“In a gold rush sell shovels” - Unknown
In the early days of the internet, hacking was complicated: a skill reserved for a few elite coders and experts in computing and networking. As time has gone on, trends in hacking, malware, and DDoS attacks have followed a broader trend in computing and internet services, namely commoditization. A wealth of SaaS tools is now available online for everything from coding to payroll management to threat intelligence. Unfortunately, the same can be said of illicit tools. Ransomware tools, DDoS attacks, and other malicious services are now available online for a price.
Malicious software and botnets take hundreds or even thousands of hours to build. One bad actor who writes a piece of ransomware could expect to generate substantial illicit profits. However, the true value for that person lies in selling the ransomware to tens or even hundreds of thousands of wannabe hackers who have the desire to extort money from unsuspecting businesses and individuals but not the skills. The commoditization of hacking tools has resulted in a cyber-landscape rife with malicious actors who have few skills but can carry out sophisticated attacks anyway, because they spent a few hundred dollars to buy a ransomware program.
So the question then becomes: how should business owners and organizations combat the proliferation of illicit tools? The answer is unfortunately not easy. It is impossible to entirely secure a company, but there are a few simple steps you can take that will substantially reduce your risk of becoming the victim of a ransomware (or other malware) attack. The number one way in which small businesses are infected with ransomware and malware is through email phishing. Phishing presents a unique problem for small businesses because it exploits a business's most vulnerable vector: the human element.
Fortunately, there are ways to counter email phishing campaigns. First, all employees should receive substantial and detailed training on how to avoid phishing emails. Employees should be taught to always verify the sender of a message and not to click any links or download any files unless they are certain that the message is legitimate. One file download can provide a vector that can wipe out tens or even hundreds of thousands of dollars in value. Additionally, companies must ensure they are using properly configured spam filters that will prevent phishing emails from ever arriving in an employee’s inbox.
There is no total security solution. There is only the possibility of reducing cyber risk to a level that business owners and executives are comfortable with. In the coming weeks, ZenOpz will be running a series of blogs on how to build a proactive security program from the ground up. We will cover topics such as risk management, incident response, threat intelligence, and other critical components of an effective security program. Hopefully, business owners will be able to use these tips to fashion a security program that works for their business at minimal cost. In the meantime, check out our post on the cyber war being waged against small businesses.