As businesses increasingly rely on digital communications and email to operate, cyber-criminals are becoming more sophisticated and intelligent in their attacks.
Email is now the most common channel for criminals to launch cyber-attacks and has become a leading cause of data breaches and financial loss. Attackers are increasingly exploiting vulnerabilities in email to spread advanced attacks like ransomware.
At the same time, social engineering attacks like phishing target employees directly, exploiting a lack of security knowledge to trick people into giving up passwords and financial information.
Stopping these threats is a major challenge for businesses globally. It can be difficult for small teams in particular to get the visibility into threats that they need, and to find the right solutions and technologies to protect their users and data.
To help small businesses learn more about how they can stay secure against email threats in the cloud, we spoke with Jason Norton, Product Marketing Director at VIPRE. VIPRE is a provider of endpoint, email and network security solutions, aimed predominatly at the SMB market.
In this article, we discuss how email threats have changed, why small businesses are particularly at risk, and what the best ways are for small teams to build a strong security foundation.
Cyber Attacks Are Becoming More Sophisticated
Since VIPRE was founded in the mid-1990s, there has been a major shift in both cybersecurity threats and business attitudes towards them. Back then, Norton says, many small businesses relied on free tools for anti-virus, something they couldn’t even countenance doing now.
There has been a “tremendous acceleration and velocity,” in the sophistication of advanced email threats, Norton says. The emergence of powerful ransomware attacks like WannaCry and NotPetya, which have affected thousands of businesses around the world, demonstrate how sophisticated and damaging email threats have become.
One recent ransomware attack against smartwatch manufacturer Garmin highlights just how devastating these email attacks can be for businesses. A piece of malware called WastedLocker took down Garmin’s systems across multiple days, which meant many of their wearable devices were unusable for customers. This attack was sponsored by Russia’s EvilCorp, a state-sponsored group of cyber-criminals that were indicted by the US department of Justice. They group reportedly demanded a ransom of $10 million USD to restore Garmin’s access to their systems.
But the attacks that we often read about in the headlines don’t tell the whole story. The largest proportion of attacks are against SMBs, Norton says, and these attacks go largely unreported.
Why Small Businesses Are Increasingly at Risk of Cyber Attacks
The threats facing small businesses are different to those facing large enterprises, but just as challenging, Norton says. While big organizations have massive IT departments and budgets they can use to tackle email threats, small businesses have to tackle the same sophisticated attacks with far fewer resources.
To add to this problem, the barriers to entry for cyber-criminals has fallen dramatically. In the past, hackers had to have a strong technical knowledge to target a business. Today, all they need is intent and access to the dark web, Norton says. From here, criminals can buy malware and ransomware off the shelf, which can be distributed via email. This makes targeting small businesses far easier for cyber-criminals.
The rapid move to remote working we’ve seen caused by the Covid-19 pandemic has been another major driver of cyber-risks to small businesses. Working from home has “raised the stakes even more,” Norton says, by increasing the volume of emails sent to communicate and by isolating users at home.
How Small Businesses Can Build A Stronger Security Foundation
Norton’s advice for organizations to better protect themselves from these advanced cybersecurity threats is to implement a layered security approach. Organizations need protection at the “network, endpoint and email,” level, he says, with security awareness used to promote better security hygiene internally.
With these layers in place, businesses are in a much better position to tackle advanced cyber-threats, Norton says. Strong technical security will prevent malware and ransomware protecting your organizations from inbound attacks via the email channel. With these protections in place, admins should feel comfortable that they have the foundation of security laid down to protect them from most advanced threats, Norton says.
Awareness training on other hand, teaches employees what an email threat looks like, helping to prevent successful phishing attacks and email fraud. “To combat today’s sophisticated email threats, you have to have a combination both of technology and user behavior training,” Norton says.
The increasing complexity of attacks means that there’s never going to be a technical solution that eliminates the threat of social engineering completely he says, so some method of training users to look out for these attacks become more and more important.
While it’s important that small businesses ensure they have multi-layered security in place, it’s also important they are is easy to use and manage. Norton says that “tool sprawl” has been a problem with IT professionals for a long time. Admins often need to manage multiple different security products to combat issues in different areas, which is often complex, time consuming and expensive.
Increasing the simplicity of your security infrastructure by consolidating vendors is an important step in building a strong security foundation. Customers need a platform that is easy to work with and won’t require the use of multiple dashboards and consoles, in order to improve their resilience against security threats, Norton argues.
Norton’s final piece of advice for admins is to “be immersive with the information and resources that are out there,” and use resources such as the CISA government guidelines as guides to implementing better security practices.
By combining a layered approach to security, with strong email, web, endpoint and awareness training in place, while following security best practices, your organization will be in a much better position to protect itself from sophisticated cyber-attacks.
Thanks to Jason Norton for taking part in this interview. You can find out more about VIPRE and their range of cybersecurity solutions here: https://www.vipre.com/