Open an email, open a door for cyberattack: Here’s what your company should watch for
Small businesses may have more to lose than most and are often less prepared than others when it comes to cyberattacks, more than 90% of which originate through email.
According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves.
More broadly, 45% of small- to medium-sized businesses worldwide say their security measures are insufficient and ineffective at mitigating attacks, a Ponemon Institute State of Cybersecurity Report revealed. Some 66% have experienced a cyberattack in the past 12 months, and 69% said their cyberattacks are becoming more targeted. Ponemon is a research center advancing responsible information management.
Discovering a breach that does not shut down a computer network can take up to half a year. IBM found that it takes a company 197 days on average to discover a breach and 69 days to contain it, but that companies that contained a breach in less than 30 days saved more than $1 million.
And when it comes to how the attacks begin, the finger points to a ubiquitous source.
“Email has become the No. 1 point of entry for injecting malware into a personal computer and through it to a corporate network,” said Robert Boles, founder and president of Blokworx Inc., a Larkspur-based cybersecurity firm for managed service providers.
Cyberattacks can also occur by enabling macros in a Word document, updating a password, responding to a social media connection request or investigating a new WiFi hot spot.
New cybersecurity playing field
John Comfort, president of Linked MSP in Santa Rosa, a managed service provider specializing in outsourced IT and cybersecurity, advises clients to always “stop, look and evaluate” incoming emails before clicking on them.
Comfort identified six steps businesses can take to reduce or prevent email-based fraud:
1. Be cautious when opening unexpected emails. Verify the domain (after the @ mark) and the username. If there are links within the email, “hover” the cursor over them to verify. Comfort asks his clients to send suspicious emails to him for analysis. “Not even Google would use @gmail.com as its domain.”
2. Be vigilant opening expected emails. Expected emails may be malicious if the sender is real but his or her computer is compromised; if the sender appears real but is actually a look-alike; or if there are links within the email. Again, hover to verify. Contact the sender via phone or through a separate email to verify, or ask an IT professional to review it.
3. Use strong passwords with two-factor authentication. This protects against account compromise, after which a compromised mailbox can be configured to forward mail elsewhere. The two-factor option uses a password-less approval prompt. In addition, use protected email with end-to-end encryption. Without this, third parties may read a private or company-proprietary conversation.
4. Implement an email phishing training platform for employees to increase awareness of email content and aid in preventing unwanted clicks.
5. Utilize a web content filtering platform. This prevents access to known bad websites and can stop an attack if a malicious link is accidentally clicked. Filtering that applies email authentication standards (such as Sender Policy Framework (SPF) or DomainKeys Identified Mail (DKIM)) should be in place before emails are sent or forwarded.
6. Deploy an endpoint security platform. This is the “last catch” for malicious content, but it may not catch everything. It does provide protection when malicious websites are not blocked and reduces the capability of the attack.
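Several of these checks can be automated at the mail gateway or help desk. The following is an added example, not code from the article or from the firms it quotes: it applies steps 1, 2 and 5 to a message, verifying the sender domain against a trusted list, flagging look-alike domains and mismatched Reply-To addresses, and reading the SPF/DKIM results the receiving server recorded. The sample message and the trusted-domain list are constructed for illustration, and the look-alike rule (one changed character) is a simplifying assumption.

```python
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumed list of domains the company really deals with

# Constructed sample: a billing lure from a look-alike domain that failed SPF.
SAMPLE_RAW = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
From: "Accounts Payable" <billing@examp1e.com>
Reply-To: billing@gmail.com
Subject: Updated bank details
Content-Type: text/plain

Please review the attached invoice.
"""

def lookalike_of(domain, trusted):
    """Return the trusted domain this one imitates, or None.
    Assumption: a look-alike is the same length and differs in exactly one character."""
    for t in trusted:
        if domain == t:
            return None
        if len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1:
            return t
    return None

def auth_results(msg):
    # Pull spf=/dkim=/dmarc= verdicts out of the Authentication-Results header
    # that the receiving mail server added; missing checks simply do not appear.
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr)}

def triage(raw):
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    imitated = lookalike_of(from_domain, TRUSTED_DOMAINS)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To goes to a different domain: {reply_addr}")
    auth = auth_results(msg)
    for check in ("spf", "dkim"):
        if auth.get(check, "none") != "pass":
            findings.append(f"{check} did not pass ({auth.get(check, 'missing')})")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_RAW):
        print("FLAG:", finding)
```

A message that produces no findings is not necessarily safe; this only screens out the obvious cases before a person applies the “stop, look and evaluate” step.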
“In a recent Small Business Administration study, 88% of business owners felt their companies were vulnerable to a cyberattack. According to the FBI, the cost of cybercrimes reached $2.7 billion in 2020,” Comfort added.
“So, what can a small business owner do? Since most owners wear so many different hats and simply don’t have the time or resources to devote to reducing cybersecurity threats and often don’t know where to begin.”
He said the path to prevention begins with awareness, training and constant vigilance. Comfort also recommends hiring consulting firms, getting cyber liability insurance and developing a security plan as a “good way to begin” to prepare.
Cyber schemes revealed
The most common types of cyberattacks include phishing, viruses, malware and ransomware.
Some 91% of cyberattacks begin with phishing emails. These attacks involve the use of fraudulent emails appearing to come from reputable sources that deceive people into doing the wrong thing, such as clicking on a malicious link or attachment, or responding to an email that allows malware or ransomware to block access, take control and shut down a computer system — or illegally harvest information from a hard drive.