of a phishing attack (I did say something seemed fishy — there’s my bad dad joke for this blog post).
Phishing attacks are by far the most common type, accounting for over 70 percent of all attacks. Their ubiquity stems from this basic fact: people continually click on malicious links and attachments in emails.
The links used in phishing emails either download malware, with or without the user’s knowledge, or direct the user to a fake landing page in order to steal their login info.
Spear phishing is an even more “authentic” version of this bait-and-switch tactic. Hackers research their target to make the email highly targeted and personal. They can make the email appear to come from someone the user trusts (like their manager) or pass off a clone of a page the user frequently uses in order to intercept their login information.
Ransomware
The online version of a bank heist, ransomware locks down your ability to operate your business electronically until you submit payment to the attackers. While some simple computer ransomware can lock the system in a way that is not difficult for a security expert to reverse, more advanced malware uses a technique called cryptoviral extortion, which encrypts the victim’s files in a way that makes them nearly impossible to recover without the decryption key.
Malware
Malware attacks, which install unwanted software on your system without your consent, come in many insidious flavors.
Macro viruses infect applications (like your Microsoft Office suite) and attach to the app’s initialization sequence. So, when you open up Microsoft Word, the virus then executes instructions, replicates itself, and attaches to other code on your system. File infectors are a smaller version of the macro virus and target executable code (like .exe files).
Boot-record infectors attach to the master boot record on your hard disk. When your system starts up, the boot-record virus will load into memory and propagate to other disks and networks.
Polymorphic viruses are akin to a fast-mutating flu. An encrypted virus and an associated mutation engine are initially decrypted by a decryption program. The virus proceeds to infect an area of code on your computer. The mutation engine then develops a new decryption routine and the virus encrypts the mutation engine and a copy of the virus with an algorithm corresponding to the new decryption routine. This new package then attaches to new code, and the process begins again.
Trojan horses differ from viruses in that they don’t self-replicate, but they have different features that hackers can utilize. For instance, Trojan horses can establish a back door to be exploited later by hackers.
Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks
While the methods described above are used to provide direct benefits (including network access) to the attackers, denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are used to bring down a system. There are several different types of DoS and DDoS attacks, the most common of which are colorfully named: TCP SYN flood attack, teardrop attack, smurf attack, ping-of-death attack, and botnets.
Man-In-The-Middle (MitM) Attacks
A MitM attack is when a hacker inserts themselves, without your knowledge, between you and a server. There are many different versions of MitM attacks, including session hijacking, IP spoofing, and replay attacks.
SQL Injection Attack
SQL injection attacks are becoming more common as websites incorporate dynamic databases into their structure. The hacker will modify a query on a website to gain access to the full dataset, or even modify and delete data.
Thankfully, using stored procedures and prepared statements (parameterized queries) can reduce the risk of nefarious database attacks.
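To make the difference concrete, here is an added example (not from the original post) that runs the same lookup two ways against an in-memory SQLite database using Python's standard sqlite3 module. The table, the function names, and the sample input are all constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed, in-memory sample table of clients."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE clients (id INTEGER PRIMARY KEY, name TEXT, balance INTEGER)"
    )
    db.executemany(
        "INSERT INTO clients (name, balance) VALUES (?, ?)",
        [("alice", 1200), ("bob", 560), ("carol", 98000)],
    )
    return db


def lookup_concatenated(db, name):
    """Vulnerable form: the input is pasted into the SQL text, so the
    database parses it as part of the query itself."""
    query = "SELECT name, balance FROM clients WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    """Prepared statement: the ? placeholder binds the input as a value,
    so it can never change the structure of the query."""
    return db.execute(
        "SELECT name, balance FROM clients WHERE name = ?", (name,)
    ).fetchall()


# Constructed input of the kind described above: it rewrites the WHERE clause.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # The concatenated query returns the full dataset for a name that does not exist.
    print("concatenated :", lookup_concatenated(db, CRAFTED))
    # The parameterized query looks for a client literally named CRAFTED and finds none.
    print("parameterized:", lookup_parameterized(db, CRAFTED))
    # Ordinary input behaves identically in both forms.
    print("normal lookup:", lookup_parameterized(db, "bob"))
```

When reviewing your own site's code, any query built by joining strings with user input is the pattern to replace with the placeholder form.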
Ways to Protect Your Business from Cybersecurity Attacks
Now that we have a better understanding of what we are facing — and to be clear, there are many other types of attacks I didn’t list — let’s discuss ways to proactively reduce our risk of exposure and loss.
Develop a Security Plan
Ad hoc strategies to protect your network won’t suffice. Just like we espouse the benefits of a comprehensive financial plan, developing a broad security plan will help decrease the chances of a cyberattack.
First, you should decide who in your firm will be responsible for developing, implementing, and enforcing the cybersecurity policy. If you don’t have the expertise in house, consider outsourcing to a managed-services provider that understands the unique needs and considerations of your industry. For example, we partner with RightSize Solutions to protect our firm and our clients’ sensitive personal and financial data.
Outsourcing doesn’t mean abdication, though. Define how each role in the company (from CEO to entry-level) is responsible for adhering to cyber policy. And document your plan! The more comprehensive, the better. This way, your employees will be better prepared in the event of a breach or cyberattack.
Use Appropriate Security Programs
A simple first step to secure your firm’s digital assets is to use up-to-date security and antivirus software. Software developers are constantly adjusting their code and improving the security of the system against the latest malware. If you don’t stay on top of it, you put your business’s security at risk.
When you have the basics covered, you can add further protective measures, such as a secure sockets layer (SSL) and a web application firewall. SSL is a tool that protects information sent between your website and a database (see SQL injection attack above). A web application firewall is essentially protection between your website service and the data connection, scouring through all of the data that passes between these two systems.
Implement Proper Password Protocols
Nearly every website we visit requires a login and password. Rather than use a set of easy-to-remember passwords by site or a single random password for all sites, which open you up to identity theft and can compromise your clients’ information, consider using a password manager.
With a password manager, you don't have to remember that strong, unique password for every website. A password manager stores your generated passwords for you and can even help generate new, random ones. Further, you should set up two-factor authentication (2FA) to secure your password manager account. There are several 2FA options: biometric, SMS-based, or via time-based one-time passwords (TOTPs) stored in an authenticator app such as Google Authenticator or Microsoft Authenticator.
Sound password policy, both for your employees and your clients, is important as well. Require passwords of at least twelve characters, consisting of lowercase and uppercase letters, numbers, and symbols. Further, set up periodic password reset requests to minimize the chance of a stolen password affecting your system.
Educate Employees Regularly
Educating your employees on company protocols and security risks will help to protect your business from an intrusion. One single session about cybersecurity during the onboarding process is not enough for your employees. They need to be kept updated about the latest threats, understand why they have to follow certain precautions, and know what steps to take to protect themselves and the company.
Along with having regular training sessions about internet use and data security with your staff, make sure they all have individual accounts, update their passwords frequently, and consider limiting how much information they can access. The fewer people that can access sensitive data, the better.
Secure, Encrypt, and Back Up Data
Just as you should make copies of other relevant documents, your digital document storage should have a backup in case of primary data failure, which can occur from software failure, hardware malfunction, a cyberattack, or simple human error, such as an employee accidentally deleting important data.
Having a backup (and storing the copy safely) will allow you to restore the data available before the unexpected event occurred, allowing you to quickly solve the issue and get your site back up and running.
Financial Security with Harbor Crest Wealth Advisors
A full 43 percent of online attacks are now aimed at small businesses. Unfortunately, only 14 percent of small businesses are prepared to defend themselves. Digital incidents cost businesses of all sizes $200,000 on average, according to insurance carrier Hiscox. Sadly, sixty percent go out of business within six months of being victimized.
Taking the proper preventative actions today, and continually refining your methods, can save your business assets from abuse.