Unlike large, well-resourced corporations and enterprises with sophisticated infrastructure and cutting-edge technology, smaller organizations such as a local restaurant chain, an accounting firm, or a private medical group are typically at a disadvantage when it comes to meeting their information security requirements. In fact, they may not even be thinking about it, and this lapse in judgement carries with it significant risks and potentially dangerous repercussions. These resource- and time-constrained businesses now face the same information security threats as big companies: malware attacks, data breaches, and email phishing.
Gartner defines a small to mid-sized business (SMB) as a business which, due to its size, has different IT requirements—and often faces different IT challenges—than larger enterprises do, and whose IT resources are often highly limited in areas like budget and staff. Small businesses are usually defined as organizations with fewer than 100 employees, while midsize enterprises are those organizations with 100 to 999 employees. The second most popular attribute used to define the SMB market is annual revenue—small business is usually defined as organizations with less than $50 million in annual revenue; midsize enterprise is defined as organizations that make more than $50 million, but less than $1 billion in annual revenue.
Unprotected SMBs Create Greater Risks For Us All
What makes unprotected SMBs even riskier is that they can be used as a “gateway” into larger enterprises. Once compromised, their hijacked network can be leveraged to spread malware to the bigger businesses they work with. According to the U.S. Small Business Administration, on average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016.
For example, one errant click from an end user can quickly become a network-wide infection. We have seen a growing number of criminal operations adding worming components to their malware since the WannaCry ransomware outbreak of May 2017. WannaCry spread without any user interaction by exploiting a vulnerability in the SMBv1 file-sharing service of unpatched Windows systems, and it installed a backdoor on each machine it infected. To be clear, a backdoor is an (often secret) method of bypassing normal authentication or encryption in a computer system, a product, or an embedded device like a home router. Once on a machine, the malware encrypted the user's data and demanded a ransom payment in bitcoin cryptocurrency.
The attack was estimated to have affected more than 200,000 computers across 150 countries, with total damages ranging from hundreds of millions to billions of dollars. Security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country.
Microsoft had released a patch (MS17-010, March 2017) that closed the vulnerability two months before the outbreak, but much of WannaCry's spread was through organizations that had not applied it, or that were running older Windows versions already past their end of life. This is often the scenario with small businesses: with no onsite IT support, an SMB's lack of knowledge and outdated technology make it a sitting duck.
Is Help On The Way?
The recent signing of the National Institute of Standards and Technology (NIST) Small Business Cybersecurity Act is a good step in the right direction toward helping SMBs manage and mitigate security risks. The law directs NIST to provide small businesses with resources (guidance, tools, and best practices) for identifying, assessing, and reducing their cybersecurity risks, which should raise the baseline level of safety online for small and mid-sized businesses and may also establish a frame of reference useful to other countries.
Before this legislation, many organizations were exposed to multiple kinds of online attack and exploitation without being aware of the true impact those attacks could have on their business.
Protecting and Preventing
The good news is that there are best practices you can adopt to protect your business. The U.S. Small Business Administration offers the following tips:
- Implement an awareness and training program. Because end users are targets, employees should be aware of the threat of ransomware and how it is delivered.
- Enable strong spam filters to prevent phishing emails (attempts to trick recipients into handing over sensitive information) from reaching employees, and authenticate inbound email using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC) to prevent email spoofing. SPF and DKIM let a receiving server verify the sending host and the message signature; DMARC tells receivers what to do when those checks fail.
- Scan all incoming and outgoing email to detect threats, and filter out executable attachments before they reach employees.
- Configure firewalls to block access to known malicious IP addresses.
- Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
- Set anti-virus and anti-malware programs to conduct regular scans automatically.
- Manage the use of privileged accounts based on the principle of least privilege: no employees should be assigned administrative access unless absolutely needed and those with a need for administrator accounts should only use them when necessary.
- Configure access controls—including file, directory, and network share permissions— with least privilege in mind. If an employee only needs to read specific files, the employee should not have write access to those files, directories, or shares.
- Disable macro scripts in Office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files received by email instead of the full Office suite applications.
- Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware staging locations, such as the temporary folders used by web browsers and compression/decompression utilities, and the AppData/LocalAppData folders.
- Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
- Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
- Execute operating system environments or specific programs in a virtualized environment.
- Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.
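The SPF and DMARC item above is the one on the list where it helps to see what a receiving mail server actually does with the records you publish, and why a permissive record buys you little. The following Python script is an added example written for this page; it is not SBA code or part of any mail product. It evaluates a sender's IP address against an SPF record, parses a DMARC record, and flags weak settings. The domains and TXT records in `SAMPLE_RECORDS` are constructed, not real DNS data. It handles the `ip4`, `ip6`, and `all` mechanisms with their qualifiers; `include:`, `a`, `mx`, and `redirect=` need live DNS lookups and are reported as unsupported rather than guessed. DKIM is not covered, because verifying it requires the signed message and the public key, not just a DNS record.

```python
"""Minimal SPF and DMARC evaluation against constructed DNS TXT records.

Added example for this article (not from the SBA checklist or any vendor
tool). Supported SPF mechanisms: ip4, ip6 and all with the + - ~ ?
qualifiers. Terms that require DNS (include:, a, mx, exists:, redirect=)
are reported as "unsupported" instead of being resolved.
"""
import ipaddress

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "example.test": "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all",
    "weak.test": "v=spf1 ip4:203.0.113.0/24 ~all",
    "_dmarc.example.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example.test; adkim=s; aspf=s",
    "_dmarc.weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
}

# SPF qualifier prefixes and the result each one produces on a match.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record: str, sender_ip: str) -> str:
    """Return the SPF result for sender_ip under record.

    Results: 'pass', 'fail', 'softfail', 'neutral', 'none' (no valid SPF
    record) or 'unsupported' (a term this evaluator cannot resolve).
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no SPF record: the receiver learns nothing
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # mechanisms default to '+' (pass on match)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "unsupported"  # malformed network; treat as permerror
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif mech == "all":
            return QUALIFIERS[qualifier]  # 'all' always matches
        else:
            return "unsupported"  # include:, a, mx, exists:, redirect= need DNS
    return "neutral"  # RFC 7208: nothing matched and there was no 'all'


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into a tag dictionary; {} if not DMARC."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_posture(domain: str, records: dict = SAMPLE_RECORDS) -> list:
    """Return findings describing weak or missing SPF/DMARC settings."""
    findings = []
    spf = records.get(domain, "")
    if not spf.startswith("v=spf1"):
        findings.append("SPF: no record; receivers cannot reject forged senders")
    elif "-all" not in spf.split():
        findings.append("SPF: record ends in ~all or ?all; spoofed mail only softfails")
    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if not dmarc:
        findings.append("DMARC: no record; SPF/DKIM failures are not enforced")
    elif dmarc.get("p") == "none":
        findings.append("DMARC: p=none only monitors; use p=quarantine or p=reject")
    if dmarc and "rua" not in dmarc:
        findings.append("DMARC: no rua= address; you will not see spoofing reports")
    return findings


if __name__ == "__main__":
    for dom in ("example.test", "weak.test"):
        print(dom, evaluate_spf(SAMPLE_RECORDS[dom], "198.51.100.1"),
              assess_posture(dom) or ["no findings"])
```

Run against the constructed records, `example.test` rejects a forged sender outright and has no findings, while `weak.test` only softfails the same sender and, with `p=none`, asks receivers to do nothing about it. Replace `SAMPLE_RECORDS` with the output of a real TXT lookup for your own domain and `_dmarc.` subdomain to check your own posture.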