Small business malware attacks – 2023 update
If you are a small or micro business, it’s likely that your attention will be focused on developing and marketing your product or service, and all things cybersecurity-related sit further down the never-ending priority list. There’s always something more pressing or less boring to attend to just like when you’re meant to be revising for exams and suddenly doing household chores become an appealing diversion.
The latest Cyber Security Breaches Survey stated that senior managers in smaller organisations view cyber security as less of a priority in the current economic climate than in previous years, so are undertaking less monitoring and logging of breaches or attacks.
According to Verizon’s Data Breach Investigations Reports, the percentage of smaller businesses being hit has climbed steadily in the last few years. A spear-phishing report last year found that employees of small businesses experience 350% more social engineering attacks than those at larger enterprises. Not only that, but Malware is the most common type of attack on small businesses, followed in popularity by phishing (17%), data breaches (16%), website hacking (15%), DDoS attacks (12%) and ransomware (10%), according to a Quickbooks survey.
The topic of cyber security can be covered from a number of angles. Today, however, I am focussing on a specific area of a cyber incident and that is malware. Because it’s easier to put any sort of advice into context if you understand the reason, I’ll start by explaining, the most common types of malware.
Types of malware
Hackers use a range of different types of software or ‘malware’ which is an amalgamation of ‘malicious’ and ‘software’ to infiltrate businesses and individuals, sometimes for fun but usually for financial gain. Here are some key types of malware to get you started:
Ransomware – locks your computer and systems and holds it hostage usually insisting you pay a ransom via Bitcoin in exchange for its release.
Spyware – hides on your computer and logs everything that you do online including sites you visit and passwords you enter.
Viruses – are so-called because of the way they behave. They spread through a system infecting clean files, corrupting or deleting them.
Trojans – look like legitimate software or are hidden in legitimate software and are usually part of a two-pronged attack creating a back door for other malware to gain access.
Worms – infect devices and entire networks, either locally or across the internet, by using network interfaces. A bit like a virus in one machine, a worm infects connected machines and devices without you necessarily clicking on/or downloading anything.
Adware – is not malicious but thoroughly annoying. It is included in a bundle of other legitimate or seemingly legitimate software that you download. It does infiltrate your security but with the purpose of serving you lots of adverts.
No business is too small either, in fact, many hackers look for the easiest targets. Big cases like the recent ransomware attacks on Travelex and Kaseya are the ones you hear about of course but according to a report by CybSafe, nearly half small of businesses in the UK have been hit by phishing attempts in the year covering 2018 and 2019 and of those, 66% became victims. To learn more about recent cases, we have highlighted key points in the latest Verizon Data Breach Report.
Malware attacks
The methods hackers use to plant malware are varied. Some hackers look for a vulnerability in software, the infamous WannaCry is an example of this. It was a worm designed to infiltrate a vulnerability in Windows software. There was however a patch available for this vulnerability which had been issued by Microsoft two months previously, so the lesson here is to ensure that software updates are installed as soon as they come through.
Links sent via email and subsequently clicked on can send the recipient to a bogus website (a method known as ‘Pharming’) that looks legitimate and then ask to input sensitive information like passwords or bank details, these can be from legitimate-looking sites like HMRC or TV Licencing.
Some emails will encourage you to download a file. Again, they will try to look legitimate, but the file will download the malware onto your PC and potentially infect the network you are connected to. Sometimes malware is designed to target removable drives like external hard drives and USB sticks, which infect every computer they are subsequently connected to.
In some cases, malware is planted on suspect or even legitimate websites that have themselves been hacked. This was the case with the British Airways data breach in 2018, where customers were diverted to a fraudulent site designed to harvest personal details. This is known as form jacking and it’s on the rise. Incidentally, it is the responsibility of the business owner to ensure their website has not been infiltrated.
Finally, malware is sometimes bundled in with other software packages.
Defending against malware
Some of the steps you need to take will cost time and money but not necessarily as much as you think. Cyber Essentials steps like researching and installing reliable anti-virus software, ensuring your firewalls are switched on, and setting your security systems up so that system updates with security patches occur automatically are all reasonably simple steps if you’re cyber-savvy but if you’re not, a cyber security firm could do all of that very quickly.
A lot relies however on human behaviours, so knowledge, awareness, and vigilance are key. To that end, documenting the rules for the safe use of IT systems and emails in a Cyber Security Policy and communicating them regularly with your employees is the best place to start. It will include guidelines for the safe use of email and the internet; for example, only browsing secure websites, not downloading any software without permission and having its authenticity verified first, not using external devices, not using employer IT equipment for personal use, and rules for generating strong passwords and managing them.
This will limit the chances of your business becoming another cyber victim but of course, there is still a chance you could be targeted despite all your best efforts. For this reason, make sure all or at least all of your critical data is backed up regularly in an area unconnected to your main business systems. Ensure confidential data, be it internal intellectual property or external personal data, is encrypted and limit access to data to those that use it and have a plan in place so you’re ready to spring into action should an incident occur; we have a guide on incident response planning.
Need help with cyber security for your organisation?
If you need help or advice on how to manage your business’s cyber security, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check your systems are configured correctly. We are certified in Cyber Essentials and Cyber Essentials Plus, as well as being a CE-certifying body. To learn more, you can find our extensive free guide to Cyber Essentials here.
We can also put policies in place to run staff training exercises. Contact us for a friendly chat.