The massive ransomware attack known as WannaCry, which spread across tens of thousands of computers worldwide on May 12, demonstrates yet again the value of an airtight cybersecurity policy. WannaCry, which crippled high profile targets like Britain's National Health Service (NHS) and Spanish telecom Telefonica, includes a National Security Agency (NSA) exploit called EternalBlue, which the intelligence agency lost control of last year.
But it's not just large companies or systems like the NHS that are vulnerable to WannaCry. Andrew Stuart, managing director EMEA at Datto, said small businesses need to protect themselves from these attacks too, lest they suffer a fatal blow from cyber criminals who have managed to get their hands on a spy agency's cyberweapon.
"Smaller businesses are just as likely to be hit by this worm, as well as the new variants that the NCSC is warning us to expect this week," Stuart said. "The struggle for smaller firms is they don’t necessarily have the resources to call in experts to clean up their networks in the aftermath of an attack such as this."
That doesn't mean small businesses are defenseless, though, Stuart said. By taking the following steps, entrepreneurs can ensure their company – and by extension their livelihood – is protected from cyberattacks like WannaCry. [For more information on the origins and impact of WannaCry, visit our sister site Tom's Guide.]
- Install the latest Windows update: A mid-March Windows update includes a patch that closes the vulnerability that makes WannaCry effective. Users who install this update will be insulated from the attack.
- Update anti-virus software: There remain many different types of viruses out there, and cybercriminals are always building on them and innovating. No doubt a variant of WannaCry will show up on the scene too. So, for added protection, make sure your anti-virus software is up to date.
- Back up all data: Finally, you can't be locked out of your data for good if you have it backed up on hard drives that aren't connected to your network. That way, if your network is infected, you still have access to your data. Once you clean up your network, it's as simple as recovering your data from the backed-up source.
Research conducted by Datto shows just how high a risk small businesses are taking if they don't employ these cybersecurity best practices. In September 2016, Datto surveyed European IT service providers to gauge the frequency and pervasiveness of ransomware attacks on their small business clients. Of those surveyed, 87 percent said their clients had been targeted by an attack in the past year, while 62 percent said the attacks led to a potentially fatal downtime for the victim-businesses.
Bob Antia, chief security officer and VP of IT Operations and Facility at cloud-based data backup company Unitrends, said these types of attacks are not likely to stop.
"I think this is the new normal," Antia told Business News Daily. "Two weeks ago it was the Google Docs [email phishing scam]. This week we have [WannaCry] and that's morphing on a daily basis because source code is out there. We know the NSA treasure trove is in bad guy's hands, why wouldn't they use it?"
The biggest difficulty when it comes to cybersecurity for small businesses, Antia said, is that entrepreneurs often lack the time and the expertise to properly defend themselves. That's where automated, cloud-based data backup services come in. After a brief configuration period, the automated system transfers all of your important data to the cloud, where the service provider maintains and protects it separately from your own network in the event of an attack.
In addition to ransomware attacks like WannaCry, Antia warned entrepreneurs to be on the lookout for other attempts to break into their network. What it comes down to, he said, is "never trust, always verify." Here are two other methods cyber criminals employ to compromise a network, and how you can avoid them, according to Antia.
Email scams: Whether it's phishing for passwords or trying to steal tax returns, cyber thieves are creative. Human error is the number one reason for the success of an email scam, so educating staff to stay on top of their email behavior is key. Hover over links, examine email addresses carefully and never divulge sensitive information without first confirming the recipient's identity, either in person or with a phone call.
"Constant suspicion on email is always good hygiene," Antia said. "When in doubt pick up the phone and call."
USB storage: USB storage devices are also a common vector for attacks. Also amongst the stolen NSA cyberweapons was at least one that employed USB vulnerabilities. It was the infamous Stuxnet virus that was used to disable Iranian centrifuges in 2010. Never utilize (or allow your employees to utilize) USB devices from an unknown source.
"Be careful who and what you get your storage from," Antia said. "If you find a USB stick on the ground or in a parking lot, throw it away. Just not worth it."
The good news is, these attacks are preventable if you keep your software up to date and your guard up. Educating and training staff, backing up sensitive information and storing it in a safe place, and following cybersecurity best practices will help insulate you from the most damaging attacks and thwart cyber criminals attempts to take your business down.
For an in-depth look at cybersecurity and policies you can begin implementing to defend yourself, visit our Cybersecurity Guide for Small Businesses.