Cybersecurity Tips for SMBs

Between the start of 2020 and December 2021, fraud rose by 600%-800%.

According to the Canadian Anti-Fraud Centre, the increase is driven by:

  • Profitability and portability of the crime – cybercrime is global and can happen anywhere, at any time
  • People spending more time at home – remote work increases security risks, and more time online means more exposure
  • Fraudsters exploiting the e-commerce boom
  • Staffing shortages – businesses operating with reduced, overworked or distracted staff

In 2020, 71,100 fraud reports were filed and 42,184 Canadians were victims of fraud, losing over $106 million.

In 2022 (2022 figures not captured; 2021 figures shown in parentheses):

  • Reports of fraud (107,139 in 2021)
  • Victims of fraud (68,061 in 2021)
  • Lost to fraud ($383.6M in 2021)

* According to the Canadian Anti-Fraud Centre as of Dec. 31, 2022.

Real-world example of a phishing email

A word about Business Email Compromise

Business Email Compromise (BEC) is a type of social engineering attack that takes place over email. In a BEC attack, an attacker falsifies an email message to trick the victim into performing some action — most often, transferring money to an account or location the attacker controls.

BEC does not always involve malware. It is a monetization technique: the victim's systems need not have been compromised at all, only the victim's trust in an email.

Examples of Business Email Compromise (BEC)

  • CEO fraud – Impersonating the CEO may leave employees unwilling to question a request, whether it is to transfer funds or to provide sensitive information.
  • False invoice scam – The criminal pretends to be a supplier who needs payment for services rendered, often reusing a previous invoice with modified banking details.
  • Attorney impersonation – Similar to CEO impersonation: many employees comply with requests from the legal department. The requests are typically marked urgent and confidential to reduce the chance that anyone asks questions.
  • Account compromise to defraud customers – A company mailbox is compromised and used to send invoice payment requests to customers with modified banking details.

Attack vectors

  • Compromised accounts – Mail sent from a legitimate account inherits that account's credibility and passes the receiving side's SPF, DKIM and DMARC checks, so the recipient is far more likely to believe the request is genuine.
  • Domain spoofing – SMTP, the protocol that carries email, does not verify the sender address by default: the From address and display name are just text the sender chooses. Unless the receiving server enforces SPF, DKIM and DMARC for your domain, an attacker can make a message appear to come from inside the company. SMTP also allows a separate Reply-To address, so replies go back to the attacker rather than to the person being impersonated.
  • Lookalike domains – The objective is to register a domain that, on a quick glance, resembles a trusted one: bmo.com versus brno.com (the letters r and n mimicking m), or ca-bmo.com. Because the attacker owns the lookalike domain, such mail can legitimately pass SPF, DKIM and DMARC; only the spelling gives it away to someone who is paying attention.
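The three attack vectors above can be checked mechanically on incoming mail. The script below is an added example, not CYDEF's code or anything from the original page: it parses a message's headers, reads the receiving server's Authentication-Results (SPF/DKIM/DMARC), flags a From address that claims the company domain without passing DMARC, flags a Reply-To that points somewhere else, detects lookalike domains by collapsing common homoglyph tricks (rn for m, 0 for o, hyphenated or nested brand names), and prepends the "[EXTERNAL]" label recommended in the checklist further down. The company domain (bmo.com, taken from the page's own example), the homoglyph table and the three sample messages are constructed assumptions.

```python
"""Checks for the BEC attack vectors above: spoofed From addresses, Reply-To
mismatches, lookalike domains and labelling of external mail.
Added example, not CYDEF's code. The company domain, homoglyph table and the
sample messages are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "bmo.com"   # assumption: the organisation's own domain

# Character substitutions used to build visually confusable domains.
_HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t")]


def skeleton(label: str) -> str:
    """Normalise one domain label so visual lookalikes compare equal."""
    s = label.lower()
    for src, dst in _HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def classify_domain(domain: str) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain == COMPANY_DOMAIN:
        return "internal"
    brand = skeleton(COMPANY_DOMAIN.split(".")[0])   # "bmo"
    # Split on dots and hyphens so ca-bmo.com and bmo.com.evil.example both
    # expose a brand token; compare each token's skeleton with the brand.
    for token in re.split(r"[.-]", domain):
        if skeleton(token) == brand:
            return "lookalike"
    return "external"


def analyze(raw_message: str) -> dict:
    """Inspect one RFC 5322 message and report the BEC indicators found."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()

    # Authentication-Results is stamped by the receiving server. Without
    # SPF/DKIM/DMARC the From header is just text the sender typed.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           msg.get("Authentication-Results", "")))
    verdict = classify_domain(from_domain)
    flags = []
    if verdict == "internal" and auth.get("dmarc") != "pass":
        flags.append("spoofed-from")        # claims to be us, but unauthenticated
    if verdict == "lookalike":
        flags.append("lookalike-domain")
    if reply_domain != from_domain:
        flags.append("reply-to-mismatch")   # replies would go to a third party

    # Label anything that is not verifiably internal, as the checklist advises.
    subject = msg.get("Subject", "")
    if verdict != "internal" or "spoofed-from" in flags:
        subject = "[EXTERNAL] " + subject
    return {"from_domain": from_domain, "reply_to_domain": reply_domain,
            "classification": verdict, "auth": auth, "flags": flags,
            "subject": subject}


# Constructed sample messages (not real mail); headers kept on single lines.
SPOOFED = """From: "Jane CEO" <jane.ceo@bmo.com>
Reply-To: <jane.ceo.office@webmail.example>
Subject: Urgent wire transfer
Authentication-Results: mx.bmo.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=bmo.com

Please process the attached payment today and keep this confidential.
"""

LOOKALIKE = """From: "Accounts Payable" <ap@brno.com>
Subject: Updated banking details
Authentication-Results: mx.bmo.com; spf=pass smtp.mailfrom=brno.com; dkim=pass header.d=brno.com; dmarc=pass header.from=brno.com

Our bank account has changed; please update your records before paying.
"""

GENUINE = """From: "Jane CEO" <jane.ceo@bmo.com>
Subject: Board deck
Authentication-Results: mx.bmo.com; spf=pass smtp.mailfrom=bmo.com; dkim=pass header.d=bmo.com; dmarc=pass header.from=bmo.com

Deck attached for Thursday.
"""

if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("lookalike", LOOKALIKE),
                      ("genuine", GENUINE)]:
        print(name, analyze(raw))
```

Note what the lookalike sample shows: brno.com passes SPF, DKIM and DMARC because the attacker controls that domain, so email authentication alone never catches this vector; the spelling check and the external label do. The spoofed sample is the opposite case: the From header says bmo.com, but the receiving server's DMARC result says otherwise, which is only possible to detect if the company publishes SPF, DKIM and a DMARC record and the mail server records the result.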

Learn more about protecting your organization from cyber threats: Business Email Compromise (phishing attack) - CYDEF

Getting started checklist

If you only do two things from this list: enable multi-factor authentication and patch everything!

Multi-Factor Authentication: enable it everywhere it is offered, starting with email and admin accounts
Patch – keep everything up to date
Antivirus (AV) – it's a no-brainer!
Detection capability (this is what CYDEF does)
Password policy enforced: the longer the better
Security Awareness Training
Response Plan
Label external emails: this makes it easy to identify emails from outside the company

Encrypt hard drives – make sure encryption is enabled
Inventory assets: you can only protect the systems you know about
Offsite backups – always a good idea
Local admin rights – employees should not have them
User access – review regularly
Public Wi-Fi – avoid if possible, or use a VPN
'Break glass' admin account: keep a separate emergency admin account, with its credentials stored offline and its sign-ins monitored, so you are not locked out if your everyday global admin account is compromised or MFA fails
Segregation of duties: policies and procedures requiring more than one person to approve high-risk actions, such as changing a supplier's banking details or sending a wire transfer

(CYDEF can help with all of this!)

Response Plan

Does your team know what to do if they suspect a phishing email? If an attack occurred today, would you know what to do first and who to contact both inside and outside your organization?

Have a response plan for when an attack occurs.

Your one-page plan should outline:

  • Defined roles – who does what:
    • Identify the on-scene commander in charge of the response
    • Identify supporting personnel (the incident response team)
    • Define immediate-action drills (e.g., who grabs which logs, who isolates the affected computer(s))
    • Have a dedicated contact channel: if someone suspects they have been phished, how do they reach the incident response team? Keep an out-of-band option (e.g., a phone number) in case email itself is compromised
  • Investigation: all relevant information is examined, in proportion to the severity
    • Keep an external emergency call list (cybersecurity professional services, insurance provider, your bank, etc.)
  • Containment: take the necessary steps to limit the spread of the incident (isolate affected hosts, reset compromised credentials, block the sender)
  • Eradication: once the damage is contained and the evidence has been collected and preserved, remove the cause of the incident
  • Post mortem: understand what happened and learn from the experience
  • Table-top exercises: strongly encouraged, to test the response plan against realistic attack scenarios

Security Awareness Training

Your entire team must remain vigilant against phishing scams at all times. However, this is especially true during holidays. Cybercriminals take advantage of the fact that we are busier, more stressed, rushed, and understaffed. Security Awareness Training can help ensure your team stays alert year-round.

Cybersecurity is not just an IT problem

Cybersecurity is everyone’s problem – from the board right through to IT support

Phishing is the most common method for cyber criminals to “walk” through your front door

20% of your team will always click on a link – how do you defend against that?

Your team can benefit from micro lessons to stay vigilant and help protect your organization

Additional Resources

  • GetCyber Safe
    National public awareness campaign created to inform Canadians about cyber security and the simple steps they can take to protect themselves online.
    https://www.getcybersafe.gc.ca/en

  • Simply Secure – Rogers catalyst
    Foundational best practices to help protect your SMB against cyber threats.
    https://simply-secure.ca/

  • Have I Been Pwned?
    Check whether your email address or phone number has appeared in a known data breach, and whether a password appears in its list of breached passwords.
    https://haveibeenpwned.com/
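As an added example (not code from the page, from CYDEF or from Have I Been Pwned), the check below ties the checklist's "password policy enforced" item to the Have I Been Pwned resource above. It queries HIBP's Pwned Passwords range API by sending only the first five hex characters of the password's SHA-1 hash, which HIBP calls k-anonymity, and matches the remaining 35 characters locally, so the password itself never leaves the machine. The minimum length, the User-Agent string and the sample range response are assumptions; the live lookup function needs network access, while the rest runs offline.

```python
"""Checking a password against Have I Been Pwned's Pwned Passwords list with
the k-anonymity range API, so the password itself never leaves the machine.
Added example, not from the page or from HIBP. The range response below is
constructed; a live lookup fetches RANGE_URL + prefix instead."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP's documented endpoint
MIN_LENGTH = 14  # assumption: the "longer is better" policy from the checklist


def hash_parts(password: str) -> tuple:
    """SHA-1 the password; only the first 5 hex chars are sent to HIBP,
    the remaining 35 stay on the client and are matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many
    times the password appeared in breaches; 0 when it is absent."""
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup of one hash prefix (network access required)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "smb-password-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Number of breach appearances; `fetch` is injectable for offline use."""
    prefix, suffix = hash_parts(password)
    return count_in_range(suffix, fetch(prefix))


def check_password(password: str, fetch=fetch_range) -> tuple:
    """Apply the policy: long enough and not in a known breach.
    Returns (accepted, list_of_reasons)."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    hits = pwned_count(password, fetch)
    if hits:
        reasons.append(f"seen {hits} times in breaches")
    return (not reasons, reasons)


# Constructed response for prefix 5BAA6 (SHA-1 of "password" begins with
# 5BAA61E4...). The counts are illustrative, not HIBP's real figures.
SAMPLE_RANGE = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000
0F3F5B7C2A1D9E8F6A4B3C2D1E0F9A8B7C6:2
ABCDEF0123456789ABCDEF0123456789ABC:17
"""

if __name__ == "__main__":
    offline = lambda prefix: SAMPLE_RANGE   # stand-in for fetch_range
    print(check_password("password", offline))
    print(check_password("correct horse battery staple 2024", offline))
```

The design point is the split: a five-character prefix identifies a bucket of several hundred hashes, so the service learns nothing about which one you hold, and the comparison happens on your side. Wire this into account creation and password changes rather than running it on a schedule against stored passwords, which you should not be able to read in the first place.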

How we can help

Threat Hunting + Managed Detection and Response in One

CYDEF leverages the best of people, processes, and technology to bring you a managed detection and response (MDR) solution that was built around threat hunting.

You’ll have peace of mind knowing we investigate 100% of threats. This zero trust model detects threats which have bypassed traditional cybersecurity solutions.

We detect modern attacks as well as novel and unknown threats that existing security solutions miss, such as ransomware, PUPs, policy violations, living-off-the-land attacks, zero-day exploits, phishing, man-in-the-middle attacks, crypto mining, espionage, and more.

You don’t need to be a cybersecurity expert to work with us