Cybersecurity Tips for SMBs
From the start of 2020 to December 2021, fraud rose by 600% to 800%.
According to the Canadian Anti-Fraud Centre:
- Profitability and portability of the crime – cybercrime is global and can happen anywhere, anytime
- People spending more time at home – remote work adds security risk, and people spend more hours online
- Fraudsters exploiting the e-commerce boom
- Staffing shortages – businesses operating with reduced, overworked or distracted staff
In 2020, 71,100 fraud reports were filed and 42,184 Canadians were victims of fraud, losing over $106 million.
So far in 2022*, the running totals compare with these 2021 figures:
- Fraud reports: 107,139 in 2021
- Victims: 68,061 in 2021
- Dollars lost: $383.6M in 2021
* According to the Canadian Anti-Fraud Centre as of Oct. 31, 2022.
A word about Business Email Compromise
Business Email Compromise (BEC) is a type of social engineering attack that takes place over email. In a BEC attack, an attacker falsifies an email message to trick the victim into performing some action — most often, transferring money to an account or location the attacker controls.
BEC is not necessarily part of a malware attack: it is a monetization technique. The organization that loses the money has often not been hacked at all, since a forged or lookalike email is enough to trigger the fraudulent payment.
Examples of Business Email Compromise (BEC) | Description |
---|---|
CEO fraud | The attacker impersonates the CEO, which leaves employees reluctant to question a request to transfer funds or hand over sensitive information. |
False invoice scam | The attacker poses as a supplier requesting payment for services rendered, often reusing a genuine earlier invoice with the banking details changed. |
Attorney impersonation | As with CEO impersonation, employees tend to comply with requests that appear to come from legal counsel. The requests are typically marked urgent and confidential to discourage anyone from asking questions. |
Account compromise to defraud customers | A company mailbox is compromised and used to send invoice payment requests to that company's customers with modified banking details, so the loss lands on the customers rather than on the company whose account was taken over. |
Attack Vectors | Description |
---|---|
Compromised accounts | Mail sent from a real, compromised account carries that account's legitimacy: it passes sender authentication checks and the recipient has every reason to believe the request is genuine. |
Domain spoofing | SMTP, the protocol that carries email, does not authenticate the sender address by default. Unless the domain publishes SPF and DKIM records and enforces them with a DMARC policy (and the receiving server actually checks them), an attacker can forge the From address and display name so the message appears to come from inside the company. SMTP also allows a separate "Reply-To" address, so replies to the forged message go straight to the attacker. |
Lookalike domains | The attacker registers a domain that, at a glance, resembles a trusted one: bmo.com versus brno.com (r followed by n reads as m), or ca-bmo.com. Either can fool someone who isn't paying attention, and because the attacker owns the lookalike domain it can pass SPF and DKIM checks, so sender authentication alone does not catch it. |
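As an added example (not CYDEF's code or the page's own), the following Python script checks a message's headers for the vectors in the table: a failed SPF/DKIM/DMARC result recorded by the receiving gateway (spoofing), a Reply-To that steers replies away from the From domain, and a sender domain that imitates a trusted one. The trusted-domain list, the confusable table and the three sample messages are constructed for illustration.

```python
"""Header checks for the BEC attack vectors above: failed sender
authentication, Reply-To steering, and lookalike sender domains.
Added example, not the page's code; the trusted-domain list and the
sample messages are constructed for illustration."""
import email
from email import policy
from email.utils import parseaddr

# Assumed allow-list: your own domain plus suppliers whose invoices you pay.
TRUSTED_DOMAINS = {"example-corp.com", "bmo.com"}

# Character sequences that read as another character in most fonts:
# the key is what an attacker registers, the value is what the eye sees.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}


def normalize(domain: str) -> str:
    """Fold homoglyph substitutions so brno.com compares equal to bmo.com."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typos of a trusted domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-cased domain of the address in a From:/Reply-To: header, or ''."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def is_trusted(domain: str) -> bool:
    """A trusted domain or a subdomain of one (mail.bmo.com)."""
    return domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or is_trusted(domain):
        return None
    labels = domain.split(".")
    # 'bmo' shows up as a token in ca-bmo.com and in bmo.com.evil.example
    tokens = set(labels) | {part for label in labels for part in label.split("-")}
    norm = normalize(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        brand = trusted.split(".")[0]
        if norm == trusted or edit_distance(domain, trusted) <= 1 or brand in tokens:
            return trusted
    return None


def bec_indicators(raw_message: str) -> list:
    """Return human-readable indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    findings = []
    # Spoofed From: the receiving gateway records SPF/DKIM/DMARC results in
    # Authentication-Results; a failure means nobody vouched for the From domain.
    auth = str(msg.get("Authentication-Results", "")).lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=fail" in auth]
    if failed:
        findings.append("authentication failed: " + ", ".join(failed))
    # Reply-To steering: replies go to a mailbox the attacker controls.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from from domain {from_dom}")
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"sender domain {from_dom} looks like {imitated}")
    # The same test that drives an '[EXTERNAL]' subject tag.
    if not is_trusted(from_dom):
        findings.append("external sender")
    return findings


# Constructed sample: From forged to the company domain and rejected by
# SPF/DMARC at the gateway, Reply-To steered to a free-mail account.
CEO_FRAUD = """From: Jane Doe <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: payables@example-corp.com
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; dmarc=fail header.from=example-corp.com
Subject: Urgent wire, keep confidential

Please process the attached wire before noon.
"""

# Constructed sample: false-invoice scam from a lookalike domain (rn reads as m).
FALSE_INVOICE = """From: Accounts Payable <payments@brno.com>
To: payables@example-corp.com
Subject: Updated banking details for invoice 4471

Our bank account has changed, see attached.
"""

# Constructed sample: ordinary internal mail, should produce no findings.
INTERNAL = """From: Alice <alice@example-corp.com>
To: bob@example-corp.com
Subject: Lunch

Noon?
"""

if __name__ == "__main__":
    for name, raw in (("CEO fraud", CEO_FRAUD), ("False invoice", FALSE_INVOICE), ("Internal", INTERNAL)):
        print(name, "->", bec_indicators(raw) or ["no indicators"])
```

The Authentication-Results check is only meaningful when your own gateway adds that header and strips any copy that arrives from outside; otherwise an attacker can supply a passing one. The token test deliberately errs toward false positives (it flags any domain containing a trusted brand name, including a partner's legitimate subdomains), which is the right trade-off for a warning banner but needs an allow-list before it is used to block mail.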
Getting started checklist
If you only do two things from this list — enable multifactor authentication and patch everything!
Multi-Factor Authentication
Patch – keep everything up to date
Antivirus (AV) – it’s a no-brainer!
Detection capability (this is what CYDEF does)
Password policy enforced: The longer the better
Security Awareness Training
Response Plan
Label external emails: This makes it easy to identify emails from outside of the company
Encrypt hard drives – make sure full-disk encryption is turned on, especially on laptops that leave the office
Inventory Assets: Protect all systems
Offsite Backups – always a good idea
Local Admin rights – employees should not have them on their day-to-day accounts
User access – review regularly
Public Wi-Fi – avoid if possible, or use a VPN
‘Break glass’ Admin account: Keep a separate emergency global admin account, with a long credential stored offline, so you are not locked out if your everyday admin account is compromised
Segregation of duties: Policies and procedures in place requiring more than one person to perform high-risk actions
Response Plan
Does your team know what to do if they suspect a phishing email? If an attack occurred today, would you know what to do first and who to contact both inside and outside your organization?
Have a response plan for when an attack occurs.
Your one-page plan should outline:
- Defined roles – who does what:
- Identify the on-scene commander in charge of the response
- Identify supporting personnel (incident response team)
- Define immediate-action drills (e.g., who grabs which logs, who isolates the affected computer(s)).
- Have a dedicated email address: If you suspect you’ve been phished, how does your team get in touch with the incident response team?
- Investigation: Examine all relevant evidence, with the depth of the investigation scaled to the severity
- External Emergency Call list (cybersecurity professional services, insurance provider, your bank, etc.)
- Containment: Take the necessary steps to limit the spread of the incident
- Eradication: With the damage contained and the evidence collected and preserved, remove the cause of the incident
- Post mortem: Understanding what happened and learning from the experience
- Table-top exercises: Strongly encouraged to test response plans against potential attack scenarios
Security Awareness Training
Your entire team must remain vigilant against phishing scams at all times. However, this is especially true during holidays. Cybercriminals take advantage of the fact that we are busier, more stressed, rushed, and understaffed. Security Awareness Training can help ensure your team stays alert year-round.
Cybersecurity is not just an IT problem
Cybersecurity is everyone’s problem – from the board right through to IT support
Phishing is the most common method for cyber criminals to “walk” through your front door
20% of your team will always click on a link – how do you defend against that?
Your team can benefit from micro lessons to stay vigilant and help protect your organization
How we can help
Threat Hunting + Managed Detection and Response in One
CYDEF leverages the best of people, processes, and technology to bring you a managed detection and response (MDR) solution that was built around threat hunting.
You’ll have peace of mind knowing we investigate 100% of threats. This zero trust model detects threats which have bypassed traditional cybersecurity solutions.
We detect modern attacks as well as novel and unknown threats that existing security solutions miss, such as ransomware, potentially unwanted programs (PUPs), policy violations, living-off-the-land attacks, zero-day exploits, phishing, man-in-the-middle attacks, crypto mining, espionage, and more.