Your money or your data?
We show four examples of real SME cyber attacks show what businesses must do to avoid this business-threatening risk A ransom note suddenly flashes up on your computer screen demanding thousands of pounds or the loss of all your data. It’s a nightmare scenario and one happening right now to a frightening number of SMEs.
The cyber criminals, who are pursuing softer targets as bigger firms become harder to penetrate, have the power to put businesses, livelihoods and jobs at risk. In this digital age, even a beauty salon in a market town now has to be aware of the extortion threat posed by international gangs.
The Federation of Small Businesses says two-thirds of its members have fallen victim to cyber attacks in the past two years, costing the UK economy an estimated £5.3 billion and each business almost £3,000 in total.
Exploiting the fact that individuals are usually the weakest link in any security chain, the scammers will seize upon any misjudged click to lock computer systems and issue their demands.
But how does it feel to be on the receiving end? Here we reveal the inside story of an SME cyber attack.
Attack method: Ransomware. Malicious software, typically received via a phishing email that encrypts all the data on a company’s network.
SME target: Enterprise centre.
The case: Townsend Business Centre in Belfast was held to ransom when its computers were disabled by hackers who demanded three bitcoins — equal to about £13,000 — in return for a decryption key to remove the malware.
It’s increasingly common for criminals to demand payment in bitcoins in the belief that the crypto-currency is an anonymous way to be paid. The business centre refused to pay the demand and, having reported the attack to police, suffered three days of disruption before all information was recovered and its servers restored.
However, chief executive Margaret McMahon said the business had been fortunate: “We didn't have any specific vulnerabilities, but these criminals are incredibly intelligent. They could have been round the corner in Belfast or they could have been in Taiwan — we just don't know."
Thankfully, a lot of information was recovered quickly because the business centre regularly backed up its data.
Lessons learned: Backup your data regularly, and if this involves cloud storage, make sure the contents of the database are encrypted.
Attack method: Email spoofing
SME target: Web services company
The case: Worcester-based web services company PCA Predict had their branding plagiarised as part of a mass malicious email shot demanding payment from millions of random recipients.
Sometimes you don’t have to be a victim of hacking to come under attack, as staff at Worcester-based PCA Predict found out. Their brush with cyber criminals began one lunchtime when an email server started to struggle and its bandwidth usage surged. Phones were ringing non-stop from recipients of an email, apparently from the company, showing a payment receipt for £120.
An estimated 1.5 million emails had been sent by a botnet containing a malicious attachment designed to steal banking credentials from the recipient. The scammers had used the contents of an original email message from PCA, as well as copied headers and internal server names.
The company was deluged by 6,000 calls and 40,000 emails in a short period of time. These weren’t from PCA customers as the company’s own data hadn’t been compromised. PCA responded quickly by placing warnings on its phone system and website, and, crucially, adding “This is Spam” to the offending email when it realised that images in the fake message were still being hosted on its own infrastructure.
Lessons learned: PCA’s actions minimized the crisis, but would another company be so lucky without in-house tech skills, easy access to systems and the infrastructure to cope with a surge in bandwidth?
Attack method: Whaling attack, targeting one big fish rather than smaller fry
SME target: Tech start-up
The case: These attacks, also known as CEO fraud, often take place on a Friday afternoon, under the pretence of getting a wire payment done before the weekend. The hacker poses as a senior person within the team and convinces those in financial authority to make a payment.
London-based tech start-up Skimlinks has been on the receiving end of several SME cyber attacks. Alicia Navarro, Skimlink’s chief executive and founder, said one such incident asked her financial controller for the immediate payment of a five-figure sum to cover the invoice contained within the email.
The message from Alicia’s chief financial officer did not come from the company’s domain, but from a very similar one — sklmlinks.com — and included a false forwarded email that had been written in Ms Navarro’s name.
She said: “We regularly get emails spoofing employees. Nothing has come close to succeeding, but I’ve heard of other startups that were fooled and did wire money as per the email’s request.”
Lessons learned: Review internal procedures on how transactions are requested and approved. Always check email addresses, and if in doubt request clarification from an alternatively sourced address.
SMEs often think they are too insignificant to bother hackers, or that security measures will be too costly to implement. But as we’ve seen, many firms find out to their cost that they are a potential goldmine.
Educating employees about this SME cyber attack threat — only 22% do so at the moment — and carrying out regular reviews to spot vulnerabilities in IT systems and software are essential precautions.
Otherwise, firms may find they are in business one minute and out of it the next.
Takeaways:
SMEs are now a soft target as big firms tighten their defences.
About half of SME cyber attacks involve phishing.
Online service booking systems are a common ransomware target.
Scammers know individuals are a security weak link.
Educating staff is key to stopping cyber attacks.
Contact us to see how Forint can support you with the stages of Incident Response:
PREPARATION - There can be no guarantee that you will never be attacked. Therefore, a pre-prepared plan, with correctly exercised and documented activities can be created to allow the organisation to put an effective response to an identified attack.
IDENTIFICATION - The correct tooling needs to be employed which monitors the critical assets, network infrastructure and external gateways to an organisations data. Learn how you can finely tune your assets to maintain maximum visibility of your estate.
CONTAINMENT - Containment of the incident is paramount. The longer an incident is allowed to be run without containment can mean the success or failure to your organisation.
RECOVERY - Once a cyber security incident has been contained, it is imperative that the organisations services are returned back to a workable state. See how to enhance the prioritisation and recovery of critical business assets, so that you can get back to business quickly.