Open an email, open a door for cyberattack: Here’s what your company should watch for

More than most, small businesses may have more to lose and are often less prepared that others when it comes to cyberattacks, more than 90% of which penetrate a company originate through emails.

According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves.

More broadly, 45% of small- to medium-sized businesses worldwide say their security measures are insufficient and ineffective at mitigating attacks, a Ponemon Institute State of Cybersecurity Report revealed. Some 66% have experienced a cyberattack in the past 12 months, and 69% said their cyberattacks are becoming more targeted. Ponemon is a research center advancing responsible information management.

Discovering a breach that does not shutdown a computer network can take up to half a year. IBM found that it takes a company 197 days on average to discover a breach and 69 days to contain it, but that companies that contained a breach in less than 30 days saved more than $1 million.

And when it comes to how the attacks begins, the finger points to a ubiquitous source.

“Email has become the No. 1 point of entry for injecting malware into a personal computer and through it to a corporate network,” said Robert Boles, founder and president of Blokworx Inc., a Larkspur-based cybersecurity firm for managed service providers.

Cyberattacks can also occur by enabling macros in a Word document, updating a password, responding to a social media connection request or investigating a new WiFi hot spot.

New cybersecurity playing field

John Comfort, president of Linked MSP in Santa Rosa, a managed service provider specializing in outsourced IT and cybersecurity advises clients to always “stop, look and evaluate” incoming emails before clicking on them.

Comfort identified six steps businesses can take to reduce or prevent email-based fraud:

1. Be cautious when opening unexpected emails. Verify the domain (after the @ mark) and the username. If there are links within the email, “hover” the cursor over them to verify. Comfort asks his clients to send suspicious emails to him for analysis. “Not even Goggle would use as its domain.”

2. Be vigilant opening expected emails. Expected emails may be malicious if the sender is real but his or her computer is compromised; if the sender is real but is actually a look-alike, or if there are links within the email. Again, hover to verify. Contact the user via phone or through a separate email to verify or ask an IT professional to review it.

3. Use strong passwords with two-factor authentication. This protects against account compromise that can be configured as forwarders. The two-factor option uses a password-less approval prompt. In addition, use protected emails with end-to-end encryption. Without this, third parties may read a private or company proprietary conversation.

4. Implement an email phishing training platform for employees to increases awareness of email content and aid in preventing unwanted clicks.

5. Utilize a web content filtering platform. This prevents access to known bad websites and can stop an attack if a malicious link is accidentally clicked. Filtering algorithms using high-level email authentication standards (such as Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM) should be used before sending/forwarding emails.

6. Deploy an endpoint security platform. This is the “last catch” for malicious content, but it may not catch everything. It does provide protection when malicious websites are not blocked and reduces the capability of the attack.

“In a recent Small Business Administration study, 88% of business owners felt their companies were vulnerable to a cyberattack. According to the FBI, the cost of cybercrimes reached $2.7 billion in 2020,” Comfort added.

“So, what can a small business owner do? Since most owners wear so many different hats and simply don’t have the time or resources to devote to reducing cybersecurity threats and often don’t know where to begin.”

He said the path to prevention begins with awareness, training and constant vigilance. Comfort also recommends hiring consulting firms, getting cyber liability insurance and developing a security plan as a “good way to begin” to prepare.

Cyber schemes revealed

The most common types of cyberattacks include phishing, viruses, malware and ransomware.

Some 91% of cyberattacks begin with phishing emails. These attacks involve the use of fraudulent emails appearing to come from reputable sources that deceive people into doing the wrong thing, such as clicking on a malicious link or attachment, or responding to an email that allows malware or ransomware to block access, take control and shutdown a computer system — or illegally harvest information from a hard drive.

Vishing is phishing that uses voice communications.

Once personal facts are obtained by the attacker, private details are used for what is known as spear phishing, a more targeted attack based on having specific information about recipients. Key details are a victim’s date of birth, social security, phone and credit card numbers, home address and password information (possibly obtained via requests to reset passwords).

Whaling is phishing aimed at high-ranking and high-profile victims.

Lateral phishing occurs when a cybercriminal takes over a user’s company account to phish other users within the organization.

Viruses are programs designed to “infect” and spread to devices connected within a network. The main purpose of a virus is to cause temporary damage to software and give cybercriminals access to valuable data about clients, the business or other professional or personal data.

Malware is software that is internationally designed to cause damage to a computer system (servers, computers, networks and clients). According to, provider of IT security services and consulting, 92% of malware is primarily delivered by email. Dataprot reports over 500,000 new pieces of malware are detected every day. Dataprot is a website that educates people about information privacy and offers cyber security advice.

Ransomware is a type of malware that “highjacks” computers, networks and mobile devices shutting them down and denying access to the business owner and/or staff until a ransom demanded by cybercriminals is paid. Ransomware cost the world $20 billion in 2021, a figure expected to reach $265 billion by 2031 according to Cyberesecurity Ventures, a research firm and publisher covering the global cyber economy.

IT services provider Sophos reported that in 2021, 37% of all businesses were hit by ransomware; recovery cost businesses an average of $1.85 million that year. While 32% of businesses paid the ransom, they only received 65% of their data back. Only about 57% of businesses are successful in recovering their data, even when using a backup system.

Cyber tips to help turn away attacks

• Have adequate data breach liability insurance.

• Reduce data transfers, do not keep sensitive data on personal devices

• Avoid unnecessary downloads (if from unverified sources

• Update software and regularly install the latest updates

• Monitor for data leaks, quickly detect, respond and stop any activity with software

• Develop formal breach/cyberattack risk management response and recovery plans

• Assess core IT infrastructure for remote working

• Embed cybersecurity into business continuity plans, update access/security measures

• Add protocols and behaviors to prepare/sustain secure remote working

• Embed cybersecurity in corporate crisis management (BCG)

Rationale for change

Stephen Hicks is chief security architect with EndSight in Napa, a company offering IT services, cloud management and technical support.

