Never assume that cybercriminals target victims according to company size, using a bigger-is-better approach; this has proven not to be the case. Small businesses had better watch out, as hackers look for weaknesses in any company’s systems, whether human, digital, or physical.
These criminals perform a reconnaissance mission of sorts before targeting a victim and planning their subsequent attack. There are several ways they perform such an inspection, and this article will explore six of the most common ways cybercriminals identify companies as potential targets and the steps to protect against ransomware and other attacks.
1. Assess Your Corporate Website
Your corporate website provides criminals with a plethora of information and opportunity. It is one of the first places they will look. If your website is structurally vulnerable, they may use it as their point of attack, or they may assume that the rest of your IT systems are equally weak.
Criminals gather corporate information from the company website, along with details of the individuals profiled on it and their email addresses. That information becomes part of their phishing and social engineering database. Finally, your website may contain sensitive information that was inadvertently placed there.
How to Defend Against This
The first way to protect against an attack through your corporate website is to use a respected hosting provider. Keep your website theme and plugins up to date, and be sure you have a firewall service with an alerting feature.
The second layer of defence is to strengthen security by requiring authorised users (such as admins or authors) to access your website using Two-Factor Authentication (2FA) during login.
Finally, a thorough review of all information on the website ensures no sensitive data is available to the public, even where it is not visible on the rendered page but is hidden in metadata or PHP code.
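The review just described can be partly automated. The following is an added example, not code from the article: it parses the HTML source of a page you host and flags details that do not appear in the rendered page but can be harvested from the source, namely HTML comments that look like developer notes or credentials, meta tags that disclose the CMS version or an author name, and email addresses in visible text or mailto: links. The sample page is constructed for the example, and the keyword list is an assumption you would tune to your own site.

```python
"""Added example (not from the article): audit a page you host for details
that are not visible in the rendered page but can be harvested from its source.
The sample page below is constructed for the example; the keyword list is an
assumption you would tune to your site.
"""
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Words that suggest a developer note or secret left in the page source (assumed list).
SENSITIVE_WORDS = ("password", "passwd", "todo", "internal", "staging", "api_key", "token")
# Meta tags that disclose software versions or staff names to anyone reading the source.
DISCLOSING_META = ("generator", "author")


class LeakAuditor(HTMLParser):
    """Collects (category, detail) findings while the page is parsed."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_comment(self, data):
        # Comments never render, so anything sensitive here is invisible to the site owner.
        text = " ".join(data.split())
        if EMAIL_RE.search(text) or any(w in text.lower() for w in SENSITIVE_WORDS):
            self.findings.append(("comment", text))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() in DISCLOSING_META:
            self.findings.append(("meta", f"{a['name'].lower()}={a.get('content', '')}"))
        elif tag == "a" and (a.get("href") or "").lower().startswith("mailto:"):
            # mailto: targets are harvested by scrapers even when the link text hides the address.
            self.findings.append(("mailto", a["href"][len("mailto:"):]))

    def handle_data(self, data):
        # Visible text, plus script/style bodies, which html.parser also delivers here.
        for address in EMAIL_RE.findall(data):
            self.findings.append(("email", address))


def audit_html(html):
    """Return the list of (category, detail) findings for one page's HTML source."""
    auditor = LeakAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


def summarise(findings):
    """Count findings per category, for a quick per-page report."""
    counts = {}
    for category, _ in findings:
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample page for the example; not a real site.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head>
<meta charset="utf-8">
<meta name="generator" content="ExampleCMS 4.2.1">
<meta name="author" content="Jane Doe">
<title>About us</title>
</head><body>
<!-- TODO: remove staging login before launch. user: admin password: changeme -->
<h1>About Example Ltd</h1>
<p>Contact our finance lead <a href="mailto:jane.doe@example.com">here</a>.</p>
<p>Press enquiries: press@example.com</p>
</body></html>
"""

if __name__ == "__main__":
    for category, detail in audit_html(SAMPLE_PAGE):
        print(f"[{category}] {detail}")
    print(summarise(audit_html(SAMPLE_PAGE)))
```

Run it over the saved HTML of each public page (for example, fetched with curl) and treat every finding as something to either remove or consciously accept; the generator tag in particular tells a reader which software and version to look up, so removing it costs nothing. Server-side PHP source is not visible in the HTML and needs a separate code review.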
2. Review Your Company’s Social Media Footprint
Another prime source for spear-phishing and whaling attack material is business-focused social media sites such as LinkedIn. Spear phishing is a targeted phishing attempt using believable emails because they are tailored to a specific individual. Whale phishing is also highly targeted and aimed at individuals at the highest levels within an organisation.
Thus, social media sites are ideal for cybercriminal gangs because they quickly learn who works at your company, giving them targets with complete profiles.
Personal social media is also a risk to businesses. People have become accustomed to sharing far more personal information on platforms such as Facebook than they do on LinkedIn. They may not reveal sensitive company data, but they provide ample information about themselves that criminals use to select their targets.
How to Defend Against This
In this case, the defence relies heavily on the individual. As an employer, you should monitor your corporate social media accounts for sensitive information and secure any data that could be used against you.
In addition, you can train your staff about threats through social media and provide clear security guidelines. Individual profiles cast a corporate footprint, and employees should be careful with their personal information as well as sensitive company information when interacting with social media.
3. Test Employee Cybersecurity Knowledge
Cybercriminals may email or cold-call staff to test their level of security experience before lining up a full-scale phishing attack. They understand that targets with little knowledge of cybersecurity are more likely to reveal sensitive information.
Calls claiming to be from the company’s internal IT department, or from an outside contractor, are common techniques used to trick staff into revealing network access information.
At this point, the hacker is not attempting to collect sensitive data but rather testing potential targets for an upcoming campaign. Small companies often spend too little time educating their staff on cyber threats.
All it takes is for one individual to click a malicious link unknowingly or inadvertently provide the criminal with logon credentials to set the wheels in motion for a full-scale ransomware attack.
How to Defend Against This
Security-trained staff can be a solid deterrent to cybercriminals. All staff, not just IT, should recognise malicious emails or attacks that come over the phone or through text messages. When they receive phone calls from would-be hackers, they should understand the process for reporting the incident to their IT department.
4. Assess the Strength of Your Corporate Network
In addition to reviewing your human assets, cybercriminals often check the strength of your external firewalls and email security. With the recent expansion of the mobile workforce, network security requires protection at multiple endpoints, from local to remote offices and down to individual mobile devices. Security vulnerabilities can exist at any point where a branch or a device connects with the corporate network.
Companies of all sizes have had to step up security, maintain new security protocols, and manage security patches and other updates. Smaller companies are often challenged in this area due to a lack of staff technical and financial resources. Despite the cost of maintaining effective cybersecurity, trying to recover from a successful ransomware attack is far more costly to the company than following ransomware protection best practices.
How to Defend Against This
Regardless of size, every company must invest in effective cybersecurity systems; this includes firewall security, email security, antivirus/anti-malware systems for the network and all devices used to access it, especially BYOD.
Your corporate network must be secured with a firewall at every access point, including personal hotspots, private Wi-Fi networks, and public Wi-Fi. Most antivirus solutions include protection against malware, so they should be installed on every device used to access IT services, including employees’ personal devices.
5. Dark Web Searches
The dark web, which is not visible to regular search engines, hosts websites that allow cybercriminals to purchase stolen data and other goods anonymously. This data often contains sensitive information like social security numbers, credit card numbers, login credentials, and personal names and addresses.
The dark web makes it incredibly convenient for criminals to purchase stolen data, immediately access bank accounts, and commit identity theft. Some of your company, employee, or customer information may already be available on the dark web.
How to Defend Against This
There are software and online services available to monitor the dark web and identify whether your company data is out there. Similar to antivirus scans, you need to perform routine audits for continuous monitoring. Your IT department can conduct these regular searches, or you can contract a third party to perform this service.
If an audit shows that your company’s confidential information is on the dark web, you will need to confirm the report’s accuracy. You may have to modify network permissions and notify your customers (if applicable) that there’s been a data leak so that they can perform these same tasks. If necessary, you may even need to report the leak to an appointed monitoring body.
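Whether your IT department or a contracted service does the searching, the result is usually a report or dump file that someone then has to check against your own accounts. The following is an added example, not code from the article, of two checks run during such an audit. It assumes the dump has one "email:SHA1(password)" record per line and that the company domain is example.com; both are assumptions, and every record is constructed for the example. Check 1 lists the accounts on your domain that appear in the dump (matching on the exact "@domain" suffix, so look-alike domains do not count). Check 2 asks whether a hash is known-breached using a k-anonymous range query, in which only the first five hex characters of the hash leave your network and the returned "SUFFIX:COUNT" lines (the format the Pwned Passwords range API uses) are matched locally; the network call is replaced by a canned lookup so the example runs offline.

```python
"""Added example (not from the article): two checks from a routine
credential-exposure audit. The dump format, the company domain and every
record below are assumptions constructed for the example.
"""
import hashlib

COMPANY_DOMAIN = "example.com"  # assumption for the example


def sha1_hex(text):
    """Upper-case hex SHA-1, the form most password-breach corpora are keyed by."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def parse_dump(text):
    """Parse 'email:hash' lines into (email, hash) tuples; skips blank or malformed lines."""
    records = []
    for line in text.splitlines():
        email, sep, digest = line.strip().partition(":")
        if sep and email and digest:
            records.append((email.lower(), digest.upper()))
    return records


def accounts_on_domain(records, domain):
    """Accounts whose mailbox is exactly on `domain`.

    Matching the '@domain' suffix avoids the false positive a substring search
    gives for look-alike domains such as example.com.evil.net.
    """
    marker = "@" + domain.lower()
    return sorted({email for email, _ in records if email.endswith(marker)})


def split_for_range_query(digest):
    """Return (prefix, suffix): only the 5-character prefix is sent to the lookup service."""
    digest = digest.upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Find our suffix among 'SUFFIX:COUNT' lines; 0 means the hash is not in the corpus."""
    suffix = suffix.upper()
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def audit(dump_text, lookup, domain):
    """Combine both checks: exposed accounts, and which of them used a breached hash.

    `lookup(prefix)` returns the range response text for that prefix; in
    production it would perform the HTTPS request, here it is a canned stand-in.
    """
    records = parse_dump(dump_text)
    exposed = accounts_on_domain(records, domain)
    breached = set()
    for email, digest in records:
        if email in exposed:
            prefix, suffix = split_for_range_query(digest)
            if count_in_range_response(suffix, lookup(prefix)) > 0:
                breached.add(email)
    return {"exposed_accounts": exposed, "breached_hash_accounts": sorted(breached)}


# Constructed dump: two company accounts, one unrelated domain, one look-alike domain,
# plus a blank line and a malformed line to exercise the parser.
CONSTRUCTED_DUMP = "\n".join([
    f"alice@example.com:{sha1_hex('password')}",
    f"bob@other.org:{sha1_hex('123456')}",
    f"carol@EXAMPLE.com:{sha1_hex('Tr0ub4dor&3-unique-for-this-example')}",
    f"dave@example.com.evil.net:{sha1_hex('password')}",
    "",
    "not-a-record",
])

# Constructed range response for the prefix of sha1('password'); the counts are made up.
CONSTRUCTED_RANGES = {
    sha1_hex("password")[:5]: "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        f"{sha1_hex('password')[5:]}:3730471",
        "01E7B9F6B4C9B5C1D5D8BFA3E7E0A5F2C3D:12",
    ]),
}


def constructed_lookup(prefix):
    """Stand-in for the network call: canned response per prefix, empty if unknown."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(audit(CONSTRUCTED_DUMP, constructed_lookup, COMPANY_DOMAIN))
```

The output lists alice and carol as exposed accounts, but only alice as using a hash that the range lookup knows; the look-alike domain entry for dave is ignored. In a real run the exposed list drives the password resets and the customer notifications the article mentions, and the range-query approach lets you check hashes against an external corpus without handing that corpus provider the full hash.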
6. Dumpster Diving
Cybercriminals can find sensitive information from your physical paper trail rather than a digital one. Dumpster diving is still a successful way to retrieve information such as login credentials, account numbers, and other sensitive data.
Physical corporate offices still rely on paper. Employees often print emails for easy access. Invoices, spreadsheets, reports, and a plethora of other documents are printed, distributed, and eventually disposed of daily. Further, paper products are recyclable, so they are disposed of in designated paper-recycling bins rather than the regular trash. Think of how much sensitive data may be sitting in those recycling bins.
How to Defend Against This
One essential way to protect data printed to paper is to add a shredder to your disposal routine. Depending on the sensitivity of your information, you can use an on-premises shredder or contract with a document shredding company. If you shred on-site, be sure the shredder has a setting for fine pieces rather than strips. That way, criminals can’t piece the documents back together.
Be sure to train your staff in the proper disposal of documents. Depending on the project or the nature of the information, regulatory disposal procedures may already be in place. In that event, be sure your staff are aware of them.
Using a secure bulk shredding service is another option to consider: your staff place sensitive paper documents in locked bins for secure offsite shredding.
Conclusion
Cybercriminals have become systematic in their approach to finding and selecting victims. Much of what they are looking for is readily available on your corporate website and social media footprint. They can gather material for their phishing, whaling, and other social engineering attacks from LinkedIn profiles. Hackers are further aided by the dark web, which makes sensitive information and malware tools readily available.
Your company must be vigilant in order to predict a ransomware attack. In addition to security protocols and antivirus software, educating your staff is the most vital element in any security plan. Everyone can do their part to protect the company’s network and sensitive data. Please get in touch if you would like to discuss any aspect of your security requirements in further detail.