Until airbags are fitted to email apps to stop staff opening bad messages, what else can a small biz do to protect itself?
Your gentle guide to thwarting miscreants
Backgrounder Crime doesn’t pay? Tell that to the small businesses that fall victim to cyber-attacks every year and have to fork out cash to crooks. According to a 2018 survey from the UK's Federation of Small Businesses, 5.4m of their members were attacked by cyber criminals, resulting in a loss of more than £5bn.
According to a report by insurance company Beazley, 71 per cent of ransomware attacks were aimed at SMEs, with a mean ransom demand of $116,234 (£91,493). What’s galling for these businesses is that 93 per cent of them had implemented some type of cyber protection but it all proved to be ineffective. The European Union Agency for Network and Information Security (ENISA) runs an annual survey looking at computer threats, and found email is the dominant vehicle for delivering such attacks, responsible for 92.4 per cent of malware infections.
ENISA’s report also indicated that phishing attacks have become much more targeted. Gangs are tailoring emails for specific individuals by carefully identifying people’s interests and by aiming emails at those with privileged access to valuable data, such as financial records. Business Email Compromise is a growing form of attack: this is a scam targeting organisations that conduct wire transfers. Typically, crooks send invoices that appear to be legit to finance department staff in an attempt to persuade them to wire money to the fraudsters' bank accounts on the paperwork. Alternatively, emails appearing to come from the CEO or other high-ranking employees are sent to lower-level finance staff, convincing them to wire money to a particular account or to grant the impostors access to workers' personal files, which are then stolen by the crooks.
The more convincing or appealing the email, tapping into an employee's foibles or weaknesses, the greater the chance that they will fall for the scam. It is quite possible workers are completely unaware of how easily they can be manipulated or exploited, and how great a role they will unwittingly play in the fraudsters' schemes.
As an example of criminals tailoring their messages to snare specific well-placed staff, social-engineering security consultant Jenny Radcliffe tells a story of a cat lover who was targeted with an email containing a PDF about a cat for adoption. Unfortunately, the PDF was booby-trapped with malware that, when opened, handed criminals access to the entire network of the cat-lover’s employer.
The humble PDF has become one manifestation of a growing form of malware attack being employed by cyber criminals: fileless malware. This is a type of software nasty that executes purely in the infected computer's RAM, and does not touch any storage, making it potentially tricky to detect. ENISA calls such fileless infiltrations the “new norm,” with 77 per cent of successful attacks using fileless malware. Security consultant Brian Honan supports ENISA’s findings. “It’s still one of the most common forms of attacks that we’re seeing,” he told us.
Attack via email and PDF is dangerous because both email and PDFs are such a staple of day-to-day business and because people can be inclined to drop their guard when receiving and opening them. “The problem is that a lot of these businesses don’t think they’re worth hacking. What they forget is that they’re part of a chain and they have to be aware that any information they give is just part of the total picture,” said Radcliffe.
Criminals have benefited from staff who have posted links about themselves or the company that seem trivial: “Where do staff members like to drink? What are the transport links like? When the criminals know information like this, it makes approaches to the company more credible,” noted Radcliffe.
It’s not just individuals who put information like this online. Businesses do it, too, on their websites. “These can be things like photos of a staff team-building day or information about a major order. I’ve seen photos with a computer background, so I can find the operating system they use from that, or the correct form for their email addresses,” Radcliffe said.
Cyber criminals have, therefore, evolved: not simply content with launching malicious code at vulnerable services, they are carefully targeting the people operating them. What’s a small or medium-sized biz to do? Yes, you can patch a system against malware and known vulnerabilities, but how should you respond when it’s your valuable employees opening the stable door?
You can train staff – tell them what to look for
The cat example was a good demonstration of the way malware slingers rely on feelings (as well as felines). “There are key red flags that organisations should be looking out for,” Radcliffe told us. “Emails that play on emotions: anything that can make you sad or happy. Emails that say that you’ve won something are popular. Or it could be a threat: you’ve been found speeding, for example – these are the type of emails that act as a trigger.”
But Honan emphasized the need to go beyond this. “Look at the way that cars are designed,” he said. “They are designed to react to human mistakes. For example, the airbags protect drivers when something goes wrong. But we don’t often implement the same sort of protection when it comes to email. Many of the email platforms don’t have safety measures by default. If we want to protect businesses, we have to make the extra effort to provide enhanced protection.”
Translated: cyber protection demands technological changes, which may be the last thing small businesses want to hear given they are usually short on time, resources, and knowledge.
Tools do exist to help, of course: the VirusTotal service's range of antimalware engines will attempt to identify malicious code within attachments and downloads as they arrive.
IT teams can also take some relatively simple measures, including adopting a more rigorous approach to configuring their email systems. One approach that should be employed as standard is TLS encryption, which secures mail in transit between servers so that a message cannot be read or altered en route before it's received and opened by the human recipient. It’s possible to provision an email system such that it will reject non-TLS messages.
You can also verify mail sources. Techniques include setting up DomainKeys Identified Mail (DKIM) as an anti-spoofing measure, which ensures that mail received was sent by the domain it purports to come from and has not been interfered with en route. The system works by adding a cryptographic signature to a mail header, which the receiving server checks against a public key published in the sending domain's DNS records.
Finally, you can check the integrity of a sender using Domain-based Message Authentication, Reporting and Conformance (DMARC). This builds on DKIM to verify that the authenticated sending domain matches the one shown to the recipient, and it publishes a policy telling receiving mail servers how to treat messages that fail the check and where to report them, adding another layer of protection.
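To show how the DKIM and DMARC checks described above fit together on the receiving side, here is an added example written for this piece (not code from the article or from any mail product): it takes a message's From: header, the d= domain from its DKIM-Signature, the SPF result and the domain owner's published DMARC record, and produces the pass/fail verdict plus the action the owner requested. All domains, headers and the policy record are constructed sample data, and the organisational-domain logic is simplified to the last two labels.

```python
from email.utils import parseaddr


def parse_tags(value: str) -> dict:
    """Parse 'k=v; k2=v2' tag lists, the syntax shared by DKIM-Signature headers and DMARC TXT records."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.strip().split("=", 1)
            tags[key.strip().lower()] = val.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain, simplified here to the last two labels (real receivers use the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts any host
    in the same organisational domain, e.g. mail.example.com for example.com."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_verdict(headers: dict, dkim_pass: bool, spf_domain: str,
                  spf_pass: bool, dmarc_record: str) -> tuple:
    """Return (result, action): 'pass' if DKIM or SPF passed *and* the authenticated
    domain aligns with From:, plus the action requested for failures (none/quarantine/reject)."""
    policy = parse_tags(dmarc_record)
    if policy.get("v") != "DMARC1" or "p" not in policy:
        raise ValueError("invalid DMARC record")
    from_domain = parseaddr(headers["From"])[1].rsplit("@", 1)[-1]
    dkim_domain = parse_tags(headers.get("DKIM-Signature", "")).get("d", "")
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    spf_ok = spf_pass and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    action = policy["p"]
    if from_domain.lower() != org_domain(from_domain):  # From: is a subdomain: 'sp' applies
        action = policy.get("sp", action)
    return ("pass" if dkim_ok or spf_ok else "fail", action)


# Constructed sample data: a "CEO" message signed and sent from a domain the
# fraudster controls, beside a genuine one signed by example.com itself.
SPOOFED = {"From": '"Chief Exec" <ceo@example.com>',
           "DKIM-Signature": "v=1; a=rsa-sha256; d=bulk-sender.example.net; s=k1; bh=PLACEHOLDER; b=PLACEHOLDER"}
GENUINE = {"From": "ceo@example.com",
           "DKIM-Signature": "v=1; a=rsa-sha256; d=example.com; s=sel1; bh=PLACEHOLDER; b=PLACEHOLDER"}
RECORD = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    print(dmarc_verdict(SPOOFED, True, "bulk-sender.example.net", True, RECORD))  # ('fail', 'reject')
    print(dmarc_verdict(GENUINE, True, "example.com", True, RECORD))  # ('pass', 'reject')
```

The spoofed message fails even though its DKIM signature and SPF check are valid, because the authenticated domain does not align with the From: address the finance clerk sees; that alignment is what makes DMARC effective against the CEO-impersonation scam described above.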
As to how SMEs handle attacks, there is universal agreement that talk of punitive measures against employees is counterproductive. “Companies should be setting clear guidelines,” said Radcliffe. “Staff should know what to do if someone is suspicious about a particular email or phone call. They need to know to report it and where to report it. And make it clear that staff won’t be punished if they accidentally open malware.”
Punishing staff, as some might, can create a climate of fear that deters employees from admitting they have made a mistake, making it harder to take action against malware until it’s too late.
Social engineering by hackers has become as complex and devious as the code they write. Email-based attacks are not going away, as hackers have recognized the value of this most trusted and ubiquitous of business tools. It’s time, therefore, for SMBs to take stock and work to counteract the rise of email-based malware using basic technology practices and some social engineering of their own.
Supported by SonicWall.