Professionals working alone or in private practice must change their defense methods to avoid cyberattacks on their small businesses.
This guide will:
- Describe changes in cyber exploits and attack defenses.
- Help independent professionals recognize and reduce risk of the most common cyberattacks.
Related guide: How to encrypt your internet traffic
Related guide: How to secure your home network
In autumn 2016, Mirai, a network of malware bots, laid waste to a university and several high-profile targets such as Netflix and Twitter. First discovered in August of that year by white-hat malware researchers, Mirai caused some of the largest, most disruptive distributed denial of service (DDoS) attacks ever recorded.
Since then, a lot has changed. Mirai and other botnets have evolved into stronger, remote-controlled malware systems, which now use artificial intelligence to guide attacks.
Cybersecurity exploits have also changed focus from enterprises to smaller businesses, which usually lack the knowledge, skills, and IT budgets of larger companies. Bottom line: cyberattacks never stop evolving, and hackers are ever more inventive and brazen.
As a result, attacks change constantly in unexpected and dangerous ways.
Like small businesses in general, solo professionals and private practices are more exposed than ever to cyberattacks. Recent trends include:
These trends should matter to solo professionals and professional practices. That’s because beyond costs of repairing the damage of a cyberattack:
This guide provides detailed how-to instructions designed to protect your IT operations from specific types of cyberattacks.
And independent professionals must address additional requirements laid out by federal, regional, and state agencies and professional groups. A complete description of these requirements is beyond the scope of this guide.
But in each case, we’ll describe general practices and point to important information resources.
In several of the cases described below, attackers focus on businesses in the small-office IT environment. What’s that? It’s the IT systems set up in professional practices and offices of solo professionals. Practitioners include private healthcare providers, lawyers, tax specialists, investors, brokers, and financial advisors.
Any network connected to the internet is exposed through holes in its cybersecurity defenses. Targets can include any system that has an IP address or host name that resolves publicly in the Domain Name System (DNS).
Therefore, if your system uses a VPN, remote desktop protocol (RDP), or other access tools, you’re at risk of hackers entering your network.
Related guide: How to pick a good VPN
This section describes six major types of cyberattacks, their trends, causes, and effects on doing business in solo professional offices and practices. You’ll learn to recognize attack threats and how to reduce the risk of being a target.
Smaller organizations including solo professionals and professional services practices are getting more attention from cyberattackers than ever. That makes ransomware a serious threat—the #1 threat in 2020—to small businesses.
Ransomware is a type of malware. It encrypts files on a device, making them and the system that relies on them unusable. Attackers demand payment (a ransom) to give your access back, typically in cryptocurrency, by credit card, or in untraceable gift cards.
This exploit is panic-inducing, maddening, and effective. Unfortunately, paying the ransom doesn’t guarantee that you regain access. Even worse, victims who do pay are frequently targeted again. And infection of one machine or device can spread ransomware throughout your entire network—and sometimes to other businesses in your supply chain.
In earlier years, during a ransomware attack, you could tell hackers, “no way” that you would pay and restore files from backed up copies.
Now, ransomware tactics have changed. First, attackers steal and then encrypt all the files that they can. Then, if you refuse to pay the ransom, they threaten to publish confidential files. That means that now you must encrypt sensitive business information such as intellectual property (IP) as well as important data that you store or send over the internet.
There are several ways that ransomware can get into your computer or system:
There’s no preventing ransomware attacks. The best one can do is reduce the odds of infecting your computer or system. That means someone who’s computer-savvy must go through your computers, devices, and network, looking for vulnerabilities such as:
If you get attacked, there are quite a few things you can do and others that you should avoid.
What not to do. Do not panic or pay the ransom. If you refuse to pay, you’re in good company—more than 75 percent of small businesses make that choice.
What to do immediately. Here’s what you should do to limit damage to your network. (If you have a cloud host or managed service provider (MSP), it’s their job to carry out these steps):
And if you don’t have a breach attack plan, create one as soon as possible after the dust settles.
Scammers use email or text messages to trick you into giving them your personal information. They might try to steal your passwords, account numbers, or Social Security number. If they get that information, it’s “Open, sesame!” They can gain access to your email, bank, or other accounts.
The goal of phishing remains the same: access to information that attackers can eventually turn into cash. Nevertheless, the top targets of spoofing (fooling account owners) are changing.
With layoffs skyrocketing, and more employees working from home, hackers are pouncing on all types of small-office businesses. However, mass phishing campaigns of the past are becoming more targeted and sent at lower volumes.
In the past, a single phishing email might be sent to hundreds of recipients. In 2020, most phishing campaigns were sent at much lower volumes and used new methods to carry the malware.
Why the change? Mass phishing waves are easier to detect than low-volume attacks. This trend shows that phishers are getting smarter about picking their targets.
Businesses might improve account user awareness, but phishers are getting more skillful, too. They’ve even started spoofing phishing awareness training platforms.
An attacker impersonates a trusted contact and sends the victim fake email messages. The victim opens the mail and clicks on the malicious link in it or opens the mail’s attachment. One click and voilà! Attackers gain access to confidential information and account credentials.
In addition to traditional phishing methods, COVID-19 phishing emails and shared file notifications are more common since the pandemic began. On SharePoint, OneDrive, and Dropbox platforms, workers receive shared-file notifications from these well-known applications daily. In 2020, hackers increasingly exploited the credibility of these services to conceal both their identities and intentions.
Human nature (inattention or being rushed) has not changed, but the sources of phishing bait are new and more complex.
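One of the mechanics described above, the link whose visible text points at a trusted site while the real destination is somewhere else, can be checked mechanically before anyone clicks. The following is an added example, not code from the original guide: it parses a constructed sample message (reserved example/test domains, not real organizations) with the Python standard library and flags anchors whose displayed domain differs from the domain the href actually resolves to, along with the sender's real address domain. The two-label "registrable domain" shortcut is an assumption for brevity.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message for this example. The domains are reserved
# example/test names, not real organizations.
SAMPLE_EMAIL = """From: "Example Bank Support" <support@example-bank-alerts.test>
To: owner@practice.example
Subject: Action required on your account
Content-Type: text/html

<html><body>
<p>Please confirm your details at
<a href="http://login.example-bank-alerts.test/confirm">https://www.examplebank.com/secure</a></p>
<p>Questions? Visit <a href="https://www.examplebank.com/help">our help page</a>.</p>
</body></html>
"""

# Matches something that looks like a host name, with or without a scheme.
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    # Simplification assumed for the example: the last two labels. Production
    # code should consult the Public Suffix List instead.
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def visible_domain(text: str) -> Optional[str]:
    """Return the domain a reader would see in the link text, if any."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


def find_link_mismatches(html: str) -> List[Dict[str, str]]:
    """Flag anchors whose displayed domain differs from where the href really goes."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = visible_domain(text)
        actual = (urlparse(href).hostname or "").lower()
        if shown and actual and registrable(shown) != registrable(actual):
            findings.append({"shown": shown, "actual": actual})
    return findings


def analyze(raw_message: str) -> Dict[str, object]:
    """Summarize the signals a reader should compare: who really sent it, and
    whether any link text lies about its destination."""
    msg = message_from_string(raw_message)
    _display_name, address = parseaddr(msg.get("From", ""))
    return {
        "sender_domain": address.rpartition("@")[2].lower(),
        "link_mismatches": find_link_mismatches(msg.get_payload()),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_EMAIL))
```

Links whose text is plain words ("our help page") are not flagged by this check, because there is nothing for the text to contradict; those still need the "do I have an account with this company?" question below.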
There are many ways you can protect yourself from this attack, but the main one is vigilance. The main thing to remember is that successful phishing expeditions run on adrenaline—yours. So, stay cool and watch for these telltale signs:
There is good news about phishing attacks. They are avoidable. Here are some ways to make you less of a target.
Reducing the Risks of Phishing Attacks
There is no 100-percent protection from any security risk, but here are solid methods that can stack the odds in your favor:
Keep Your Trigger Finger on Hold
If you get an email or a text message that asks you to click on a link or open an attachment, STOP. Then ask yourself, “Do I have an account with the company or know the person that contacted me?”
If the answer is no:
If the answer is yes:
If You Think Your System Is Infected…
OK, you couldn’t stop yourself in time. You clicked a link that sent you straight to a cybercrook. Now what?
Reporting the Attack to Officials
If you got a phishing email or text message, report it. The information you give can help fight the scammers.
Password cracking means recovering passwords from a computer or from data that a computer transmits. Password attacks are exploits in which a hacker identifies your password or other sign-in credentials using various programs and password-cracking tools such as Aircrack, Cain and Abel, or John the Ripper.
Faking voice data and video imitation aren’t future attack tools. They’re here, now. In 2019 hackers used AI and voice technology to impersonate a business owner. A company’s CEO was convinced enough of the owner’s identity to transfer $243,000 to a hacker.
But security defenses are more robust, too. For example, passwords are now stored using a key derivation function (KDF). This method runs a password through a slow one-way function, and the server stores only the result (a hash), never the password itself.
Think about password attacks as tit-for-tat wars between cybercrooks and IT product designers and engineers. Security exploits get more effective, so software and hardware are developed to make attackers use more time and other resources to crack into your network. Attackers respond by designing exploits that are faster, stronger, or more unexpected than their previous efforts.
This scenario has been part of IT security reality for years and will continue for years. Here’s a list of the most common password attacks:
You can summarize the causes of these attacks in a word: humans, often the weak link in the security chain. In password attacks, human nature expresses itself in several ways.
Poor account password management.
Poor account access management.
Even if your IT ops involve only a handful of computers and IT devices, your business is still an attractive target to hackers. It pays to consider a multi-layered approach to defending your work and communications processes. This approach includes setting up:
Yes, setup and monitoring duties require time and effort, perhaps more than you can or want to engage in. If you prefer to delegate these tasks, consider hiring a third-party security services provider.
As always, you never totally prevent a password attack. But making it too much trouble for hackers to enter your system can help you avoid harm. The best ways to do this include creating policies for passwords and access to valuable data and sensitive business information.
Password policies are a set of rules meant to require users to create and maintain dependable, safe passwords. These rules are at the top of the security to-do list. They go beyond suggested best practices (although it’s fine to have these, too).
If all this effort seems like a bit much for a single-person business or a small professional practice, we understand. The secret to IT security success is having clearly defined standards and following them consistently.
If you get hacked, you’re in good company. About 50 percent of smaller businesses share your experience. Remember, when you get hit, act quickly to reduce damage to your IT infrastructure and business relationships by:
Containing the damage immediately.
Reset all passwords and remove any corrupted files. In a serious breach, you might have to take the entire system offline, isolate part of your network, block website traffic or install temporary firewalls.
Contacting authorities and members of your business network.
If the attack stole sensitive financial information, calls to the FBI and FTC should be on the top of your to-do list.
Contact customers, suppliers, partners, and service providers. Being thorough here will build goodwill along your supply chain.
When a data breach occurs, the threat—deliberate or accidental—often comes from the inside. An insider threat can be a partner, employee, or contractor inside your organization; or an unpredictable event based on a moment of carelessness.
If you’re doubting insider threats can touch your practice, think again. The stereotype of an insider threat—a disgruntled employee leaving with a briefcase filled with sensitive information—is still relevant but less so than previously.
And now, you can add internal threat as a service (ITSaaS) to the mix. You can buy almost anything on the dark web, where you can find organized cells of recruitment infiltrators. In this scenario, bad actors become trusted employees, with the goal of being interviewed, entering your workforce, and stealing highly valuable IP and other information.
Human error, not to mention greed and malice, can always be counted on to expose IP and sensitive business, legal, or financial information to bad actors. Here are six things to watch for:
In this exploit, hackers intercept communications between a system user and the server the user is trying to reach. Hackers can steal passwords and other sensitive data or actively alter information by injecting malware into the communications session.
These attacks are especially relevant to smaller-sized businesses because most man-in-the-middle attacks are targeted at organizations that don’t have the money for expensive cybersecurity solutions.
MitM attacks are preventable. Just remember to:
In a distributed denial-of-service (DDoS) attack, hackers use malware or other cyber tools to make computers or network resources unavailable to their intended users.
When run with hundreds of thousands of malware bots, DDoS attacks can bring the activity of the largest companies to a halt. These attacks can run on their own or alongside password attacks to deliver extra damage to their targets.
Many DDoS attacks target a network layer that controls connections between networks. As attackers send large volumes of junk traffic to your IT infrastructure, your site can become slow or even inaccessible to users. Eventually your site becomes unusable. Your business and its revenue streams stop.
DDoS attacks have grown more powerful and complex over the years, and they victimize networks of all sizes. Mammoth attacks (2.3 Tbps in February 2020 and up to 1.5 Tbps in 2016) continue to amaze IT security pros. But smaller attacks are also effective against under-protected internet assets of smaller businesses.
The best way to detect and identify a DDoS attack is through network traffic monitoring and analysis. These symptoms can indicate a DDoS attack in progress:
It’s important to understand the warning signs of network slowdown, intermittent website shutdowns, and loss of other important system functions. These general rules and guidelines apply to all small-office IT operations. When you engage in specialized practices, however, there are more requirements to consider.
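As an added example of the traffic monitoring just mentioned (not code from the original guide), the script below buckets web-server requests into fixed 10-second windows and raises an alert when a window carries many times the median volume and that volume comes from many source addresses at once, which is what distinguishes a distributed flood from one busy client. The log format, the constructed sample lines (documentation-range IP addresses), and the thresholds are all assumptions for this illustration.

```python
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample access log for this example (not real traffic). The line
# format is an assumption: "<ISO-8601 timestamp, UTC> <source IP> <request path>".
QUIET_LINES = [
    "2024-05-01T08:00:01 203.0.113.10 /",
    "2024-05-01T08:00:07 203.0.113.11 /about",
    "2024-05-01T08:00:12 203.0.113.10 /contact",
    "2024-05-01T08:00:19 198.51.100.5 /",
    "2024-05-01T08:00:24 203.0.113.11 /",
    "2024-05-01T08:00:28 198.51.100.5 /about",
]


def build_burst(start: str, sources: List[str], per_source: int) -> List[str]:
    """Generate a constructed one-second flood: every source hits "/" every 200 ms."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(milliseconds=200 * i)).isoformat()} {src} /"
            for i in range(per_source) for src in sources]


BURST_SOURCES = [f"192.0.2.{n}" for n in range(1, 9)]   # 8 documentation-range IPs
SAMPLE_LOG = QUIET_LINES + build_burst("2024-05-01T08:00:30", BURST_SOURCES, 6)


class FloodAlert(NamedTuple):
    window_start: datetime
    total_requests: int
    distinct_sources: int
    top_talkers: List[Tuple[str, int]]


def parse_line(line: str) -> Tuple[datetime, str, str]:
    ts, src, path = line.split(maxsplit=2)
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc), src, path


def requests_per_window(lines: List[str], window_seconds: int = 10) -> Dict[int, Counter]:
    """Bucket requests into fixed windows; each bucket counts requests per source IP."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in lines:
        ts, src, _ = parse_line(line)
        buckets[int(ts.timestamp()) // window_seconds][src] += 1
    return dict(buckets)


def detect_floods(buckets: Dict[int, Counter], window_seconds: int = 10,
                  multiplier: float = 5.0, min_sources: int = 3) -> List[FloodAlert]:
    """Flag windows whose volume is far above the median window AND comes from
    many sources at once (the "distributed" part of DDoS)."""
    if not buckets:
        return []
    baseline = statistics.median(sum(c.values()) for c in buckets.values())
    alerts = []
    for bucket in sorted(buckets):
        counter = buckets[bucket]
        total = sum(counter.values())
        if total >= multiplier * baseline and len(counter) >= min_sources:
            start = datetime.fromtimestamp(bucket * window_seconds, tz=timezone.utc)
            alerts.append(FloodAlert(start, total, len(counter), counter.most_common(3)))
    return alerts


if __name__ == "__main__":
    for alert in detect_floods(requests_per_window(SAMPLE_LOG)):
        print(f"{alert.window_start.isoformat()}: {alert.total_requests} requests "
              f"from {alert.distinct_sources} sources; top talkers: {alert.top_talkers}")
```

On the sample data the three quiet windows hold two requests each and the fourth holds 48 from eight addresses, so only the fourth is reported. In a real deployment the median would come from a longer history than the current log, and a small office behind a hosting provider or MSP should expect that provider, not this script, to do the blocking; the value of running something like this yourself is knowing when to call them.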
Depending on your specialization, your practice might work with various types of sensitive legal, financial, and healthcare data. Each of these types of information is protected with security standards, laws, and regulations.
Each country and each US state has its own data protection laws and recommendations. Here are compliance tips for U.S. law firms:
Many agencies govern how legal firms gather, store, and handle information. Here are the major entities that guide these activities in the U.S. and European Union:
These industry acts and standards describe the necessary data protections for specific types of data. These include:
In medical practices with fewer than 20 employees, doctors are often reluctant to spend money on HIPAA security measures. They don’t believe they’re at risk for a data breach. But then, all it takes is a lost laptop, theft of a tablet, or human error to release patient data accidentally. And then, there’s the risk of ransomware or a data breach.
Small businesses are liable to a wide variety of cyberattack. Here are some hints and pointers to agencies that can guide your practice through the modern age of cyberattacks.
The HIPAA Security Rule focuses on securing the creation, use, receipt, and maintenance of electronic personal health information by HIPAA-covered organizations. This rule sets guidelines and standards for administrative, physical, and technical handling of personal healthcare information.
Healthcare data breaches are very frequent. We published a research piece highlighting the incidence of healthcare data breaches in the US between 2009 and 2019.
Here’s a list of capabilities that medical practices must be able to show in data audits:
HIPAA: The Health Insurance Portability and Accountability Act is a federal law that aims to make it easier for people to:
International Standards Organization: ISO 22301:2012 is an international standard that provides a best-practice framework for implementing an optimized business continuity management system (BCMS). There are more ISO standards that apply to medical patient data. You can find them here.
To ensure that financial services professionals and their firms take cybersecurity seriously, the Securities and Exchange Commission (SEC) and U.S. state securities regulators are starting to crack down on financial advisors’ cybersecurity practices. Here are recent changes in compliance-related enforcement activity. The:
Developing these capabilities should make complying with GLBA, PCI DSS, and SOX standards easier.
Most malware attacks succeed by using online social engineering schemes that manipulate unsuspecting users to open the door wide for hackers. To prevent this scenario:
Recognize patterns of vulnerability. For example, the RSA 2020 State of Security Operations report revealed that 35% of threats were detected between 8 p.m. and 8 a.m.
With the average organization deploying 129 apps, there are ample opportunities for bad actors to find weaknesses in your IT infrastructure. No organization can address all vulnerabilities. That’s where vulnerability assessments come in. They help you:
Financial services businesses rely on many types of vendors, suppliers, and partners, who can expose your business to trouble. Across all sectors, Ponemon Institute found that 59 percent of those surveyed said they’ve experienced a breach due to a third party.
Yet only about a third kept an inventory of their third parties and even fewer—16 percent—said they effectively mitigated the risks. Protect your network by:
You should have well-defined methods that you can find and use quickly to quarantine, block, or eliminate malicious network traffic. If you don’t have them, you should. Your effort needn’t be a burden. Just create a document that provides answers to questions about everyone in your business network:
Answering these and other questions ahead of time can reduce post-attack confusion and pave a smoother path to recovery.
These sources provide background information about regulations that affect day-to-day cybersecurity operations and how to set up your security compliance system:
As you can see, recent changes in cyberattack tactics and targets put your business in the crosshairs of actors who will try to do you harm.
Protecting yourself from these groups will require more time, effort, and money than in the past. But remember, your potential savings of time, money, and perhaps your reputation will be larger, too.
In the tit-for-tat war of cybersecurity, the bad guys are still ahead, but by less than before. Even in a one-computer office, the risk is real, and it won’t go away. The best that you can do is: