Professionals working alone or in private practice must update their defenses to avoid cyberattacks on their small businesses.
This guide will:
- Describe changes in cyber exploits and attack defenses.
- Help independent professionals recognize and reduce the risk of the most common cyberattacks.
In the autumn of 2016, Mirai, a network of malware bots, laid waste to a university and several high-profile targets like Netflix and Twitter.
First discovered in August of that year by white hat malware researchers, Mirai caused some of the largest, most disruptive distributed denial of service (DDoS) attacks ever recorded.
Since then, a lot has changed. Mirai and other botnets have evolved into stronger, remote-controlled malware systems, using artificial intelligence to guide attacks.
Cybersecurity exploits have also changed focus from enterprises to smaller businesses, which usually lack larger companies’ knowledge, skills, and IT budgets. Cyberattacks never stop evolving, and hackers are ever more inventive and daring.
As a result, attacks constantly change in unexpected and dangerous ways.
Small businesses, solo professionals, and private practices are more exposed than ever to cyberattacks. Recent trends include:
These trends should matter to solo professionals and professional practices. That’s because beyond the costs of repairing the damage of a cyberattack:
This guide provides detailed how-to instructions designed to protect your IT operations from specific types of cyberattacks.
And independent professionals must address additional requirements laid out by federal, regional, and state agencies and professional groups. A complete description of these requirements is beyond the scope of this guide.
But in each case, we’ll describe general practices and point to important information resources.
In several of the cases described below, attackers focus on the small-office IT environment: the IT systems set up in professional practices and in the offices of solo professionals. Who works there?
Practitioners include private healthcare providers, lawyers, tax specialists, investors, brokers, and financial advisors.
Any network connected to the internet can be attacked through holes in its cybersecurity defenses. Targets include any system with a public IP address or a hostname that resolves publicly in the Domain Name System (DNS).
Therefore, you risk hackers entering your network if your system exposes a VPN, Remote Desktop Protocol (RDP), or other remote-access tools to the internet.
This section describes six major types of cyberattacks, their trends, causes, and effects on doing business in solo professional offices and practices. You’ll learn to recognize attack threats and how to reduce the risk of being a target.
Smaller organizations, including solo professionals and professional services practices, are getting more attention from cyber attackers than ever. That makes ransomware a serious threat to small businesses—the #1 threat in 2020.
Ransomware is a type of malware. It encrypts files on a device, making the system that relies on them unusable. Attackers demand payment (ransom) to give your access back. The hackers require payment in cryptocurrency, a credit card, or untraceable gift cards.
This exploit is panic-inducing, annoying, and effective. Unfortunately, paying the ransom doesn’t guarantee that you regain access.
Even worse, victims who do pay are frequently targeted again. Infection of one machine or device can spread ransomware throughout your entire network—and sometimes to other businesses in your supply chain.
In earlier years, during a ransomware attack, you could tell the hackers “no way,” refuse to pay, and restore your files from backup copies.
Now, ransomware tactics have changed. First, attackers steal and then encrypt all the files that they can. Then, if you refuse to pay the ransom, they threaten to publish confidential files.
That means you must now encrypt sensitive business information, such as intellectual property (IP) and other important data, whether you store it or send it over the internet.
There are several ways that ransomware can get into your computer or system:
There is no way to prevent ransomware attacks outright. The best you can do is reduce the odds of infecting your computer or system. That means someone who’s computer-savvy must go through your computers, devices, and network, looking for vulnerabilities such as:
If you get attacked, there are quite a few things you can do and others that you should avoid.
What not to do? Do not panic or pay the ransom. If you refuse to pay, you’re in good company—more than 75 percent of small businesses make that choice.
What to do immediately. Here’s what you should do to limit damage to your network. (If you have a cloud host or MSP, it’s their job to engage in these steps):
And if you don’t have a breach attack plan, create one as soon as possible after the dust settles.
Scammers use email or text messages to trick you into giving them your personal information. They might try to steal your passwords, account numbers, or Social Security number. If they get that information, it’s “Open, sesame!” They can gain access to your email, bank, or other accounts.
The goal of phishing remains the same: access to information that attackers can eventually turn into cash. Nevertheless, the top targets of spoofing (fooling account owners) are changing.
With layoffs skyrocketing, and more employees working from home, hackers are pouncing on small-office businesses. However, mass phishing campaigns of the past are becoming more targeted and sent at lower volumes.
A single phishing email might have been sent to hundreds of recipients in the past. In 2020, most phishing campaigns were sent at much lower volumes and used new methods to carry the malware.
Why the change? Mass phishing waves are easier to detect than low-volume attacks. This trend shows that phishers are getting smarter about picking their targets.
Businesses might improve account user awareness, but phishers are getting more skillful, too. They’ve even started spoofing phishing awareness training platforms.
An attacker impersonates a trusted contact and sends the victim fake mail messages. The victim opens the message and clicks on the malicious link or opens the attachment. One click, and voilà! Attackers gain access to confidential information and account credentials.
In addition to traditional phishing methods, COVID-19 emails and shared-file notifications have become more common since the pandemic. Workers receive shared-file notifications every day from well-known platforms such as SharePoint, OneDrive, and Dropbox. In 2020, hackers increasingly exploited these services’ credibility to conceal their identities and intentions.
Human nature (inattention or being rushed) has not changed, but the sources of phishing bait are new and more complex.
There are many ways to protect yourself from this attack, but the main one is vigilance. The main thing to remember is that successful phishing expeditions run on adrenaline. So, stay cool and watch for these telltale signs:
There is good news about phishing attacks. They are avoidable. Here are some ways to make you less of a target.
Reducing the Risks of Phishing Attacks
There is no 100 percent protection from any security risk, but here are reliable methods that can stack the odds in your favor:
Keep Your Trigger Finger on Hold
STOP if you get an email or a text message asking you to click on a link or open an attachment. Then ask yourself, “Do I have an account with the company or know the person that contacted me?”
If the answer is no:
If the answer is yes:
If You Think Your System Is Infected…
OK, you couldn’t stop yourself in time. You clicked a link that sent you straight to a cybercrook. Now what?
Reporting the Attack to Officials
If you got a phishing email or text message, report it. The information you give can help fight scammers.
Password cracking means recovering passwords from data stored on a computer or transmitted by it. Password attacks are exploits in which a hacker identifies your password or other sign-in credentials with various programs and password-cracking tools like Aircrack, Cain and Abel, or John the Ripper.
Faked voice data and video imitation aren’t future attack tools. They were already here in 2019, when hackers used AI and voice technology to impersonate a business owner. A company’s CEO, convinced of the owner’s identity, transferred $243,000 to a hacker.
But security defenses are more robust, too. For example, passwords are stored using a key derivation function (KDF). This method runs a password through a slow, one-way function, and the server keeps only the resulting hash rather than the password itself.
Think about password attacks as tit-for-tat wars between cybercrooks and IT product designers and engineers.
Security exploits get more effective, so software and hardware are developed to make attackers use more time and resources to penetrate your network. Attackers respond by designing faster, stronger, or more unexpected exploits than their previous efforts.
This scenario has been part of IT security for years and will continue. Here’s a list of the most common password attacks:
You can summarize the causes of these attacks in a word: humans, often the weak link in the security chain. In password attacks, human nature expresses itself in several ways.
Poor account password management.
Poor account access management.
Even if your IT ops involve only a handful of computers and devices, your business is still an attractive target to hackers. Consider a multi-layered approach to defending your work and communications processes. This approach includes setting up:
Yes, setup and monitoring duties require time and effort, perhaps more than you can or want to engage in. Consider hiring a third-party security services provider if you prefer to delegate these tasks.
As always, you can never totally prevent a password attack. But making it too much trouble for hackers to enter your system can help you avoid harm.
The best ways to do this include creating policies for passwords and access to valuable data and sensitive business information.
Password policies require users to create and maintain dependable, safe passwords. These rules are at the top of the security to-do list. They go beyond suggested best practices (although it’s fine to have these, too).
We understand if all this effort seems like a bit much for a single-person business or a small professional practice. The secret to IT security success is having clearly defined standards and following them consistently.
If you get hacked, you’re in good company. About 50 percent of smaller businesses share your experience. Remember, when you get hit, act quickly to reduce damage to your IT infrastructure and business relationships by:
Containing the damage immediately.
Reset all passwords and remove any corrupted files. In a serious breach, you might take the entire system offline, isolate part of your network, block website traffic, or install temporary firewalls.
Contacting authorities and members of your business network.
If the attack stole sensitive financial information, calls to the FBI and FTC should be on your to-do list.
Contact customers, suppliers, partners, and service providers. Being thorough here will build goodwill along your supply chain.
When a data breach occurs, the threat—deliberate or accidental—often comes from the inside. An insider threat can be a partner, employee, or contractor inside your organization; or an unpredictable event based on a moment of carelessness.
If you doubt insider threats can touch your practice, think again. The stereotype of an insider threat—a disgruntled employee, leaving with a briefcase filled with sensitive information—is still relevant but less so than previously.
And now, you can add internal threat as a service (ITSaaS) to the mix. You can buy almost anything on the dark web, where you can find organized cells of recruitment infiltrators.
In this scenario, bad actors get themselves interviewed and hired as trusted employees, enter your workforce, and steal highly valuable IP and other information from the inside.
Human error, not to mention greed and malice, can always be counted on to expose IP and sensitive business, legal, or financial information to bad actors. Here are six things to watch for:
In this exploit, hackers intercept communications between a system user and the server the user is trying to reach.
Hackers can steal passwords and other sensitive data or actively alter the information by injecting malware into the communications session.
These attacks are especially relevant to smaller businesses because most man-in-the-middle attacks target organizations without money for expensive cybersecurity solutions.
MitM attacks are preventable. Just remember to:
In a distributed denial-of-service (DDoS) attack, hackers use malware or other cyber tools to make computers or network resources unavailable to their intended users.
When run from hundreds of thousands of malware-infected devices, DDoS attacks can halt the activity of the largest companies. These attacks can run on their own or alongside password attacks to deliver more damage to their targets.
Many DDoS attacks target the network layer, which routes connections between networks. As attackers send large volumes of junk traffic to your IT infrastructure, your site can become slow or even inaccessible to users. Eventually, your site becomes unusable. Your business and its revenue streams stop.
DDoS attacks have grown more powerful and complex over the years and victimize networks of all sizes. Mammoth attacks (2.3 Tbps in February 2020 and up to 1.5 Tbps in 2016) continue to amaze IT security pros.
But smaller attacks are also effective against under-protected internet assets of smaller businesses.
Network traffic monitoring and analysis is the best way to detect and identify a DDoS attack. These symptoms can indicate a DDoS attack in progress:
Understanding the warning signs of network slowdown, intermittent website shutdowns, and loss of other important system functions is important.
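The traffic-monitoring approach described above, as an added example that is not part of the original guide: it reads web-server access logs, measures request rate per time window, and raises an alert only when a spike is spread across many sources (a single noisy client is more likely a scanner or a broken integration than a distributed flood). The log format, the thresholds, and the sample lines are constructed for illustration.

```python
# Added example (not from the original guide): spotting a possible DDoS in
# access logs by watching request rate, source spread, and error ratio.
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in a simplified "timestamp client_ip path status" form:
# three normal requests at 10:00, then 400 requests from 200 addresses at 10:05.
SAMPLE_LOG = """\
2020-02-11T10:00:00 203.0.113.5 /index.html 200
2020-02-11T10:00:01 198.51.100.7 /contact 200
2020-02-11T10:00:02 203.0.113.5 /about 200
""" + "\n".join(
    f"2020-02-11T10:05:{i % 10:02d} 192.0.2.{i % 200 + 1} /login 503"
    for i in range(400)
)


def parse(line):
    ts, ip, path, status = line.split()
    return datetime.fromisoformat(ts), ip, path, int(status)


def rate_per_window(lines, window_s=10):
    """Group requests into fixed windows (window_s must divide 60) and
    return per-window counts, distinct sources, top-source share and 5xx ratio."""
    windows = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, ip, _path, status = parse(line)
        bucket = ts.replace(second=ts.second // window_s * window_s, microsecond=0)
        windows[bucket].append((ip, status))
    stats = {}
    for bucket, reqs in sorted(windows.items()):
        ips = Counter(ip for ip, _ in reqs)
        stats[bucket] = {
            "requests": len(reqs),
            "distinct_sources": len(ips),
            "top_source_share": ips.most_common(1)[0][1] / len(reqs),
            "error_ratio": sum(1 for _, s in reqs if s >= 500) / len(reqs),
        }
    return stats


def flag_ddos(stats, baseline_rps=1.0, window_s=10, min_sources=50):
    """Return (window_start, rps, sources, error_ratio) for windows whose rate is
    far above the assumed baseline AND spread across many sources. A spike
    dominated by one IP is handled as a different problem (rate-limit that IP)."""
    alerts = []
    for bucket, s in stats.items():
        rps = s["requests"] / window_s
        spread = s["distinct_sources"] >= min_sources and s["top_source_share"] < 0.1
        if rps > 10 * baseline_rps and spread:
            alerts.append((bucket, rps, s["distinct_sources"], s["error_ratio"]))
    return alerts


if __name__ == "__main__":
    for start, rps, sources, errs in flag_ddos(rate_per_window(SAMPLE_LOG.splitlines())):
        print(f"{start}: {rps:.0f} req/s from {sources} sources, {errs:.0%} 5xx errors")
```

In a real deployment, the baseline should come from your own quiet-hour traffic, and an alert should trigger the response plan rather than just a printout.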
These general rules and guidelines apply to all small-office IT operations. However, when you engage in specialized practices, there are more requirements.
Depending on your specialization, your practice might work with various types of sensitive legal, financial, and healthcare data. Security standards, laws, and regulations protect each type of information.
Each country and U.S. state has its own data protection laws and recommendations. Here are compliance tips for U.S. law firms:
Many agencies govern how legal firms gather, store, and handle information. Here are the major entities that guide these activities in the U.S. and European Union:
These industry acts and standards describe the necessary data protections for specific data types. These include:
Doctors in medical practices with fewer than 20 employees are often reluctant to spend money on HIPAA security measures. They don’t believe they’re at risk for a data breach. But then, all it takes is a lost laptop, theft of a tablet, or human error to release patient data accidentally. And then, there’s the risk of ransomware or a data breach.
Small businesses are liable to a wide variety of cyberattacks. Here are some hints and pointers to agencies that can guide your practice through the modern age of cyberattacks.
The HIPAA Security Rule focuses on securing the creation, use, receipt, and maintenance of electronic protected health information (ePHI) by HIPAA-covered organizations. This rule sets guidelines and standards for the administrative, physical, and technical handling of personal healthcare information.
Healthcare data breaches are very frequent. We published a research piece highlighting the incidence of healthcare data breaches in the US between 2009 and 2019.
Here’s a list of capabilities that medical practices must be able to show in data audits:
HIPAA: The Health Insurance Portability and Accountability Act is a federal law that aims to make it easier for people to:
International Organization for Standardization: ISO 22301:2012 is an international standard that provides a best-practice framework for implementing an optimized business continuity management system (BCMS). More ISO standards apply to medical patient data. You can find them here.
The Securities and Exchange Commission (SEC) and U.S. state securities regulators are starting to crack down on financial advisors’ cybersecurity practices to ensure that financial services professionals and their firms take cybersecurity seriously. Here are recent changes in compliance-related enforcement activity. The:
Developing these capabilities should make complying with GLBA, PCI DSS, and SOX standards easier.
Most malware attacks succeed by using online social engineering schemes that manipulate unsuspecting users, opening the door wide for hackers. To prevent this scenario:
Recognize patterns of vulnerability. For example, the RSA 2020 State of Security Operations report revealed that 35% of threats were detected between 8 p.m. and 8 a.m.
With the average organization deploying 129 apps, there are ample opportunities for bad actors to find weaknesses in your IT infrastructure. No organization can address all vulnerabilities. That’s where vulnerability assessments come in. They help you:
Financial services businesses rely on many types of vendors, suppliers, and partners who can expose your business to trouble. Across all sectors, Ponemon Institute found that 59 percent of those surveyed said they’ve experienced a breach due to a third party.
Yet only about a third kept an inventory of their third parties, and even fewer—16 percent—said they effectively mitigated the risks. Protect your network by:
You should have well-defined methods that you can find and use quickly to quarantine, block, or eliminate malicious network traffic. If you don’t have them, create them. The effort needn’t be a burden. Just create a document that provides answers to questions about everyone in your business network:
Answering these and other questions ahead of time can reduce post-attack confusion and pave a smoother path to recovery.
These sources provide background information about regulations that affect day-to-day cybersecurity operations and how to set up your security compliance system:
As you can see, recent changes in cyberattack tactics and targets put your business in the crosshairs of actors who will try to do you harm.
Protecting yourself from these groups will require more time, effort, and money than before. But remember, your potential savings of time, money, and perhaps your reputation will be larger.
In the tit-for-tat cybersecurity war, the bad guys are still ahead, but by less than before. Even in a one-computer office, the risk is real and won’t disappear. The best that you can do is: