Hackers target smaller fish

MNH Platinum are serious about fleet management services, and they’ve been doing it for 25 years, but with all due respect their operation, they’re not on the same scale as Sony Pictures or the Democratic National Committee. Yet that didn’t make them any less susceptible to hackers.

The UK firm was the victim of a virus which encrypted over 12,000 files on the company network. The perpetrators then demanded a ransom in order to decrypt the hijacked files. The virus inflicted on MNH Platinum proved resolute to counter-measures and this diminutive company had no choice but to accede to the hackers’ demands.

Small and medium-sized businesses in the cross hairs

The company’s case is not unique and many small businesses may now find themselves the target of unscrupulous and specialised cyber-criminals, as they seek out unprepared targets that would not consider themselves fruitful enough to attract the attention of hackers.   

The type of attack endured by MNH Platinum is called ransomeware and can be extremely profitable for the perpetrators. Previously ransomeware was able to ensnare PC users and expand to any network-connected device to gather hostages, but now this criminal enterprise is also able to target smartphones, Mac and Linux systems and even smartwatches.

A host of different types of attack

• Cross-site scripting attacks are malevolent scripts injected into otherwise benign and trusted websites with the aim of sending malicious code that is able to then access any cookies, session tokens, or other sensitive information retained by the browser and used with that site.
• Ransomware is where a piece of malicious software, typically received via a phishing email, encrypts all of the data on a company’s network, with the perpetrators requesting a ransom (typically £500–£1,000) in order to provide the decryption key.
• Hack attacks are where a hacker manages to gain access to the company’s network, characteristically by manipulating an unpatched vulnerability within the software, allowing them access to the company’s data. The target will generally be personally identifiable information (PII) on an establishment’s customers, especially credit and debit card information.
• Denial of Service attacks are when a company’s website is overwhelmed by a volume of data pushed to its servers in a malicious manner. These attacks are increasingly easy and cheap to carry out.
• Human error is common as people are generally the weakest link in any security chain, and a vast number of data breaches are the result of information being lost, or distributed to the wrong person. Even seemingly routine data can have far-reaching consequences, particularly where sensitive PII is involved.
• CEO fraud is where a criminal poses as a senior person within the firm, either by hacking or “spoofing” their email account, and persuades someone with financial authority to make a payment.

Time for vigilance

It’s concerning for business owners, but should be of a concern to us all as 2015 saw a record-setting total of breaches to systems and the reported number of exposed identities soared to 429 million. Yet this number might just be scratching the surface of the problem as more and more companies choose not to report the full extent of breaches for fear of a consumer loss of confidence.

Businesses are likely to become even more reluctant to report the magnitude of a breach when the EU’s General Data Protection Regulation comes into force in 2018. This could hit companies with fines reaching up to €20m or 4% of their annual turnover, whichever is greater, for allowing any security breaches to compromise their customer data. 

Cyber-criminals are dependent on small and medium businesses effectively keeping their drawbridge down in the belief that they’re not big enough to warrant the attention of sophisticated hackers. However, attitudes are gradually changing and small businesses are starting to appreciate the potential severity of cyber-attacks, but there are still many firms that have failed to implement proactive protection and are juicy pickings for computer pirates.

Tips to protect your business against cyber-attacks

• Make your password harder to hack with upper- and lower-case letters, numbers and special characters. They should be at least eight characters in length and not spell any meaningful words.
• Change your password regularly with a password management service like Dashlane or PasswordBox which can help you keep track of hard-to-remember passwords.
• Clear your browser history so that it becomes difficult for anyone to create a detailed record of your online activities.
• Do not use free Wi-Fi as they offer an easy way for hackers to access everything on your device.
• Use HTTPS (hyper-text transfer protocol secure) to add an extra layer of security and encryption while online.
• Watch what you click on as phishing enables someone to infect a computer with a harmless-looking email.
• Always use an anti-virus as it can offer many different types of computer protection and keep you one step ahead of hackers.
• Be careful while using a thumb drive as they can be Petri dishes that will spread viruses easily across computers and networks.

The editorial unit