The New York Times has a very good article titled “No Business Too Small to Be Hacked.” We have been saying for the past few years that businesses of all sizes are vulnerable to cyber-crime. The more real-life, documented examples of cyber-crime there are, the more awareness will be raised. Awareness of the risks is critical because many small businesses incorrectly believe they are too small to be a victim of cyber-crime.
The article talks about ransomware, which is a rapidly growing threat. Cyber-criminals are less likely to try to steal data, such as credit cards or other financial information, from a small company. They are more likely to hit a company with ransomware, which in most cases encrypts the company’s files and data and demands a ransom in order to decrypt or unlock the files.
Here are some highlights of the article:
Just as the holiday shopping season neared, a toy company, Rokenbok Education, was navigating a nightmare situation: Its database files had been infected by malware.
Online criminals had encrypted company files, making them unusable, and were demanding a hefty ransom to unlock the data. Rokenbok, a California-based company that uses building blocks and even robotics to teach children how to think like engineers, lost thousands of dollars in sales in two days.
Rokenbok’s founder and executive director, Paul Eichen, was already struggling to adapt his seven-employee company to a fast-changing toy world. Even worse, the malware attack was not Rokenbok’s first. The company had been hit earlier with a denial of service attack that shut down the company’s website.
“I sweated that one,” Mr. Eichen said. “Customers’ first impressions are critical.”
Not paying the ransom meant days of rebuilding
These days, businesses like Rokenbok are especially susceptible to a type of malware called ransomware, which holds data hostage in return for money. Data is slowly encrypted by criminals until the entire system is locked up. The process can take up to 42 days, Mr. Calvert said.
Rokenbok’s ransomware attack made its database files unusable. But rather than pay the ransom, the company reconstructed its key systems, a process that took four days.
Ransomware preferred over stealing data
“Credit card numbers are harder to monetize,” said Christopher Young, general manager of the Intel Security Group at Intel Corporation. “You have to get the numbers and sell them to someone else before you make money.” Ransomware, he said, is high volume and requires no middleman. Hackers gain entry when employees click on malicious links in emails or download infected material.
Phishing attacks, which use malicious emails to steal data, are also on the rise, security experts added.
Denial of Service attacks
The 5050 Skatepark, an 8,000-square-foot indoor park on Staten Island for skateboards, BMX bikes and scooters, rejiggered its passwords after being hit with a denial of service attack last fall that made its website unavailable. The skatepark, which generated $100,000 in revenue in 2014, attracts skateboarders from all over the world, said one of its founders, Edward Pollio. Having the website closed down was a blow to revenue, he said.
“The attack caused havoc,” said Mr. Pollio, who still has a day job as a carpenter. “People were asking if we were still in business. Not having a website is like being closed.”
Employee training is critical
Employee training is also inexpensive, but important. Since most hacking episodes occur when employees click on malicious links or websites, education is the best defense, many security experts said.
Daniel Peebles, information technology manager at Andretti Autosport, the auto racing group based in Indianapolis, tackles education head on. Besides explaining malware and phishing through PowerPoint presentations, he sends emails to employees about the latest threats.
“You must definitely have a will to learn,” said Mr. Peebles, who served in the Army. “Attackers are always finding new methods. So you’ve got to keep up with the pace.”
Tom Gorup, security operations leader at Rook Security in Indianapolis, advised preaching security to employees from the beginning. He advocates offering monetary rewards for identifying security problems. “Become a guerrilla work force,” added Mr. Gorup, who also served in the Army.
Cyber-criminals are going after businesses of all sizes. We hear about large data breaches such as Home Depot, Sony and Target, but as this article shows, small businesses are victims of cyber-criminals as well. Ransomware and Denial of Service (DoS) attacks are increasing, and smaller companies are becoming victims more and more. Companies of all sizes need to perform security audits and train their employees on how to spot and avoid phishing scams that can lead to ransomware attacks. In addition, thorough data backup is critical in the event a company falls victim to ransomware. Without a solid backup procedure, data encrypted by ransomware can be lost forever.