Open an email, open a door for cyberattack: Here’s what your company should watch for

More than most, small businesses may have more to lose and are often less prepared that others when it comes to cyberattacks, more than 90% of which penetrate a company originate through emails.

According to Accenture’s Cost of Cybercrime Study, 43% of cyberattacks are aimed at small businesses, but only 14% are prepared to defend themselves.

More broadly, 45% of small- to medium-sized businesses worldwide say their security measures are insufficient and ineffective at mitigating attacks, a Ponemon Institute State of Cybersecurity Report revealed. Some 66% have experienced a cyberattack in the past 12 months, and 69% said their cyberattacks are becoming more targeted. Ponemon is a research center advancing responsible information management.

Discovering a breach that does not shutdown a computer network can take up to half a year. IBM found that it takes a company 197 days on average to discover a breach and 69 days to contain it, but that companies that contained a breach in less than 30 days saved more than $1 million.

And when it comes to how the attacks begins, the finger points to a ubiquitous source.

“Email has become the No. 1 point of entry for injecting malware into a personal computer and through it to a corporate network,” said Robert Boles, founder and president of Blokworx Inc., a Larkspur-based cybersecurity firm for managed service providers.

Cyberattacks can also occur by enabling macros in a Word document, updating a password, responding to a social media connection request or investigating a new WiFi hot spot.

New cybersecurity playing field

John Comfort, president of Linked MSP in Santa Rosa, a managed service provider specializing in outsourced IT and cybersecurity advises clients to always “stop, look and evaluate” incoming emails before clicking on them.

Comfort identified six steps businesses can take to reduce or prevent email-based fraud:

1. Be cautious when opening unexpected emails. Verify the domain (after the @ mark) and the username. If there are links within the email, “hover” the cursor over them to verify. Comfort asks his clients to send suspicious emails to him for analysis. “Not even Goggle would use @gmail.com as its domain.”

2. Be vigilant opening expected emails. Expected emails may be malicious if the sender is real but his or her computer is compromised; if the sender is real but is actually a look-alike, or if there are links within the email. Again, hover to verify. Contact the user via phone or through a separate email to verify or ask an IT professional to review it.

3. Use strong passwords with two-factor authentication. This protects against account compromise that can be configured as forwarders. The two-factor option uses a password-less approval prompt. In addition, use protected emails with end-to-end encryption. Without this, third parties may read a private or company proprietary conversation.

4. Implement an email phishing training platform for employees to increases awareness of email content and aid in preventing unwanted clicks.

5. Utilize a web content filtering platform. This prevents access to known bad websites and can stop an attack if a malicious link is accidentally clicked. Filtering algorithms using high-level email authentication standards (such as Sender Policy Framework (SPF) or Domain Keys Identified Mail (DKIM) should be used before sending/forwarding emails.

6. Deploy an endpoint security platform. This is the “last catch” for malicious content, but it may not catch everything. It does provide protection when malicious websites are not blocked and reduces the capability of the attack.

“In a recent Small Business Administration study, 88% of business owners felt their companies were vulnerable to a cyberattack. According to the FBI, the cost of cybercrimes reached $2.7 billion in 2020,” Comfort added.

“So, what can a small business owner do? Since most owners wear so many different hats and simply don’t have the time or resources to devote to reducing cybersecurity threats and often don’t know where to begin.”

He said the path to prevention begins with awareness, training and constant vigilance. Comfort also recommends hiring consulting firms, getting cyber liability insurance and developing a security plan as a “good way to begin” to prepare.

Cyber schemes revealed

The most common types of cyberattacks include phishing, viruses, malware and ransomware.

Some 91% of cyberattacks begin with phishing emails. These attacks involve the use of fraudulent emails appearing to come from reputable sources that deceive people into doing the wrong thing, such as clicking on a malicious link or attachment, or responding to an email that allows malware or ransomware to block access, take control and shutdown a computer system — or illegally harvest information from a hard drive.

Vishing is phishing that uses voice communications.

Once personal facts are obtained by the attacker, private details are used for what is known as spear phishing, a more targeted attack based on having specific information about recipients. Key details are a victim’s date of birth, social security, phone and credit card numbers, home address and password information (possibly obtained via requests to reset passwords).

Whaling is phishing aimed at high-ranking and high-profile victims.

Lateral phishing occurs when a cybercriminal takes over a user’s company account to phish other users within the organization.

Viruses are programs designed to “infect” and spread to devices connected within a network. The main purpose of a virus is to cause temporary damage to software and give cybercriminals access to valuable data about clients, the business or other professional or personal data.

