Late nights, early mornings, and working over weekends; familiar phrases for the small business owner, solo operator, and freelancer. So why should such a busy person cut into their limited time to improve their cyber security?
Because businesses across Australia are experiencing every day how a business email compromise or ransomware cyber attack can unravel those countless hours in one fell swoop.
You cannot entirely outsource cyber security. The fundamental defences that spell the difference between a failed attack and a ruined business are the responsibility of everyone.
Fortunately, the tools and methods for achieving great cyber defence have never been easier to use. And you don’t need to spend a cent. Below are your greatest threats and the defences you can implement to knock them out.
Business email compromise
Small business owners often wait on invoices. Clear deadlines, gentle reminders, and terser emails are standard fare for getting paid. So they may not sweat it when funds fail to materialise after a client’s promise to pay. But business owners and now individual consumers are finding their payments funnelled into the bank accounts of cyber criminals.
These attacks, known as business email compromise (BEC), work in different ways but are typically centred on your email inbox.
How it works: The method of accessing inboxes varies but a common starting point for crims is to try to log in with stolen email and password logins that are found in massive databases compiled from security breaches.
Logging in like this works when people reuse passwords across apps and services. A business owner who reuses the same password for their business email account and their indoor plant fancier’s forum is in peril should the forum be hacked and the password copied into an online database.
Cyber criminals could search the database for a business’ email address and, if they find a hit, use the corresponding password to try to log into the business’ email account.
Criminals engaged in BEC have a few options once inside an inbox. A common tactic is to manipulate invoices by setting various mail rules that can redirect incoming and outgoing emails that contain invoices to folders. Setting rules against incoming invoices means they never show in the main inbox. Setting them against outbound mail catches invoices before they leave.
Criminals then can log in and change the BSB and account number before allowing the email to either appear unread in the main inbox or to send on to its original destination.
It often takes days for the account manipulation to be noticed, by which time stolen funds have often left their fraudulent intermediate Australian bank accounts and been funnelled overseas, where recovery is difficult or impossible.
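The mail rules described above can be checked for during a routine review. The following is an added example, not part of the original article: it scans a list of mailbox rules for ones that match payment wording and hide the message, or that forward mail outside the business. The rule field names, the keyword list and the sample rules are assumptions constructed for illustration; adapt them to whatever your mail provider exports.

```python
"""Audit exported mailbox rules for the invoice-hiding pattern seen in BEC."""

# Words a payment-redirection rule typically keys on (assumed list; tune it).
PAYMENT_TERMS = ("invoice", "payment", "remittance", "bsb", "bank details")

def audit_rule(rule, own_domain):
    """Return a list of reasons this rule deserves a manual look."""
    reasons = []
    actions = rule.get("actions", {})
    keywords = [k.lower() for k in rule.get("conditions", {}).get("contains", [])]
    hits = sorted({t for t in PAYMENT_TERMS for k in keywords if t in k})

    hides = []
    folder = actions.get("move_to_folder")
    if folder and folder.lower() != "inbox":
        hides.append(f"moves mail to '{folder}'")
    if actions.get("delete"):
        hides.append("deletes mail")
    if actions.get("mark_as_read"):
        hides.append("marks mail as read")
    if hits and hides:
        reasons.append(f"matches {hits} and {', '.join(hides)}")

    for addr in actions.get("forward_to", []):
        if not addr.lower().endswith("@" + own_domain.lower()):
            reasons.append(f"forwards to external address {addr}")
    return reasons

def audit_mailbox(rules, own_domain):
    """Map rule name -> reasons, for enabled rules that look suspicious."""
    findings = {}
    for rule in rules:
        if not rule.get("enabled", True):
            continue
        reasons = audit_rule(rule, own_domain)
        if reasons:
            findings[rule["name"]] = reasons
    return findings

# Constructed sample export; field names are hypothetical.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True,
     "conditions": {"contains": ["unsubscribe"]},
     "actions": {"move_to_folder": "Reading"}},
    {"name": "Tidy", "enabled": True,
     "conditions": {"contains": ["Invoice", "BSB"]},
     "actions": {"move_to_folder": "Archive2", "mark_as_read": True}},
    {"name": "Sync", "enabled": True, "conditions": {},
     "actions": {"forward_to": ["archive@mail-backup.example"]}},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES, "example.com.au").items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

Any rule this reports that you did not create yourself is a reason to change the account password and review recent invoices.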
1. Use a password manager: Set unique passwords for business-critical accounts including email, banking, marketing and email services, cloud, and social media and websites. To do this, use a password manager. Managers set and store very complex passwords in a vault which you can access with a single master password.
There are many password managers available, paid and free, but large and popular tech companies are good choices as they generally have the resources needed to secure their managers and respond to new threats.
Password managers are much safer than setting passwords from memory, which encourages people to reuse passwords and set weak combinations.
Set your master password and any other you choose to set yourself using a passphrase. This modern tweak makes it easier to set and remember unique passwords by replacing the series of capital letters and numbers with a phrase. A phrase like ‘Sunday lunch at mums!’ is much easier to remember than ‘Summ3r2021!’ and harder for machines to crack. Just ensure your phrase is unique and isn’t a popular movie quote or reused anywhere else.
2. Set multifactor authentication: Multifactor authentication (MFA), also commonly called two-step or two-factor authentication, is most often a code or a notification message generated on your phone when you log into an app or service.
You’ll most often be asked to copy the code from an MFA app on your phone or to tap ‘approve’ on a notification.
This code and notification appear on your device and nowhere else. This stops someone who has stolen your password from accessing your account, because they do not have your phone, and it is too complex to defeat for most financially-driven cybercriminals, including those engaged in BEC.
You usually need only go through the MFA process once for each device you use to log into a service, making this huge security boost very low touch.
Ransomware is taking the world by storm. The largest organisations are seeing hackers steal then encrypt their critical data and threaten to leak it on the internet unless multi-million-dollar ransoms are paid to have the data decrypted.
The most professional ransomware groups use encryption that cannot be reversed without the necessary decryption key. This restricts a business’ options to either paying the criminal ransom and hoping criminals honour the payment with the necessary key, or to restore from a backup and prepare for the fallout from leaked data.
How it works: Cyber criminals break into organisations using a variety of different methods from guessing logins to remote access services to phishing and even pirate downloads laced with malware.
The biggest ransomware criminal groups and their associates will encrypt any data they can find inside a target computer or network after stealing a copy to threaten to leak online to pressure victims into paying.
Small businesses are more likely to encounter ransomware that demands a smaller ransom that still costs tens of thousands of dollars.
Criminals usually leave a note on ransomed computers stating that an attack has occurred and how a ransom can be paid.
3. Harden remote access services: Logins for remote access services such as RDP and commercial services like TeamViewer must be secured with strong and unique passwords and not left protected with default passwords. These services are often used to log into a laptop (say, at an office) from a remote laptop (say, at home). Set a good password with a password manager or a good passphrase and enable MFA when possible to protect these services. The open source HardenTools security suite developed by two respected security professionals can automatically disable remote services on Windows machines if they are not needed. Also log into your router (check underneath the router for instructions) to see if remote access services are active.
4. Backup: Back up your critical and important data on a regular basis and test to ensure you can restore it. You should consider backing it up to a cloud service and an external storage device that is not connected to your computer. How often you back up depends on how much data you are prepared to lose should your data be encrypted or destroyed. Free and paid services exist. If you’re backing up your data to a cloud service, make sure it’s secure, with a unique password, two-factor authentication and that any sharing settings are set up correctly.
5. Apply updates: Log into your website administration console, your router, and any other system and check for updates. These updates remove known security flaws that criminals could use to hack into those services. Turn on automatic updates whenever available or set regular reminders to check and apply new updates.
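Step 4 says to test that a backup can actually be restored. The following is an added example, not part of the original article, of one way to do that: restore the backup to a spare folder, then compare SHA-256 hashes of every file against the live data. The folder layout and file names in `demo()` are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file's path relative to root -> SHA-256 of its contents."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            # Read in 1 MiB chunks so large files do not fill memory.
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)
        result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result

def verify_restore(original, restored):
    """Compare a test restore against the live data."""
    src, dst = manifest(original), manifest(restored)
    return {
        "missing": sorted(set(src) - set(dst)),
        "changed": sorted(f for f in src.keys() & dst.keys() if src[f] != dst[f]),
        "extra": sorted(set(dst) - set(src)),
    }

def demo():
    """Constructed sample: one file lost and one truncated in the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        for base in (live, restored):
            (base / "accounts").mkdir(parents=True)
            (base / "accounts" / "ledger.csv").write_text("date,amount\n")
        (live / "clients.txt").write_text("Acme Pty Ltd\n")
        (restored / "accounts" / "ledger.csv").write_text("")  # truncated copy
        return verify_restore(live, restored)

if __name__ == "__main__":
    print(demo())
```

Files edited since the backup was taken will appear under "changed", so run the comparison soon after a backup or expect those entries.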