Opening a single email can put small and medium businesses at risk, making remote-work security more important than ever.
The attack began on the morning of April 19.
The internal monitoring systems at financial software provider
Wave Accounting alerted staff that some of its services were being disrupted. Someone was flooding the system with requests in an attempt to render the company’s offerings unavailable in what’s known as a “distributed denial-of-service” (DDoS) attack.
Within minutes, nearly every one of Wave’s 280 employees was engaged to contain the damage, inform customers, and rout out the attack.
“It was pretty much all hands on deck,” explains Ideshini Naidoo, the company’s chief technology officer, adding that Wave had to work around the added challenge of not being physically together while mounting its defense.
Fortunately, Naidoo and her team were already on the lookout. As the coronavirus spread chaos and disorder around the world, and as aid packages were offered to help small and medium-sized businesses (SMBs) in the United States, cybersecurity experts
warned that attacks would spike.
“Attackers have this really good opportunity to send a phishing email that says, ‘Hey, you can get PPE like masks by clicking here,’ and off you go providing details you shouldn’t,” Naidoo says. “Or, people appeal to the humanitarian side, saying, ‘Click here to make a charitable donation to support healthcare workers.’ People are falling for those phishing attacks.”
In the end, Wave’s services were only down intermittently over a few hours. Had the attacker been more sophisticated, or had the company been less prepared, Naidoo says it could have caused significant damage.
“A DDoS attack is a serious concern,” she says. “It can take you out, and if a small business’s services are not available to their customers, that’s it, you’re not making any revenue, and you have potential reputational risk.”
Phishing during the pandemic
While large enterprises were once the primary targets of such attacks – including one that robbed
Google and Facebook of $100 million between 2013 and 2015, and another that cost
Sony Pictures roughly the same amount in 2014 – hackers have discovered that they can often penetrate an SMB’s network more easily. Using a DDoS or other type of attack, they can then prevent that business from operating until a ransom is paid.
“A few years ago, SMBs were not as targeted, just because the getting was pretty good from big companies,” explains Matthew Gardiner, principal security strategist for the cloud-based security provider
Mimecast. “As security got better at big companies, attack patterns shifted to small and medium-sized businesses.”
According to Gardiner, the primary avenue of attack against SMBs is in the form of malicious emails that often contain harmful links or attachments. While some of these emails are generic, poorly written, and easy to spot, others leverage real information to mimic trusted senders requesting sensitive data.
“They’ll use LinkedIn to find someone in human resources at a company and someone [else who works] at that company. A few months ago they’d make sure they’re at different offices, but of course, now most people are at home, and they’ll send an email simulating that it’s from the employee to the HR person, saying, ‘Change my direct deposit address,’ ” says Gardiner.
According to a recent
study by Mimecast, impersonation attacks grew by 24% between January and June. The study, which analyzed more than 195 billion emails, found that these attacks typically use subject lines containing words like “invoice,” “order,” “PO,” or the names of well-known courier or shipping companies.
“Some of these can look very convincing because they can, in an automated fashion, pull graphics off your website, so the email that comes through might have your company logo on it and look superficially quite legitimate,” explains Ian Pratt, HP’s global head of security.
Pratt adds that such attacks appear to be getting more sophisticated and more successful in part because victims don’t have access to the same resources as they would in a traditional office.
“I suspect part of it is that users aren’t in an office situation where they can ask a colleague whether it looks legitimate or not. They’re working on their own at home, unable to query things,” he says. “Just using anti-virus software isn’t enough these days.”
Preventing cyberattack in a remote workplace
The new work-from-home environment not only makes it more difficult for companies to respond to suspicious activities, but it also expands the attack surface into the home.
Internet of Things (IoT) devices in the home, which range from smart thermostats to video doorbells to wireless printers, can provide a less-secure avenue for hackers seeking to gain access to the home network, which is often shared with workplace laptops, explains Shivaun Albright, HP’s chief technologist of Printing Security.
“Unfortunately, IoT devices commonly found in the home are not as secure because they are often missing key security features such as firmware updates,” she says. For example, it’s common for IoT devices to be shipped with a well-known default password that’s an easy target for hackers, especially since many people don’t bother to change it once the device is installed. And as soon as a single employee’s laptop is compromised, the corporate network can be at risk, threatening the entire business.
It’s for these reasons that HP printers come equipped with the highest-possible security settings in place right out of the box. “We’re shipping [small-business and home printing products] with unique passwords,” she says.
HP printers can also proactively detect and thwart a malware attack from outbound DNS network packets on those printers equipped with the
HP Connection Inspector. Once an attack is detected, the device initiates
Sure Start, a process that returns the device to a safe and secure state.
Mixing work devices and home environments
Gardiner says that there are a number of steps individuals can take to prevent phishing or impersonation attacks, and simple education on best practices from employers is key.
“The list is fairly long on basics, but certainly includes multifactor authentication and more sophisticated and automated anti-phishing, and then behind your technical controls you need to have your people and your processes resilient to cyberattacks,” he says. “Just very simple things can help, like looking closely at the full email address in the ‘From’ line rather than just the name of the sender, to check that the domain is the correct one for your organization,” adds Pratt. “Although these, too, can be forged or compromised, in most cases the scammers don’t bother, so it’s a useful check.”
The sudden transition to remote work created new opportunities for hackers to attack both business and personal devices. Keeping software up to date, enabling two-factor authentication, choosing strong passwords, and using a password manager can also go a long way in protecting small businesses from hackers.
Pratt adds that choosing technology designed with security in mind can significantly mitigate the risks and reduce the potential damage caused by an attack. For example, HP PCs come standard with
HP Essential Security, a suite of security features including
HP Sure Sense and
HP Sure Click, which proactively prevent threats and ensure fast recovery if an attack does happen. SMBs can upgrade to
HP Pro Security for advanced protection against malware and phishing attacks.
“Sure Sense is a next-generation approach to spotting malware that uses machine learning and artificial intelligence to stay ahead of attackers,” Pratt says. “When the user clicks on a potential phishing site that is trying to steal their credentials, we can alert them that they shouldn’t enter any passwords or other details.”
HP Sure Click provides an added layer of protection without relying on detection. “Basically, for any potentially risky activity like opening an email attachment or clicking on a link, it’s going to create a virtual machine in the background, a disposable computer, to perform that particular task,” Pratt explains. “That disposable computer is going to live just for the life of the task, and only have the access and resources required for that task, no more. When the task finishes, that virtual machine is automatically thrown away.”
While many small businesses equip their staff with generic cybersecurity software, Pratt warns that such services are often insufficient to protect them against increasingly sophisticated attacks, especially in a remote workplace setting.
“Just using anti-virus software isn’t enough these days,” he says. “Now everybody has to take this stuff more seriously and use more sophisticated approaches to security.”