“Never say cyberattacks will never happen to you,” Hicks said. “Thinking you can block them all is like trying to plug many holes in a dam, but this should not stop us from doing all we can to prevent them.”

Hicks said the cost of sending 200 million spam messages, a form of phishing, is very low, and the bad guys will get in eventually if businesses are not vigilant. He says malware has become a highly profitable business.

“Cybercriminals have artificial intelligence and machine learning tools. QR codes are now being compromised to divert funds away from intended, legitimate recipients to thieves’ pockets.”

He said from the dawn of the internet, its founders at MIT and Cal Tech imagined it being used to share data openly, stay connected with everyone, and improve the world for the better.

“Back then, security was an afterthought. Not anymore. Security matters now. But for some, it’s hard to close the barn door after all the animals are gone!”

Hicks observed that few are doing business today as they did decades ago, yet some are still holding onto 20-plus-year-old computers and other outdated equipment.

“When thinking about upgrading, some business owners only consider the cost of replacement, not the cost of downtime or the value of the loss associated with reputational damage, which could be immeasurable,” Hicks said. “However, competitors are weighing these factors, and making changes enabling them to move ahead.”

He believes the best defense is having an active cybersecurity plan that is frequently updated, with employees training and policies.

IT needs rethinking for work from home

“A number of businesses are still working with an antiquated workstation model dating from the main frame and client-server architecture era, while trying to make it work today from employees’ homes and cope with a host of security issues,” said Sam Forma, president and founder of Formatech IT Services in Napa.

”Meanwhile, others are leveraging cloud technology to make their data more secure and updating their networks with enterprise quality solutions,“ he said. ”A key question is can a company’s existing IT infrastructure effectively cope with today’s challenges?

“Older infrastructures still exist and are not always utilized in a safe and secure manner, leaving them vulnerable to phishing and increasing the possibility that employees may give up personal information, access credentials and sensitive company data.”

He said reliance on weak passwords has not worked well either, because they are often not complex enough and applied to multiple sites, meaning breaking one allows access to many data repositories.

“What is needed are two-factor, biometric or key fob–enabled entry solutions — not just a person’s anniversary date, a child’s name, or X-base code access systems — as well as machine learning and AI (artificial intelligence) tools. In short, I believe there is a need to go back to the procurement process to obtain devices and methods that can better mitigate risk.”

Another question is how are businesses going to deliver services to employees in a work-from-home culture, and make it as safe (or safer) than the workplace, while removing traditional IT barriers?

The transformation process begins with the deployment of new technology and by bringing more information to the cloud. Backup systems and software are also essential but should be pushed out to repositories touching the data — while not allowing prior backup methods to corrupt it. Any good backup system involves having multiple revisions that can be pulled from servers as frequently as twice a day providing six months of backups ready to replace corrupted data and software on demand.

Forma said some treat personal computers as if they were personal pets, not as if they were cattle — just tools. Rethinking the IT architecture is needed to become more flexible, and safer, especially at a time when cyberattacks continue to rise and resources to combat them more expensive.

“Security is a journey that never ends, not a destination,” Forma said. “IT is an expense, a cost center, not a profit center that can improve the bottom line, but the investment in cybersecurity can avoid costly delays, down time and customer dissatisfaction while reducing business risks.”

5-step approach for business cyberstrategies

1. IDENTIFY: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.

• Identify and control who has access to key business information

• Conduct background checks

• Require individual user accounts for each employee

• Create policies and procedures for information security

2. PROTECT: Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services.

• Limit employee access to data and information

• Install surge protectors and uninterruptible power supply

• Patch your operating systems and applications

• Install and activate software and hardware firewalls on all your business networks

• Secure your wireless access point and networks

• Set up web and email filters

• Use encryption for sensitive business information

• Dispose of old computers and media safely

• Train your employees

3. DETECT: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.

• Install and update anti-virus, anti-ransomware, and anti-malware solutions

• Maintain and monitor logs

• Review anomalies and other events

• Create and implement detection processes

4. RESPOND: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.

• Develop a plan for disasters and info security incidents

• Communicate to key stakeholders immediately and completely

• Mitigate impact of attacks

• Develop and implement improvements

5. RECOVER: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.

• Make regularly scheduled backups of important business data/info

• Ensure backups are recoverable at least annually

• Consider cyber insurance

• Make improvements to processes/procedures/tech

Source: National Institute for Standards and Technology (NIST)

Cybersecurity Watch: This story is underwritten by Comcast, which has had no input on the editorial content. See more stories this topic.

Hacker tactics

All email users and recipients should become aware of tactics used by hackers and suspicious signs to look for.

• The message contains threats or a sense of urgency (act now for this limited time offer, or the IRS must hear from you today to avoid penalties, etc.)

• The message is sent from a public email domain, or the domain name is misspelled

• The email is poorly worded or has grammar and spelling errors

• Email contains suspicious attachments or links (the destination address does not match the context of the email, inconsistencies in email address, links and domain names)

• Unusual requests from person you don’t know (please send cash so my son can fly home)

• Information provided is brief but compelling (information you requested is attached)

• The email recipient did not initiate the conversation (but led to believe he or she did)

• A too-good-to-be-true email (you won a prize or discount, reply or click for details)

• Request for credentials, or personal details (or even a realistic, but fake, invoice)

• Message has an unfamiliar greeting or tone (either overly familiar or unusually formal)

Source: IT Governance and center

Editor’s Note: This story has been updated. An earlier version incorrectly attributed a report on the cost of ransomeware. The research was done by Cyberesecurity Ventures.

Show Comment