As recently reported by Information Week; Australia based online clothing retailer, Endless Wardrobe received an e-mail from an ‘Ivan’ in Russia stating “After a few minutes I’ll start a DDoS attack on your site, and it will cease to work,” the message continued, “If you don’t want to lose any profit, you pay me only $3,500.”
Endless Wardrobe refused to pay and as the sender promised; the site buckled under a deluge of with bogus information requests, their site and business were down for a week.
The online retailer “lost customers and at least a few thousand dollars in business,” general manager Andrew Burman revealed to Information Week. This is an example of an alarming number of SMBs who are becoming the target of cyber attacks, once thought to only effect government and corporate level enterprises.
With this in mind we’ve collated a list of 9 cyber threats you should not only be aware of but also must begin to take seriously.
Bank Account Takeover
Cyber-criminals target hundreds of small businesses every year using Trojans that can control a victim’s computer well enough to fool banks. These Trojans can siphon off hundreds of thousands of pounds from a bank account in moments, which, for many SMBs, could be the beginning of the end. So far, the courts have sided with the banks; not yet finding a bank liable for actioning the transfers.
As with the case of Endless Wardrobe, a denial-of-service attack where a business’s website is flooded with illegitimate traffic to the point where the site will crash rendering it inaccessible to legitimate customers.
Employee Generated infections and leaks
As is often the case with cyber security; employees can pose an unintentional but legitimate threat to a business’s security. An example scenario would be letting in attackers by clicking on email links or opening infected attachments. There is also the scenario of a disgruntled employee acting maliciously that shouldn’t be ruled out either.
Information stealing Trojans are sent to businesses in the guise of an official looking attachment via e-mails. When opened, the attachment - usually taking the form of money transfers, business letters or other types of official notice – runs a program that attempts to harvest all sensitive information from the infected computer or network. Good quality anti-virus software can go a long way in curbing this activity but is often enough by itself.
Sites as Malware hubs
The website of a small business, especially if not regularly maintained, can easily be compromised and used to launch attacks, not on the business itself, but against external users. It is often the server the attacker values in these instances, rather than accessing the specific data of the business itself. The site is then used to deliver numerous kinds of malicious malware and other unpleasant activity that could swiftly earn you a negative reputation for not protecting your website visitors.
Staying on top of keeping all of your software patched and updated can be a time consuming endeavour but a strong patching policy will protect you from numerous weaknesses in everything from web browser plugins to flash and java resources. By monitoring software that is installed on your systems and patching anything that is out-of date you’ll be closing a lot of open doors to attackers.
Attacks via Service Providers
The majority of small businesses will use third-party service providers for some or the majority of their technology or services. Anything from website hosting to email providers and online transactions from, say, an online store can be targeted and breached. An e-mail account is often a favourite because it can frequently act as a “skeleton key” to open access to the rest of a business.
As the proliferation of Bring Your Own Device increases, networks are now becoming more technically welcoming to employees devices in the spirit of collaboration and evolving company culture. This is especially prevalent within SMBs however this open access makes networks less secure and external devices coming and going can increase the chances of infection or attack substantially. Employee education and offering the proper connectivity and software to allow additional devices to safely join the company network is vital.
Reputation is often a forgotten factor when compared to the other 8 points above. However, recovering from a damaged reputation - after data or sensitive information is stolen (such as customer card details) or your website infects user’s computers with Malware - can be quite a long road.
What can you do to protect yourself?
You can visit our business security solutions information page and discover ways in which Windows Server 2012, Security Essentials and Forefront Server can offer you protection opportunities for your business. You may not have the budget for an all singing all dancing package but a company actively examining its security can have a positive effect on the culture and behaviour of individual employees.
If you have experienced any of the above; why not share them with us on Twitter @MicrosoftSB