Small Business IT Strategies

Phishing is the biggest threat to small businesses. The hacker tries to trick targets into providing their personal information or installing malicious software. The US Department of Justice believes that $5 billion in financial loss is attributed to such scams each year.

The dramatization of cybercrime in the media leads us to believe that most breaches involve a sophisticated hacker, furiously typing on his laptop in a darkroom to break through a company's network. First, few hackers are that good; second, why not just trick a human into opening the door?

Opponents who use phishing techniques effectively are generally very persuasive and have a more social than technical sense. They are very good at convincing employees to just hand over the 'keys'. Unfortunately, they also understand that small business employees tend to be much more vulnerable than their corporate counterparts who are trained to avoid such traps.

What are the phishing methods?

The most common form of phishing to which companies are exposed are 'spray and Pray' campaigns. It is the least advanced technique whereby a generic message is emailed to millions of users asking them to provide information or click a link that then downloads malicious software. This method is easy to spot, but a duped employee can have serious consequences for a small business. That single click would ransomware can install, shutting down business systems unless a hefty payment is made.

E-mail is not the only platform where small business employees are vulnerable to phishing attempts. Opponents also try to connect with victims through websites, text messages and social media. In fact, 1,3 million fake web pages are created every month with the sole purpose of tricking users into entering their personal information. These fake login portals are pretty well done, and can fool even the most discerning eye during a busy day.

The most effective form of phishing is “spear phishing”, where the adversary engages a particular individual to develop trust and maximize their ability to make them do what they want. Often this involves pretending to be someone within the organization, usually someone in management, and more often than not, the CEO. The criminal collects enough information about the target company, the department and the person in advance to appear authentic. Usually, all you need to do is quickly comb through social media to get a sense of the target's interests and hobbies to build trust.

Spearphishing can be a very effective way to give an employee access to unauthorized users. The ultimate goal is to break the employer's network and gain access to money or intellectual property instead of exploiting the target user himself. One of the most common tactics that these criminals use are malicious “payloads” hidden in forwarded documents. Once the employee opens the documents, he is prompted to download macros to view the file properly. These macros then turn out to be malware or ransomware to be.

Defending against phishing? Here are some tips

So what's the best defense against Phishing? Here are 4 strategic steps that small and medium businesses should implement.

1. Train employees to detect phishing attempts

   The first step is to make employees aware of the threat. Security guidelines must be established and enforced – don't be afraid to be strict and set consequences for non-compliance.

   Next, it is critical that all employees are trained to distinguish between genuine correspondence and phishing. They also need to know the basic trends. Mass phishing attempts often have grammatical errors, attackers often use high-profile events as a lure, and low-ranking employees in finance and human resources departments are usually the most targeted.

2. Keep all software and systems up to date

   Phishing attacks, like most other forms of cybercrime, try to exploit outdated software. In a perfect world, employees would detect phishing before they fall victim to it, and malware wouldn't even be downloaded. But by ensuring that all software is patched and updated, your chances of exploits from successful phishing are drastically reduced.

3. Mailbox Security

   Intelligent users are the best line of defense against phishing attempts, but software can help too. Anti-spam and anti-malware products, such as BitDefender GravityZone Security for Exchange, can flag suspicious correspondence. Powerful security products provide multi-layered protection against spam and phishing without overloading email servers with security processes.

4. Antivirus software

   The above steps, if followed fully, should protect a small business. However, it is still necessary to make plans to mitigate the damage if a phishing attack penetrates a company's network. All small businesses should use proven antivirus software, such as the bitdefender product line. Feel free and without obligation contact us for more information.