In the next few years, enterprises with a low level of IT security will find themselves in great danger: Industry 4.0 and IoT devices will create a massive number of points of attack, making us far more vulnerable than we are today.
Will SMEs be able to defend themselves from this new wave of attacks?
Polls tell us that in most cases they will not, and that they will be totally unprepared, making “Cyber Insecurity” the new buzzword of the Italian business community.
SMEs account for 90% of the national enterprise landscape. They are dynamic businesses that play a fundamental role in innovation and stand as a symbol of Italian tenacity. SMEs also do a great deal of work for bigger firms, which makes them particularly attractive to hackers: they can be attacked easily and they can also open the way into bigger and more structured companies.
These companies are easy targets for cyber criminals because their security infrastructures are far from sophisticated and they have no cyber security experts. Employees are not very careful and know little about IT systems, and there is a genuine lack of available experts who can deal with threats and react in the right way when needed.
In most cases the attacks succeed not because the hackers are amazing at what they do, but simply because of the lack of cyber security knowledge within the organization.
A recent Cisco report shows that the growing number of attacks faced by SMEs translated into serious economic damage (with figures even exceeding €80.000), but also into massive data breaches of a vital company asset, whose value is further heightened by the new GDPR regulations.
But there is something positive too. Both SMEs and big companies are actually starting to understand the problems related to Cyber Security and to implement relevant procedures.
The growing need for a new business security culture
Despite constant awareness of cyber attacks and risks, and the willingness to implement new security measures, Italian enterprises are not yet sufficiently oriented towards a real “security culture”.
This is mainly due to a failure to understand that the most valuable asset of a company is the information and data it holds, and that protecting them is not just the right choice but also a strategic need.
Some analysis tools are available, such as Penetration Tests (which simulate a real attack on the system) or Vulnerability Assessments (an evaluation of the potential vulnerabilities of both systems and applications), but they are still not widely used, not even in bigger companies.
The first line of defense, and probably the most significant one, is Security Awareness: teaching employees to understand and recognize threats so that they do not fall for them.
Employees need to have the right tools to recognize threats so they can easily adopt the right defense strategies.
Let’s have a look at some of the most common types of attack and the corresponding defense techniques.
Phishing: watch out for fraudulent e-mails
Phishing is a type of fraud belonging to a widely known threat category which, despite everything, continues to claim victims. Here, cyber criminals evolve together with technology and use very sophisticated social engineering techniques (the study of an individual’s behaviour in order to steal useful information).
We frequently receive emails, texts and calls aimed at stealing personal data, bank account or credit card details, or credentials for a company’s infrastructure.
To defend yourself against phishing there are some rules:
– Pay attention to the messages you receive.
– Never click immediately on a link in a suspicious email: if it looks like a dubious URL, then it probably is.
– Never open attachments in emails before having them scanned by a good and updated antivirus.
Email spoofing: the threat that steals confidential data
Email spoofing is the forging of the sender’s email address. It is generally used in spam and phishing emails to mislead the recipient about the origin of the message. The crook may pose as a known contact, such as a colleague or a manager, and ask the recipient to do something for him.
Gathering personal data is the key element here: the attacker tries to find out as much as possible about the unlucky victim, such as where he works, his colleagues, his hobbies and so on.
The peculiarity of this scam lies in its simplicity: it uses public information that can easily be found online, hoping to convince the targeted person of the email’s authenticity so that he does what he has been asked to.
There are really no best practices that fully defend us from email spoofing. Always look carefully at the sender’s email address: if it is an attack you will notice some spelling mistakes. Also be very cautious if you are asked to send money: always ask the sender for a phone call to confirm the details first. Don’t just reply by email, as the scammer can do that too.
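As an added illustration of the “look carefully at the sender’s address” advice (this is example code, not from the original article), the check below flags sender domains that imitate a known contact’s domain through look-alike characters or a one-character difference, and display names that carry an address different from the real one. KNOWN_DOMAINS and the sample headers are constructed for the example.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Domains the company normally exchanges mail with. Constructed for this
# example; in practice this would come from the address book or mail gateway.
KNOWN_DOMAINS = {"example-corp.com", "partner-bank.it"}

# Character swaps commonly used to imitate a legitimate domain name.
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'exarnp1e.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in LOOKALIKE_SWAPS:
        d = d.replace(fake, real)
    return d


def check_sender(from_header: str, known_domains=KNOWN_DOMAINS) -> str:
    """Classify a From: header as known, lookalike, display-name mismatch, unknown or unparseable."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower()

    # A display name that itself looks like an address ("ceo@example-corp.com")
    # while the real address has another domain is hiding the true sender.
    if "@" in name and name.rpartition("@")[2].lower() != domain:
        return "display-name mismatch"

    if domain in known_domains:
        return "known"

    for known in known_domains:
        # Match either after folding look-alike characters, or when the spelling
        # is nearly identical (e.g. one character dropped or swapped).
        if normalize(domain) == normalize(known) or SequenceMatcher(None, domain, known).ratio() >= 0.9:
            return f"lookalike of {known}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    for header in ("Mario Rossi <mario.rossi@example-corp.com>",
                   "Mario Rossi <mario.rossi@exarnple-corp.com>",
                   '"mario.rossi@example-corp.com" <random@freemail.example>',
                   "Newsletter <news@shop.example>"):
        print(f"{header!r}: {check_sender(header)}")
```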
Ransomware: the threat that freezes your computer and demands a ransom
Ransomware is one of the attacks that scares enterprises the most, and it is quite clear why. Also known as the “ransom virus”, it lets the hacker encrypt the unlucky victim’s data on a computer, tablet or smartphone and demand a ransom (usually money) to unlock and reactivate the “stolen” device.
We have already talked about ransomware in this article.
Supply Chain attacks: pay attention to software updates
Attacks on the distribution process make small enterprises and contractors vulnerable and represent a growing trend in cyber security. Hackers are evolving alongside the latest technologies.
Through such threats, criminals, using a variety of techniques that make them difficult to identify, are able to compromise software updates and insert themselves into the trusted update distribution chain.
But how does it work? The hacker targets suppliers in a specific distribution supply chain that have insufficient security measures, gets in with no obstacles at all, gains access to confidential information stored on their computers and sets off a chain of linked events.
One way to protect against such threats is to understand which security measures are used by the suppliers and partners with whom confidential data are shared. Always try to understand how they store and protect relevant content, projects and plans, and how their IT security (patching, updates, etc.) is structured.
Attacks on companies’ mobile devices
Mobile devices such as smartphones and tablets play a key role in the working life of every employee, who can therefore manage their work remotely.
But what happens when they are outside the perimeter of the company’s firewalls and connect to an open Wi-Fi network?
On most public networks, the information sent by a mobile device is not encrypted. Anyone nearby with a laptop and a network sniffer (a software or hardware tool that collects the information travelling across the network) can easily access all the data passing through the wireless network.
The risk is that you might connect to unsafe Wi-Fi access points that are able to monitor everything being sent. This is a relevant issue for your company if sensitive documents are transmitted.
Furthermore, any unpatched software or other security vulnerability can be exploited in such attacks.
Some defence techniques
- The best choice is always to use your provider’s data network. If this is not possible, always opt for a Wi-Fi network that has a password (and check that encryption is active).
- Use a VPN connection, but if most employees use cloud services for their work it is actually better to use a Secure Internet Gateway, which provides a secure connection to the network. Every single time a request is made, from a simple web search to sending an email, from online shopping to cloud computing, DNS is used. It is also better to deactivate the “data sharing” option.
- A good habit, although it might seem obvious, is to always keep the device you are using under control and make sure you log out of sites every time you are done.
- Remember to install a plugin that blocks pop-ups in your browser (there are plenty available) to stop seeing unwanted ads.
- Check that your email account has a good anti-spam filter, able to automatically reject malicious emails.
Every day we risk being attacked: spam and phishing are just one example, to be added to the misuse of networks by employees.
One last piece of advice for SMEs and bigger companies that want to improve their cyber security strategy is to implement IT security systems incrementally, rather than leaving things as they are because a complete overhaul would be a very big investment.
There are no IT solutions that can guarantee a company is 100% safe: the threats out there are far too complex, they keep expanding and evolving, and security strategies and technologies are constantly evolving too.
The best defense against hackers is to develop a defense plan organised around IT resources and made up of strategies and security technologies: this means people, processes and technology.