FILE EDIT VIEW HISTORY BOOKMARKS TOOLS WINDOW HELP

THE SMALL BUSINESS GUIDE TO Cybersecurity FILE EDIT VIEW HISTORY BOOKMARKS TOOLS WINDOW HELP

o you think cybercriminals you’ll learn about the biggest cybersecurity risks Dare too busy targeting the facing small businesses, the 3 most common cyberthreats to watch out for, how to secure your Zimniy Courtesy Photo likes of Capital One, Citrix and business, and how to respond to a data breach. to bother with your small business? Think again. Grows During /Shutterstock

Some 76% of occur at businesses COVID-19 Crisis with under 100 employees. Cybercriminals know The FBI reports that instances of cybercrime small businesses tend to be easy targets, and appeared to grow as much as 300% since the that accessing a small business’s computer beginning of the coronavirus pandemic! The networks often gives them entrée to client and Bureau’s Internet Crime Complaint Center (IC3) vendor networks, too. is receiving between 3,000-4,000 cybersecurity For a small business the cost of a data breach complaints a day, up from an average of 1,000 per can be devastating. The average day before the pandemic hit. costs smaller companies an average $3,533 per employee. It takes an average 206 days to As America’s daily activities increasingly identify a risk and another 73 days to contain it, moving online due to stay-at-home orders, the making the life cycle opportunities for cybercriminals grew due to: of a data breach ● Employees, new to remote work, who were unaware of 279 days. basic security measures No wonder nearly ● Businesses struggling to keep externally-accessed 60% of companies 76% systems secured go out of business OF CYBERATTACKS OCCUR within six months of ● Lack of social and workplace interactions AT BUSINESSES WITH

a cyberattack. Benoit Daoust courtesy Photo UNDER 100 EMPLOYEES. There are ongoing uncertainties, including: The stakes are high. ● Supply chains (PPE and essential goods) Fortunately, there are some steps you 60% ● Online orders and payments can take to prevent ● Medical help and COVID-19 testing a cyberattack—and OF COMPANIES GO OUT OF survive one if you’re BUSINESS WITHIN 6 MONTHS ● High unemployment /Shutterstock OF A CYBERATTACK. hit. In this e-Guide, ● Fears and other factors

2 THE SMALL BUSINESS GUIDE TO CYBERSECURITY FILE EDIT VIEW HISTORY BOOKMARKS TOOLS WINDOW HELP

billion in 2019. That’s expected to rise to $17 billion in 5 biggest cybersecurity risks 2020 and $20 billion in 2021. Cybercrooks use various What’s putting your business at risk? The answers techniques to blend in, including: might surprise you. The biggest cybersecurity risks ● Obfuscation: Cybercriminals use obfuscation to conceal for small businesses are: information such as files to be downloaded, sites to be visited, etc. 1. Human Capital Risk: Hackers target employees, which is why you need a strong IT security staff. Educate your ● Critical System: Attacks on critical infrastructure employees about your security requirements. ● Legitimate Software: Malicious files often coming 2. Cyberthreat Risks: These include and social from software downloaded from URLs that were not whitelisted. engineering (tricks cybercrooks use to make people do things they don’t want to do); clickjacking (technique used ● Distribution Model: Popular websites housing malicious by cybercriminals to hide and other threats under files. The digital extortion of businesses will continue. content of legitimate sites); (a network of hijacked The value will be in ransoming Industrial IoT (IIoT). computers and devices infected with malware remotely Attackers are discussing on underground forums to how

controlled by a hacker to send spam and launch DoS attacks; to monetize IoT infections. alphaspirit courtesy Photo fileless attacks (malware that doesn’t drop a file on your disk, 2. Business Email Compromise: BEC are scams targeting but can infect your computer, steal your data, etc.); and denial companies that conduct wire transfers and have suppliers of service (DoS ) attacks designed to disable, shut down or abroad. Since 2016 over $9 billion has been lost to business disrupt a network, website or service). email scams. Email accounts of executives or high-level employees are either spoofed or compromised through

