A Roadmap for Small Business Owners

Business Continuity

 Business continuity is a structure of policies a company puts forward that includes prevention, processes, and recovery for potential threats or disasters; it’s a roadmap for the company’s response to future disasters that could disrupt core business functions and solutions. 

Disaster Recovery

Disaster recovery is a business continuity process that ensures access to the software, hardware, and data required to resume normal business operations in the event of a natural or human-induced disaster. 

Cybersecurity

Not that they are defined, why is it important to have a Business Continuity and Disaster Recovery plan? According to Juniper Research, cybercriminals accounted for over 2 trillion dollars in business losses in 2019. Over half of these cyber crimes were directed towards small businesses. 

Cybersecurity is not always at the forefront of concerns for small business owners. They may think, “what would they want with my information?” or “my company isn’t big enough to be worth it,” which makes them the perfect target. Cybercriminals bet on small businesses to forgo proper cybersecurity and are able to weasel their way into their networks, stealing company data, customer data, credit card information and account numbers.

On average, a small business will invest around $500 into cybersecurity— if any at all. They simply do not have the money, manpower or the necessary tools needed to combat a cyber-attack which results in them likely paying the average ransom of $200,000. With those risks in mind, one would assume that all small businesses would have a plan in place. However, that is rarely the case.

 A recent survey by Nationwide Insurance shows that nearly  75% of small-business owners don’t have a written disaster recovery plan. Ask yourself, is your business prepared for a disaster? Do you know where to start to develop one?

Start with these 3 questions:   

1. Do we have a plan in place?  
2. What is my recovery time objective (RTO)? How long can our business be down before we're in bigger trouble?  
3. When is the last time we tested our data backup?
    

Now that you know what Business Continuity and Disaster Recovery is and the importance of having a plan in place, what types of cybercrimes are out there? 

There are many types of cybercrimes in the world, including social engineering, email phishing, spear phishing, whaling, malware, and multiple brands of ransomware attacks.  The most common for small businesses are phishing and ransomware.  

Phishing

Phishing is the fraudulent practice of sending out mass emails claiming to be from a reputable company or person to convince individuals to reveal personal information, such as passwords and credit card numbers. Phishing tactics have existed for over 20 years, and every year they become more convincing. The best phishing emails resemble links from sites that users are on every day, like Amazon, Dropbox, and Gmail. The more convincing these attacks become, the greater chance you have of becoming an unsuspecting victim. 

Whaling

A more specific type of phishing attack is “whaling”. Like phishing, a “whaling attack” or “whale phishing” is a form of email trickery that typically targets high-profile employees, such as CFOs, CIOs, and CEOs. Since these individuals hold higher positions within a company, they’re more likely to have access to sensitive information. The goal of a whaling attack is to ultimately manipulate the victim into authorizing a wire transfer to the attacker. It may also include infected hyperlinks or attachments infected with malware to solicit information. These attacks are often more difficult to detect due to their level of personalization in the email and may even appear to come directly from the CEO. 

Now that you are familiar with phishing and whaling attacks, here are 7 best practices to spot them: 

1. Look at the sender’s email address – The email address can be spoofed to look like someone you know. It could also be one that has a different country’s domain on it. 
2. Look at the subject line – Does it create a sense of urgency? These are typically viruses. Does it have 1 word that appears to be a response like “Re: Document”? This is also an obvious sign of a virus. 
3. Look at the body of the message – If the sender is a recognized sender, does it follow their normal emailing criteria? Does it have a salutation? Is it directed to you specifically, or is it generic (Hi vs Hi Adam)? Does it have a signature for the person who sent it? Does it match the name of the person you identified in the email address above? Does it have the company’s contact information and/or graphics that you’ve been accustomed to seeing if you’ve received mail from them before? 
4. Look at the content of the body – Is it just asking you to open a file or go to a website link? Does it have ‘syntax’ gone wrong (for example, does it finish with </html1 – this is a huge giveaway that it’s a virus or worm.) 
5. Look at the direction of the message – Does it ask you to open the attached file? Does it create a sense of urgency? With viruses, the purpose of the body is to entice you to open the attachment. A common cyberattack method is to instill a sense of fear and urgency. 
6. Always check the grammar and spelling of the email – The majority of these emails originate from places other than the U.S. The creators are usually not native English speakers, resulting in misspelling or punctuation errors.  
7. When in doubt, ask- If you are unsure about an email, reach out to the purported sender for clarification. There is no harm in double checking.

Ransomware

Another common type of cyberattack used to target small businesses is ransomware. Ransomware is a type of malicious malware that threatens to publish a victim's data or eternally block access to it unless a ransom is paid.

Cybercriminals have become more strategic and direct in their methods, with creative ransomware attacks on the rise. The most common form of delivery is through some sort of phishing attack. Malware can do many things on your device, but the common action is encrypting user files. After getting access to the victim’s files, the goal is to manipulate them into paying the attacker a ransom, usually through bitcoin, in order to receive their information and data back, decrypted. 

Most importantly— do not under any circumstances—  pay the ransom. There is no guarantee  the attacker will decrypt the files upon receiving payment. They may just take the money and run. Instead, contact your IT provider to stop the malware from spreading and help restore your files. 