Malware is software that is internationally designed to cause damage to a computer system (servers, computers, networks and clients). According to Purplesec.com, provider of IT security services and consulting, 92% of malware is primarily delivered by email. Dataprot reports over 500,000 new pieces of malware are detected every day. Dataprot is a website that educates people about information privacy and offers cyber security advice.

Ransomware is a type of malware that “highjacks” computers, networks and mobile devices shutting them down and denying access to the business owner and/or staff until a ransom demanded by cybercriminals is paid. Ransomware cost the world $20 billion in 2021, a figure expected to reach $265 billion by 2031 according to Cyberesecurity Ventures, a research firm and publisher covering the global cyber economy.

IT services provider Sophos reported that in 2021, 37% of all businesses were hit by ransomware; recovery cost businesses an average of $1.85 million that year. While 32% of businesses paid the ransom, they only received 65% of their data back. Only about 57% of businesses are successful in recovering their data, even when using a backup system.

Rationale for change

Stephen Hicks is chief security architect with EndSight in Napa, a company offering IT services, cloud management and technical support.

“Never say cyberattacks will never happen to you,” Hicks said. “Thinking you can block them all is like trying to plug many holes in a dam, but this should not stop us from doing all we can to prevent them.”

Hicks said the cost of sending 200 million spam messages, a form of phishing, is very low, and the bad guys will get in eventually if businesses are not vigilant. He says malware has become a highly profitable business.

“Cybercriminals have artificial intelligence and machine learning tools. QR codes are now being compromised to divert funds away from intended, legitimate recipients to thieves’ pockets.”

He said from the dawn of the internet, its founders at MIT and Cal Tech imagined it being used to share data openly, stay connected with everyone, and improve the world for the better.

“Back then, security was an afterthought. Not anymore. Security matters now. But for some, it’s hard to close the barn door after all the animals are gone!”

Hicks observed that few are doing business today as they did decades ago, yet some are still holding onto 20-plus-year-old computers and other outdated equipment.

“When thinking about upgrading, some business owners only consider the cost of replacement, not the cost of downtime or the value of the loss associated with reputational damage, which could be immeasurable,” Hicks said. “However, competitors are weighing these factors, and making changes enabling them to move ahead.”

He believes the best defense is having an active cybersecurity plan that is frequently updated, with employees training and policies.

IT needs rethinking for work from home

“A number of businesses are still working with an antiquated workstation model dating from the main frame and client-server architecture era, while trying to make it work today from employees’ homes and cope with a host of security issues,” said Sam Forma, president and founder of Formatech IT Services in Napa.

”Meanwhile, others are leveraging cloud technology to make their data more secure and updating their networks with enterprise quality solutions,“ he said. ”A key question is can a company’s existing IT infrastructure effectively cope with today’s challenges?

“Older infrastructures still exist and are not always utilized in a safe and secure manner, leaving them vulnerable to phishing and increasing the possibility that employees may give up personal information, access credentials and sensitive company data.”

He said reliance on weak passwords has not worked well either, because they are often not complex enough and applied to multiple sites, meaning breaking one allows access to many data repositories.

“What is needed are two-factor, biometric or key fob–enabled entry solutions — not just a person’s anniversary date, a child’s name, or X-base code access systems — as well as machine learning and AI (artificial intelligence) tools. In short, I believe there is a need to go back to the procurement process to obtain devices and methods that can better mitigate risk.”

Another question is how are businesses going to deliver services to employees in a work-from-home culture, and make it as safe (or safer) than the workplace, while removing traditional IT barriers?

The transformation process begins with the deployment of new technology and by bringing more information to the cloud. Backup systems and software are also essential but should be pushed out to repositories touching the data — while not allowing prior backup methods to corrupt it. Any good backup system involves having multiple revisions that can be pulled from servers as frequently as twice a day providing six months of backups ready to replace corrupted data and software on demand.

Forma said some treat personal computers as if they were personal pets, not as if they were cattle — just tools. Rethinking the IT architecture is needed to become more flexible, and safer, especially at a time when cyberattacks continue to rise and resources to combat them more expensive.

“Security is a journey that never ends, not a destination,” Forma said. “IT is an expense, a cost center, not a profit center that can improve the bottom line, but the investment in cybersecurity can avoid costly delays, down time and customer dissatisfaction while reducing business risks.”

Cybersecurity Watch: This story is underwritten by Comcast, which has had no input on the editorial content. See more stories this topic.

Editor’s Note: This story has been updated. An earlier version incorrectly attributed a report on the cost of ransomeware. The research was done by Cyberesecurity Ventures.