3. Data Risk: The exposure to loss of value or reputation /Shutterstock caused by issues or limitations to an organization’s ability to keyloggers or phishing attacks to do fraudulent transfers. acquire, store, transform, move, and use its data assets. ● According to the FBI, there are 5 types of BEC scams: 4. Infrastructure Risk: Potential losses due to failures to ❍ The Bogus Invoice Scheme: Attackers pretend to be foreign suppliers requesting fund transfers for protect business critical data assets and applications. It’s key payments to an account owned by fraudsters. to make sure technologies, such as mobile, cloud, social media, ❍ CEO : Attackers posing as the company CEO or and IoT devices are safe to use in the workplace. other executive send an email to employees in finance, 5. Operational Risk: Protecting against data breaches and requesting them to transfer money to the account they other cybersecurity threats. control. ❍ Account Compromise: An employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are EtiAmmos courtesy Photo The 3 most common cyberthreats then sent to fraudulent bank accounts. Cyberthreats grow more sophisticated every year. ❍ Attorney Impersonation: Attackers pretend to be Here’s what to watch out for. from the law firm supposedly in charge of crucial and confidential matters. These requests often are done 1. : Hackers get into your system and hold your data via email or phone, at the end of the business day. /Shutterstock hostage until you pay a ransom. If you don’t pay, your business ❍ Data Theft: Employees in HR and bookkeeping are is out of commission. Ransomware cost companies $11.5 targeted to obtain personally identifiable information

3 THE SMALL BUSINESS GUIDE TO CYBERSECURITY FILE EDIT VIEW HISTORY BOOKMARKS TOOLS WINDOW HELP

(PII) or tax statements of employees and executives. Create policies incorporating the following cybersecurity Such data can be used for future attacks. practices. ● Because these scams do not have any malicious links 1. Passwords zimmytws courtesy Photo or attachments, they can evade traditional solutions. Employee training and awareness can help enterprises ● Use a different password for every account or website. Most of spot this type of scam. us re-use the same password across multiple accounts, so a hacker who accesses an employee’s Etsy account can try the ● FBI Warning: The FBI has issued a warning anticipating a same password on their business email account with a good

rise in BEC schemes related to the COVID-19 pandemic. chance of success. /Shutterstock “Fraudsters will take advantage of any opportunity to steal your money, personal information, or both. Right now, ● Change passwords frequently—every quarter. Use long, they are using the uncertainty surrounding the COVID-19 complex passwords. A can help by pandemic to further their efforts.” automatically creating and saving passwords. Popular password manager apps include: According to the FBI, there has already been an increase in BEC targeting municipalities purchasing ❍ Trend Micro Password Manager personal protective equipment (PPE) in the fight against ❍ LastPass COVID-19. Most of the recent BEC attacks were targeted ❍ 1Password at financial institutions or banks. ● Don’t store passwords in an obvious place like a Post-it note 3. Cryptocurrency mining: These hackers don’t care about on your computer monitor or under your keyboard. your data. They just want to get into your computer system ● Don’t share the same password among users or tell others your and use its resources to mine cryptocurrency. These attacks password. target tablets, smartphones, routers, printers and IoT devices— any device with computing capabilities they can leverage. 2. Email security ● Watch for these clues that an email is fraudulent: ❍ Look for obvious grammar and spelling mistakes; often How to protect your business hackers are from outside the U.S. and aren’t fluent in English. Hover your mouse over links in the email to see if You have two areas of defense against cyberthreats: the link matches the link in the pop-up. For example, a link your users (you and your employees) and your that shows as www.paypal.com in an email might actually be devices. Follow best practices for both to keep your www.paipal.com when you mouse over it. business safe. ❍ Examine the email sender’s address to make sure it’s

correct. In the preview pane an email might look like it’s from Natali_ Mis courtesy Photo [email protected], but when you expand the header Best practices for user security information, you see the actual email address is JohnSmith@ Attackers prey upon: youbiz.com. ❍ Verify before responding to an email request for sensitive ● Human error data. In CEO fraud, for example, the hacker may say their

phone isn’t working or they’re in a meeting, so you need to /Shutterstock ● IT security complacency answer by email. Don’t! Call the person to double check ● Technical deficiencies before sharing sensitive information.