Ransomware attacks come in many different shapes and forms.  Provided are a few of the most common attacks and how they infiltrate your network:  

• WannaCry-This type of ransomware is spread through the Internet using an exploit vector named EternalBlue, which was leaked from the U.S. National Security Agency. 
• Locky- A common attack that is spread via an email message disguised as an invoice. 
• Cerebr- This brand of attack targets cloud-based Office 365 users and uses an elaborate phishing campaign. 
• Jaff- A Jaff attack is spread using malicious PDF or WSF files that have an embedded doc file, which downloads an encoded executable file or program. 
• Cryrar/ACCDISA- This unique ransomware attack uses a legitimate executable RAR archiver file to place the victim’s files in password-encrypted RAR-sfx archive. 
• Spora- USB drives are used to spread this attack while simultaneously encrypting files. 
• Purgen/Globelmposter- This ransomware attack starts by encrypting various files and appends any number of various extensions to the name of each encrypted file. 
• Shade- When a device is infected with Shade ransomware, its desktop background announces the infection and instructs the victim to access a .txt file for details. The .txt files generally includes an email address and instructions on how to send a ransom payment.
  
• Crysis- This cyberattack can encrypt files on fixed, removable, and network drives by using strong encryption algorithms and a scheme that makes it difficult to crack within a reasonable amount of time. 

Social Engineering

It’s not just email, phone calls, and links you should worry about; social media has become the perfect hunting ground for cybercriminals looking for vulnerable targets. Phishing and scams run rampant on social media; experts estimate that 600,000 Facebook accounts are compromised every single day. By securing your passwords and setting up security settings like two-factor authentication, you can be one step ahead of the game.  

Cloud Backup and Security 

Most people think about ransomware as a security issue, but that’s not entirely accurate. Ransomware makes backup and security inseparable. It won’t matter if you’re a victim of ransomware if you’ve lost all your data. It is important to move to a digital cloud service for storing business-critical data and documents. Moving your information into the cloud may seem complex, but it’s quite simple and secure. 

 Besides the obvious security reasons, digital access to files allows for seamless collaboration between departments, interconnecting devices, and improving remote work capabilities. Making this switch now may mean you can maintain basic operations and reduce downtime in the event of a disaster. Cloud backup services also allow you to keep your records digitized and offsite, which ensures access and keeps backups safe and secure. 

 The traditional practice of storing physical hard copies has become antiquated, not only due to the amount of space needed to store them but also the possibility of destruction. In the event of a natural disaster like a flood, fire, or tornado, those files would be lost forever.

Switching to cloud backup services eliminates the risk of losing important data permanently and allows you to plan for data recovery in the event of a disaster. It’s important to proactively create a recovery time objective (RTO).

After a disaster or disturbance, a company will experience a period of downtime. It’s important to know how long your company can be down to avoid a break in business continuity and resume operations. With a cloud-based storage system, the digitized files can reduce the risk for small businesses. 

 However, simply switching to a cloud backup service is not the answer to everything. You are only as protected as the safeguards put in place by your provider. 

When you analyze your Managed Services Agreement, ask yourself these questions: 

• Will your data be protected if it gets deleted, damaged, or destroyed? 
• Is your service covering all your compliance needs?  
• Does this service protect against ransomware? 
• Is there flexibility if migration is needed down the road? 

 1. Education 

• • It is important to run education courses on cybersecurity for new and existing employees.  
  • These courses should train employees the appropriate ways to limit an attacker’s access & ability to move around laterally in the company’s internal network. This should include the first steps they should take individually and exactly who to contact.  
  • The company should provide specific examples of a phishing email- how to identify, signs to look for, and who to ask if they’re not sure. 
  • Once an attack has been identified, keep lines of communication open between leadership, vendors, employees and customers.  

2. Security

• • Implement a system for detection, analysis, & escalation.
  • Every device should have anti-virus software, firewalls, and some sort of web filtering. Employees will be responsible for running all software updates as needed. The software is only as effective as the update it is running on. 
  • Consider installing a multi-layered approach to protect against ransomware. There is no such thing as too much network or data protection. It is better to take the extra steps now to save your company thousands, if not millions, of dollars in the long run.  
  • Implement two-factor authentication for all accounts, which grants access only after successfully presenting two or more pieces of evidence to an authentication mechanism. For example, a user will be asked to confirm their login by providing a code sent to their phone or answering security questions specific to that account. This decreases the probability of an attacker impersonating an account to gain access to sensitive information.  
  • Install a company-wide early detection software. The sooner you know there is a security breach, the better. Cyberattacks happen quickly. However, if an attacker knows they’re not being watched, they may lay in wait collecting as much information as possible.  
  • Establish a Disaster Recovery team with specific roles and expectations for each team member. Just like the fire drills, every employee should know exactly who to call in the event of a security breach or data leak. The longer it takes to figure out who to call, the deeper the attack will go. Wasting valuable time during a security breach can cost you money and data that may never be retrieved.  

3. Backup

• • Activate data backups to an external drive or cloud. Schedule incremental backups for as frequent as 5-minute intervals to ensure the stored data is up-to-date.
  • After any breach in network security, whether it is a company test or an actual cyberattack, it is important to always evaluate how your company performed. The company should identify every strength and weakness throughout the process and use the lessons learned to make the appropriate adjustments. These changes should be made to improve the company’s execution of the plan and the ability to reduce downtime.  
  • Lastly, make sure you have 2-3 copies of your data in different places. Backing up your data is crucial, but there is always the risk of system failures and the risk of losing it all. As the saying goes, don’t put all your eggs in one basket.