Analysis: with attacks on the rise, small businesses are vulnerable to some of the same cyber threats as large businesses 

Bob’s heart sank as he looked at his PC in his office. On the screen was a message saying all his files had been encrypted and that he would have to pay $25,000 in Bitcoin to recover them. And it wasn’t just his PC: all the employees in his small business has been affected, along with the server where he kept vital customer and production records. He couldn’t afford the $25,000 hit to his accounts, but nor could his business afford to lose all its records. What was he to do?

Typical horror stories about cyberattacks and data breaches tend to involve large corporations and the destruction or theft of millions of records. Large companies have considerable IT resources at their disposal, but also make enticing targets due to the large amount of personal data (credit card details and passwords) that may be held by them.

For small to medium enterprises (SMEs) the threat is different. They have limited resources to protect themselves and may not perceive themselves as vulnerable to cyberattack. However, attacks on small businesses are rising. Additionally, SMEs are vulnerable to some of the same threats as large businesses: Carelessness, disgruntled employees, systems failure and even opportunistic attacks from the outside.

From RTÉ Radio 1's The Business, Smarttech's Ronan Murphy on our state of preparation to fight back against digital threats

Two bitter personal experiences illustrate some of the difficulties faced by an SME. In the first case, a research server hosted by Amazon Web Services was attacked. This server was running Windows Server 2012, an easy operating system to set up and configure quickly. A risk assessment had been done prior to deployment and I determined the overall risk was minimal as the server did not present a particularly enticing target.

Nevertheless, the server was attacked. We discovered the attack after unusual activity was spotted. The evidence for this was several script files that appeared from nowhere. We were able to trace the origin of these to China. Additionally, we determined that the applications on the server were untouched. A hacker had taken over the server to use for bitcoin mining. This is a potentially lucrative activity that requires huge amounts of computing power, so while the server itself was not of value, the computing capacity it presented was.

Luckily, our data was not affected, nor was it accessed, as it was stored on an encrypted database on a different server. That data was protected by several layers of security, which guaranteed that no one could access it unless they were in possession of several decryption keys.

From RTÉ Radio 1's Drivetime, how secure is your password?

We traced the server breach to a mistake I made when setting it up. I had forgotten to switch on Windows automatic updates, which exposed the server to several vulnerabilities which the hacker exploited. In the end, we created a new server. We made sure it was fully patched and that it was updated regularly, and continued our work.

The second case involved ransomware. An associate had clicked a link on an unknown website and this unfortunately allowed some ransomware onto his system which it promptly encrypted his hard drive. The ransomware demanded approximately $300 in payment.

Then the problem got worse. On the hard drive were several folders which were shared using Dropbox. Those were encrypted as well, which meant that folders on my PC also became encrypted. The ransomware was not able to propagate itself via shared folders, so the problem stopped there. But it still left us with a mess to clean up.

It is important to understand that several steps can be taken to reduce the risk of an attack happening and to minimise post-attack damage

Luckily, Dropbox provides a mechanism to revert to the previous version of any file in a Dropbox folder. Even the free version provides this. So, recovery was simply a matter of asking Dropbox to restore the files to the point just before the malware was downloaded. Very little work was lost. However, because the rest of the hard drive was not backed up, some personal material was unrecoverable.

Both incidents illustrate problems of concern to SMEs. Firstly, SMEs are vulnerable even if their data does not present an enticing target. An SME may have control of computing resources, in the cloud or otherwise, that may be of use to a hacker. Additionally, an SME may become collateral damage in attack on a larger service provider on whom they depend.

Secondly, education is essential. A small business may feel it does not have the time to educate its staff about the risks of clicking on unsolicited emails or browsing unknown websites. An SME can go to great lengths to protect its business through technological means, but it all comes to naught if an employee is careless or even malicious. Thus, an IT usage policy must be drafted, communicated clearly and suitable training offered.

From RTÉ Radio 1's Drivetime, Eoin Byrne and Donna O Shea from Cork Institute of Technology on the needs of the cyber security sector across the country

It is important for SMEs to understand that several steps can be taken, to reduce the risk of an attack happening and to minimise post-attack damage. The following figure illustrates some essential steps, and many can be implemented at minimal cost.

20 cybersecurity tips for SMEs 

Technical measures

(1) Patch, patch, patch – keep ALL your software up to date and do not run unsupported software.

(2) Whitelist allowed apps. Do not allow unauthorised software on your system.

(3) Harden user applications. Especially prevent web browsers from running ads, Flash and Java.

(4) Block Excel and Microsoft Office macros, unless they come from a trusted source.

(5) Install and maintain anti-virus software.

Educate all employees. No clicking on unknown emails or links. Be aware of social engineering

(6) Install and maintain anti-malware software.

(7) Restrict user privileges. No-one except a sysadmin should be an administrator.

(8) Regularly back up all your data, to a remote site if possible. Test your backups, otherwise they are useless.

(9) Use multi factor authentication (MFA) for all remote access.

(10) Implement a next generation firewall against the outside world.

(11) Encrypt and thoroughly password protect all employee laptops.

(12) Don’t use public wifi for sensitive work and ban the use of removable storage.

Process and personnel measures

(13) Do a risk assessment. Who is a threat? What do you need to protect? How well must it be protected?

(14) Evaluate and mitigate all risks to GDPR compliance and prepare a data breach response.

Block Excel and Microsoft Office macros, unless they come from a trusted source

(15) Document all your cybersecurity policies.

(16) Classify your data. What is mission-critical? How will you protect it?

(17) Educate all employees. No clicking on unknown emails or links. Be aware of social engineering.

(18) Conduct an annual penetration test and regular vulnerability assessments, including desktop breach exercises.

(19) Consider cyber insurance to cover breach and recovery costs and any legal claims.

(20) Always check invoices with trusted parties.

(Guidelines adapted from ACSC, Smarttech247 and ProPrivacy)

And what about our friend Bob? His colleague and IT sysadmin, Alice, had backed everything up the previous night. While the affected PCs all required a full reinstall, no vital company data was lost, nor was personal data compromised. It took Alice half a day to get enough systems restored to resume business. Bob breathed a sigh of relief and made a note to arrange malware awareness training for everyone. Despite the loss of half a day, he considered himself and his business lucky.

The views expressed here are those of the author and do not represent or reflect the views of RTÉ