Easy prey
Email is still an organisation’s weakest point, with 91% of attacks starting with email-based phishing attacks. And they’re not going away. In fact, 90% of global organisations have seen an increase in the volume of phishing attacks in the last year.
If large organisations are at risk, small businesses – which don’t have fully resourced in-house security teams and large security budgets – are at even higher risk.
Some people would think that email threats would be a thing of the past by now. Most savvy email users know not to open attachments or links sent by people they don’t know. But what if that email looks legitimate? What if it’s an email from Microsoft – or so it seems – saying our password is about to expire and that we should follow a link to create a new one? The branding is the same, the language is the same; the mail even comes from Microsoft.com. Most of us would probably click on it.
And just like that, cybercriminals have harvested our credentials and have access to our Microsoft accounts, including emails, calendars, and sensitive documents.
Then they take it a step further. With internal access, they can analyse the language we use in our own emails and scrutinise our calendars. In minutes, they know that Joe Soap, financial director of Joe Soap Trading, will be travelling on Wednesday at 2pm – the perfect time to send an email from his address to the accounts team, asking them to make an urgent payment to a “supplier”.
The email comes from the FD’s address. It sounds like he wrote it. Why would the accounts team question it? It’s strange that he’d be sending mails from an aeroplane, 30,000 feet in the sky but maybe the plane has WiFi, we can’t call him to confirm, but he says it’s urgent. Payment is made; cyber criminals win.
Cyber criminals also search for emails containing words like ‘invoice’ or ‘payment due’. They’ll change the banking details on the invoice, and because there’s no governance structure in place, the invoice will be processed, but the money will go to the criminals.
Or they’ll weaponise Word or Excel attachments in a way that bypasses traditional security systems. Once you open the file, it runs a script that installs malware, like WannaCry. From there, your organisation is exposed to manipulation by cyber criminals.
Cyber resilience checklist
It might seem like a hopeless situation, especially when we tell businesses to assume that they will be attacked eventually. But that’s the current state of the security landscape and our best defence is to be prepared with a well-developed and tested cyber resilience strategy.
In addition to having the right security controls in place to prevent an attack, the strategy should include these elements:
Communication. Once you realise you’ve been hacked, you need to inform staff and other affected stakeholders of the breach immediately. Provide regular updates until the breach has been isolated. Prepare an honest media statement, outlining what you know about the attack (without implicating the business), who is affected, and what you’re doing about it. Communicate immediately, not one week after the incident.
End-user awareness. Tell your staff what has happened and why the network has been shut down. Use the incident to educate users, but this shouldn’t be your only attempt to train them. Regular cybersecurity awareness training should form part of your cyber resilience strategy. Yet this is often overlooked by SMEs who believe that sending out a mail now and then reminding staff not to open suspicious mails is enough. It’s not. Staff won’t read them. Security awareness training should be interesting and relevant – we’ve found that videos and humour work best to get the message across. Your end-users need to know what your strategy is – and their role in it – in the event of an attack.
Durability. You need an effective backup, recovery, and failover plan to ensure your staff can still work and access mails while the breach is addressed. Downtime can be detrimental to small businesses – 60% of SMEs that suffer a cyberattack are forced to close their doors within six months. Businesses need to be able to switch over to alternative technology that ensures continuity without further compromise.
Recoverability. Can you recover all emails and data from the exact moment you were attacked? Can you get your operations back up and running quickly? Have you appointed stakeholders with defined responsibilities in the event of an attack, to ensure the business recovers? Having a plan means knowing the answers to these questions.
Your cyber resilience strategy needs to be tested often – at least every six months. Don’t only test parts of it – execute the entire strategy.
Regular testing allows you to adapt your strategy to stay ahead of new and evolving threats and will help keep security awareness top of mind for everyone.
A cyber resilience strategy also prepares you for compliance with data protection laws, like the GDPR and POPIA. One requirement of these laws is that businesses can prove that they implemented reasonable measures to protect data in the event of a breach.
Yet, SMEs often only implement a plan after they’ve experienced a breach. By then, it could be too late.
By Heino Gevers Customer Success Director, Mimecast