The Argument for Cybersecurity Fundamentals – and Outside Help

Most cybersecurity threats simply take advantage of our failure to establish and maintain basic information security hygiene. For example, because we don’t segment our networks or back up all of our data, we invite ransomware attacks. But in 2019 that threat morphed into cryptojacking and cryptomining, presenting an even more formidable challenge to the CISO community, and to the SMB IT community as well.

While ransomware has been one of the biggest threats impacting businesses in the past two years, today’s threat actors are taking the same ransomware variants previously used to encrypt data and ransom an organization’s resources, and are instead using them to silently mine for cryptocurrency.

This shift means that the argument most SMB leaders I have talked to have used in the past, “My business is too small to be attacked, and I have no valuable assets to worry about,” no longer holds water.

Cryptojacking is the hijacking of a computer by an attacker so its processing power can be used to mine cryptocurrencies. Mining cryptocurrencies involves applying massive compute power to solve complex systems of equations.

Cybercriminals essentially divert your business’ computing resources to their own financial goals, using advanced malware on your systems to perform these calculations while they generate tokens and earn fees in the process. Many of these attacks come through web browsers, while others rely on you inadvertently installing malicious code on your systems. The government of North Korea has made this a national source of economic prosperity.

The impact on you is substantial. If you depend on your IT systems for business operations, your systems will run much more slowly. If cybercriminals use your systems for long periods of time at high volume, your systems will likely crash: computer processors were not designed to run at 100% of capacity for extended periods. And if you try to uninstall the malicious offenders, you will trigger a trip wire that transfers administrative control to the bad guys, and you will not get your system back.

Most of your customers will not be used to 2001-era page load speeds, but that’s what you will be giving them once your systems have been seized. If any part of your business is web-based, you can kiss those customers goodbye.

The majority of cyber-attacks that target SMBs cost companies about $150,000, which includes lost revenue, customers, commercial opportunities and other out-of-pocket expenses. But according to a recent study by Cisco, some cybersecurity attacks and data breaches can cost SMBs as much as $3.9 million, including the cost of cleaning up after the incident is over.

In a just-released report by the NCSA on the state of cybercrime in small businesses, the findings about just how poorly small businesses are able to withstand a data breach are truly shocking. According to the data, the percentage of small businesses that experienced a data breach in the last 12 months ranges from 11 percent among very small businesses to 44 percent among midsized businesses, with an average of 28 percent. Of these businesses, this was the outcome:

69% were offline for a limited time

37% suffered a significant financial loss

25% filed for bankruptcy

10% went completely out of business

The types of costs associated with the reported cyber-attacks and data breaches are similar to those in other studies, such as the one Kaspersky Labs conducted over the last nine months, which found SMBs spending about $120,000 on average following a security incident. (Kaspersky: Data Breaches Cost Enterprises $1.23M.)

The biggest impact of an attack on an SMB is the downtime that follows. Almost half experienced downtime of eight hours or more, and while that number is similar for larger firms with 500 or more employees, the ability to recover is the biggest difference. This comes down to the resilience that larger firms have built in against such attacks, which results from rigorous attention to hygiene.

Every SMB that had experienced a cyber-attack found that the threat vectors were of the same types experienced by their large-business counterparts:

1. Phishing: 79%

2. Advanced Persistent Threats (APTs): 77%

3. Ransomware: 77%

4. Distributed Denial of Service (DDoS) attacks: 75%

5. The proliferation of BYOD policies that can bring outside threats inside or cause data to leak: 74%

How to prevent it? Setting up simple yet advanced server filtering programs will detect the bad guys before they get started. Scanning your web servers in real time will detect and alert on any newly installed suspicious scripts and files, and running ad blockers and cryptomining blockers will stop malware running in browsers. Investing in endpoint protection will focus detection and blocking on your interconnected systems, and in today’s WFH environment you will need some form of UEM solution to manage and protect the new perimeter.
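As an added example (not code from the original post), here is a minimal file-integrity check in Python for the “scan your web servers for newly installed scripts” step: it baselines a web root, re-scans, and alerts on any new or altered script-type file. The directory layout, the injected sample file and the extension list are all constructed assumptions for the example.

```python
import hashlib
import os
import tempfile

# Extensions an attacker would use when dropping a browser-side miner into a
# web root; this set is an assumption for the example, not from the post.
SCRIPT_EXTENSIONS = {".js", ".php", ".html", ".sh"}

def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest

def diff_snapshots(baseline, current):
    """Return (added, modified, removed) relative paths between two manifests."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed

def suspicious_changes(baseline, current):
    """Alert on any new or altered script-type file; other changes are routine."""
    added, modified, _removed = diff_snapshots(baseline, current)
    return sorted(p for p in added + modified
                  if os.path.splitext(p)[1].lower() in SCRIPT_EXTENSIONS)

def _write(root, rel, text, mode="w"):
    with open(os.path.join(root, rel), mode) as fh:
        fh.write(text)

def demo():
    """Constructed web root: baseline it, then simulate an injected script."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "assets"))
        _write(root, "index.html", "<html><body>shop</body></html>")
        _write(root, "assets/app.js", "console.log('app');")
        baseline = snapshot(root)
        # Simulated compromise (constructed, not a real miner): a new script
        # lands and the existing page is altered to load it.
        _write(root, "assets/loader.js", "// injected content (constructed)")
        _write(root, "index.html", '<script src="assets/loader.js"></script>', "a")
        return suspicious_changes(baseline, snapshot(root))

if __name__ == "__main__":
    print("ALERT, new or modified scripts:", demo())
```

In practice you would store the baseline manifest off the web server and run the comparison on a schedule or from a file-change watcher, so an attacker who gains write access to the web root cannot also rewrite the baseline.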

Better training is one way for smaller companies with less money to spend on security to help stem the tide of these various cyber-attacks. Taking the steps to transform the entire company into a ‘security aware’ business will go a long way toward prevention. Arming employees with foundational knowledge about the traditional attack vectors of malware, such as phishing, and about how they can protect themselves, especially from socially engineered attacks, will make a huge difference at very little expense.

Maintaining a strong password policy and backing up regularly while retaining a recent backup copy off-site requires no additional technology expense but is critical to protecting against the most common attacks.

All of these tasks are part of fundamental information security hygiene. As you can see, there is no need for some genius AI or ML solution that can figure out how to protect against Star Wars-class threat vectors. If you can’t or don’t want to do all of this yourself, then you should hire an outside firm to do it for you. These days there are many very competent MSSPs deploying advanced SIEM and threat defense / endpoint protection platforms that will both force and guide you to put fundamental protocols in place, so that the combination lets you sleep at night knowing you are protected from cryptomining and these business-killing cyber-attacks.

The alternative is to continue trying to stick Post-it notes on the ocean. It hasn’t worked yet and it won’t work in the future.
