Sunrun Inc. leases solar power equipment and services to homeowners. In early January 2017, the payroll manager of Sunrun fulfilled what she thought was a routine request for the W-2 tax forms of the company's 4,000 U.S. employees. The urgent request came from Sunrun's CEO Lynn Jurich — or so it seemed.
The information emailed out by the payroll department included social security numbers, wage and tax information, and personal addresses. According to the San Francisco Chronicle, Sunrun discovered the well-planned email scam within an hour of the request, but the damage had already been done.
Your Money or Your Data
Timothy Francis, the enterprise leader of cyberinsurance at Travelers Insurance, says 60 percent of all online attacks in 2014 were against small- and medium-sized enterprises (SMEs). A Verizon report published in 2012 indicates the cost of the average security breach to small businesses is $36,000.
Increasingly, the most common and lucrative security breaches for criminals involve the installation of ransomware on computers. Ransomware is software that locks users out of their computers or restricts access to data by encrypting the information. The user must enter a special key code to restore access, and the hacker will only provide the key if the ransom is paid. The most malicious ransomware actually erases all of a user's data, even if the ransom is paid.
Many owners of SMEs believe they are small fish in an ocean of corporate whales that are far more appealing to criminals. They read about high-profile hacks of large organizations like Yahoo!, Target, JPMorgan Chase, eBay, and LinkedIn, and they feel safe, but large companies have learned the hard way to fortify their protection against cyber intruders and harden their defenses against future attacks.
As a result, more cybercriminals are turning their attention to easier SME targets, which often have minimal protection in place and lack the knowledge to prevent theft of information from their computers. Up for grabs are passwords, bank account information, residential addresses, and even social security numbers. Armed with this information, cyber thieves can drain funds, steal identities, and launch cyberattacks against businesses and even governments.
To protect themselves, SMEs can make some relatively low-cost investments to foil attempts by hackers to steal their data. The top four defense measures SMEs can take include:
- Install reputable third-party antivirus software
- Beef up passwords
- Educate end-users
- Initiate corporate governance controls
Security Solution Software
Many small businesses believe they can rely on the security solution software that came with their Microsoft Windows or Apple Macintosh machines to protect their business information, but that's not a wise decision. It's very important to invest in quality security solution software produced by a company such as Kaspersky Lab that specializes in building and updating antivirus software to handle the latest security threats.
Free security solution options are available, but the free offerings are not adequate substitutes for persistent, up-to-date, "full-spectrum" protection. In the short term, free downloads may lack the latest malware signature databases and may not be eligible for periodic updates. In the long term, regular updates that keep pace with the latest cyber threats are critical to avoiding future infections.
In early 2016, hackers broke into the laptop computer of Facebook creator Mark Zuckerberg. The intruders posted Zuckerberg's password, dadada, online, and he quickly became the laughing stock of the technology world for using such an easy-to-crack password.
Hackers write programs that apply dictionaries full of millions of passwords in their efforts to gain forced access to the information technology (IT) systems of individuals and businesses. So-called "brute force attacks" have a startlingly high success rate at breaking into computers. The three primary reasons the attacks are so fruitful are:
- Use of simple passwords that are easy to remember (and crack).
- Failure to change passwords frequently (if ever).
- Use of the same password across applications.
Once a hacker finds the key to one application, the probability of gaining access to other accounts that share the same password is high. The recommended length of passwords is 20 random characters, and users should consider using password vault software to generate and maintain lengthy, complex passwords that can be pasted into the login pages of applications.
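As an added example (not from the article), the three failure modes above turned into checks, plus a vault-style generator for the recommended 20 random characters; the common-password set and the service names are constructed stand-ins.

```python
import math
import secrets
import string

# Constructed sample of common passwords: a stand-in for the million-entry
# dictionaries described above, not a real wordlist.
COMMON_PASSWORDS = {"dadada", "password", "123456", "qwerty", "letmein"}
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

def brute_force_bits(password: str) -> float:
    """Bits of work a brute-force guesser faces if every character were drawn
    uniformly from the character classes the password actually uses."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    space = sum(size for chars, size in classes if any(c in chars for c in password))
    return len(password) * math.log2(space) if space else 0.0

def assess_password(password: str, min_length: int = 20, min_bits: float = 64.0) -> dict:
    """Check for a dictionary word, a length below the 20-character recommendation,
    and a search space small enough for a dictionary or brute-force run."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears in a common-password dictionary")
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    bits = brute_force_bits(password)
    if bits < min_bits:
        reasons.append(f"only {bits:.1f} bits of brute-force work")
    return {"ok": not reasons, "bits": round(bits, 1), "reasons": reasons}

def find_reused(credentials: dict) -> list:
    """Given {service: password}, return groups of services sharing one password,
    the situation in which one cracked login unlocks the rest."""
    by_password = {}
    for service, password in credentials.items():
        by_password.setdefault(password, []).append(service)
    return [sorted(s) for s in by_password.values() if len(s) > 1]

def generate_password(length: int = 20) -> str:
    """Vault-style random password drawn from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    print(assess_password("dadada"))            # the Zuckerberg password fails every check
    print(assess_password(generate_password()))
    print(find_reused({"bank": "dadada", "mail": "dadada", "vpn": "Xk9!pq"}))
```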
Most incursions into computer networks occur through phishing expeditions, in which hackers send emails to staff members that contain links to malicious websites. In some cases, the links take users to websites that install malware onto local computers. In other instances, links embedded in emails directly download viruses onto computer systems.
Ransomware, spyware (snoops around computers and networks and reports information back to hackers), and software that gives hackers control of the infected computer are the common applications delivered to unsuspecting businesses by cybercriminals. Targeted "spoofing" emails involve communications sent from someone who imitates authority figures like chief executives and owners to issue orders. In the Sunrun case, the spoofer's email address looked almost identical to that of the CEO.
Spoofing emails often go directly to a business' accounting manager with a request to disburse funds to a customer's bank account. The email provides the bank account information and fund transfer details. Many unsuspecting managers have sent amounts ranging from a few thousand dollars to a few million dollars to the bank accounts of cybercriminals.
The FBI reports that more than 22,000 organizations around the world have lost more than $3 billion to spoofing scams over the last three years, according to the BBC. The most effective way to combat the scourge is to educate every single staff member in the company, from the owner on down, in how to spot phishing and spoofing emails.
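An added illustration (not from the article) of the checks a mail gateway or a trained employee applies to a CEO-style request like the Sunrun one: compare the display name against a directory of known executives, look for a look-alike sender domain, and flag a Reply-To that differs from the From address. The domain example.com, the executive entry and both sample messages are constructed.

```python
import email
from email.utils import parseaddr

# Constructed company directory (hypothetical, not Sunrun's).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane ceo": "jane.ceo@example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_domain(domain: str) -> bool:
    """True when the domain is not ours but resembles it: confusable glyphs
    (rn/m, 1/l, 0/o) or a small edit distance."""
    if domain == COMPANY_DOMAIN:
        return False
    normalized = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return normalized == COMPANY_DOMAIN or edit_distance(domain, COMPANY_DOMAIN) <= 2

def spoof_findings(raw: str) -> list:
    """Return the reasons a message looks like an executive-impersonation email."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' but address {addr} is not {expected}")
    if lookalike_domain(domain):
        findings.append(f"sender domain {domain} resembles {COMPANY_DOMAIN}")
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    subject = msg.get("Subject", "").lower()
    if findings and any(k in subject for k in ("w-2", "wire", "urgent")):
        findings.append("payroll/payment request from a suspicious sender: confirm by phone")
    return findings

# Constructed sample messages: one impersonation attempt, one genuine.
SPOOFED = """From: Jane Ceo <jane.ceo@examp1e.com>
Reply-To: jane.ceo@mail-example.net
Subject: Urgent: W-2 forms for all employees

Please send the W-2s for every employee today.
"""
GENUINE = "From: Jane Ceo <jane.ceo@example.com>\nSubject: Board deck\n\nDraft attached.\n"
```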
Strengthening Corporate Governance
Companies should also consider implementing more robust processes and procedures in relation to responses to electronic requests. For instance, any requests for the disbursement of funds, no matter who makes the request, should be verified in person or by phone.
This sort of "two-step" verification is a common option offered to bank customers. After a customer logs into an account online, he or she chooses to receive a randomly generated code by email or by text message. This code must then be entered to complete the banking transaction.
Premium security solutions such as those offered by Kaspersky Lab offer multiple layers of protection against cyber threats. However, in some cases, the most effective measure against hackers involves something much simpler — common sense.