4 THE SMALL BUSINESS GUIDE TO CYBERSECURITY FILE EDIT VIEW HISTORY BOOKMARKS TOOLS WINDOW HELP

● Prohibit employees from opening outside email someone you trust. Hover over the link to see if it attachments. Instead: matches the link that appears in the email, ❍ Create a policy that any supplier must use a or manually type in the URL instead of clicking cloud-based option to share files instead of on the link. sending attachments. ● Minimize use of cloud file-sharing. Be judicious about ❍ If this won’t work, require password-protected what you share with others on sites such as Dropbox attachments only. Any others should be viewed as and Google Drive. suspicious and deleted. Chadchai Krisadapong Courtesy Photo ● Never share customer information, intellectual ❍ If neither of the above will work, have employees property information or other core business contact the supplier to verify that the attachment data online.. is legitimate before opening it. ● ● Conduct regular phishing awareness training. Free or In general, don’t overshare online—with anyone. low-cost tools that let you simulate phishing attacks 4. Outside the office and educate employees about cybersecurity include: ● Be cautious using public Wi-Fi. Keep work ❍ Trend Micro Phish Insight conversations private. Many networks are unsecured, ❍ Cofense meaning usernames, passwords, or files that you /Shutterstock ❍ KnowBe4 upload or download can be captured by crooks. Bring your own Wi-Fi access device instead; you can ● Use email encryption when sending sensitive data. get one from any cell phone carrier. Encryption is built into or can be enabled on most popular email clients, ● Restrict remote access to your business network to including Outlook, only necessary users. Windows, MacOS, ● Close RDP ports and enforce VPN use. Linux, Android and THE FBI REPORTS THAT iOS. INSTANCES OF CYBERCRIME APPEARED TO GROW AS Best practices for device security 3. Online safety MUCH AS Take the following steps to secure your devices. ● When logging onto websites—especially 1. Computers and servers for sensitive purpose, 300% ● Choose a centrally-managed, business-grade antivirus such as accessing (AV) security solution so you can monitor all the bank accounts— devices on your network, restrict user access and

SINCE THE BEGINNING OF THE flydragon courtesy Photo use two-factor CORONAVIRUS PANDEMIC! enforce security policies. Consumer-grade products authentication for an THE BUREAU’S INTERNET don’t provide enough protection extra layer of security. CRIME COMPLAINT CENTER ● Implement multiple layers of protection. Installing ● Verify links. Be careful (IC3) IS RECEIVING BETWEEN AV software on your computers alone isn’t enough. of links in texts or Look for an all-in-one cloud solution that provides

3,000-4,000 CYBERSECURITY /Shutterstock emails, even if they endpoint, web security and COMPLAINTS A DAY. seem to be from email protection.

5 THE SMALL BUSINESS GUIDE TO CYBERSECURITY FILE EDIT VIEW HISTORY BOOKMARKS TOOLS WINDOW HELP

● Isolate payment systems. Separate your point-of-sale systems or credit card readers from the rest of How to recover from a cyberattack your network by putting them on a separate network or . Despite your best efforts, what if you’re hit by a cyberattack? Here’s how to handle it. ● Restrict both physical and digital access to servers. All it takes is one malicious employee to wreak Step 1: Respond havoc. Arpad Nagy-Bagoly courtesy Photo ● Turning off your computer, disconnecting your internet ● Require two-factor authentication to log onto servers. connection, or shutting down your router until you can ● Update software, hardware and firmware regularly; set assess the damage. updates to install automatically. ● Restore your data from backup. (See “The 3-2-1 Rule of 2. All devices Backup,” on left.) ● Whatever device people are using be sure to: ● Bring in IT experts to help if necessary ❍ Change default username /password. /Shutterstock ❍ Disable remote management Step 2: Recover ❍ Restrict access to specific addresses. ● Execute your disaster recovery plan. (If you don’t have a ❍ Require two-factor authentication. disaster plan, now is a great time to create one. Look for ❍ Update device software and firmware regularly. free templates online that you can use as a starting point and adjust based on your business.) 3. Mobile devices ● Attend to any breach notification requirements. Depending RESOURCES ● Enforce passwords or passcodes on devices. on your industry, you may be required by law to notify Use these resources to learn more customers, vendors or employees affected by a security about cybercrime, develop a plan ● Take advantage of THE 3-2-1 RULE biometric identification breach. to protect your business from OF BACKUP cyberattacks, and report a cyberattack. technology if available; ● Evaluate existing and new technologies you can use to it’s more secure than When making backups, prevent future breaches. Are your current cybersecurity ● SCORE using a password. experts recommend practices effective? If not, what can you add to better ● Trend Micro for ❍ following the “3-2-1” rule: Install security protect your business? Small Businesses software on devices. 3. Have 3 copies of backup at ● National Cybersecurity Alliance 4. Wi-Fi routers all times. ● Federal Communications Commission ● And other network- 2. Store backup using 2 Conclusion mediums (for example, on a ● Federal Trade Commission connected devices Cybercriminals are crafty—but you can outsmart them by like printers and hard drive and in the cloud). being aware of the risks and implementing cybersecurity best ● National Institute of Standards copiers, etc. 1. Keep 1 copy offsite so a and Technology practices immediately. Educate your employees, implement ● Use a separate Wi-Fi physical disaster at your ● FBI Field Office Cyber Task Force network for guests. location doesn’t wipe out a cybersecurity policy for your business, and put the proper your only copy. ● Internet Crime Complaint Center ● Enable encryption protections in place. Taking these simple steps will help to using (WPA2). prevent your business from becoming a statistic.

6 THE SMALL BUSINESS GUIDE TO CYBERSECURITY