Wednesday, March 11, 2015

Why are SMEs an attractive target for cyber criminals?


SMEs are a bigger target than they think

Most SMEs don’t realise the extent of the cyber security threats they face. We hear it over and over again, and recent government research confirms it: asked if they agreed with a number of common cyber security misconceptions, 78% of SME respondents to a Cyber Streetwise survey believed at least one. Two thirds of them (66%) didn’t even think their business was vulnerable at all.

In fact, PwC/BIS’s most recent Information Security Breaches Survey found that 60% of small businesses had suffered a security breach. Make no mistake: if you’ve got a website, you’re vulnerable.

Why your website is vulnerable

Your website is just a commodity. It doesn’t matter who you are or what you do – your website, and the information that can be accessed from it, is worth money to someone on the black market.

Even if you don’t store financial information such as customer payment details, the data you do hold – such as employee payroll details, proprietary data or client information – has a value to someone. Hackers will rifle your databases and pull all the information they contain.

Dell SecureWorks’ recent Underground Hacker Markets report examined the underground economy and found that the black market is booming.

Business information can be sold to competitors. Contact information can be, and is, collated with other stolen data and used to hack other accounts. Spammers want lists of email addresses. Some hackers want information on specific users or IP addresses. Some want to spread malware. All such information is traded online.

Moreover, the number of stolen credentials now for sale has inevitably led to prices dropping considerably, meaning they are increasingly easy to come by: 2014’s large-scale attacks saw one billion data records compromised – one for every three Internet users worldwide. Many of these were entirely unencrypted and ripe for immediate exploitation.

Hacking generally isn’t a one-off event, either: it’s a chain. Your website will be attacked, and once everything useful has been taken from you, the hackers will install malware that will infect your site visitors, so that their information can be stolen as well.

The cyber attack spreads, gathering more and more information as it goes. Eventually it’ll hit a big target. Your website may not be obviously valuable in itself, but as a means of attacking a bigger company in the supply chain, it’s a great asset. Many massive hacks on large companies have been perpetrated as a direct result of an exploit on smaller third-party suppliers.

How your website is vulnerable

Known vulnerabilities

Many SME websites use common, off-the-shelf CMS platforms, software, applications and plugins, which often contain vulnerabilities that can be exploited by hackers. Criminals use bots to crawl the Internet, looking for these vulnerabilities and amassing information.

When they find a vulnerability, they exploit it. When they don’t, they record as much information about the website as they can, and wait for a vulnerability to come to light that they can return to exploit later.

Automated attacks are cheap and easy to run, and by their nature are indiscriminate, looking only to exploit known weaknesses – not specific sites. Every website is equally at risk, including yours.

When a critical vulnerability is announced, the criminals will already be working quickly to exploit it before it’s patched. If you’re using unsupported or vulnerable versions (such as WordPress, Adobe or Windows, to use three recently affected examples), then your website will be compromised unless you act quickly to install a patch or update. In October last year, for example, Drupal announced that users who hadn’t patched their CMS platform within seven hours of a bug’s discovery should presume their websites had been hacked.

For this reason, SMEs are often at greater risk than their larger counterparts: although every Internet-facing organisation essentially faces the same threats, big organisations have the resources to support IT teams who are better prepared to deal with automated attacks, implement better patch management and software update programmes, and use regular penetration testing and vulnerability scans to determine the strength of their networks and web apps.

Weak passwords

Passwords also remain a common point of intrusion. Far too often, default passwords are left unchanged, or weak and easily cracked passwords are employed by lazy users.

Microsoft’s Security Intelligence Report (SIR), Volume 17 noted that: “What makes stolen account credentials so valuable to cybercriminals is the extent to which users reuse their account names and passwords across different sites and services”.

If another website has been compromised and login details have been stolen, criminals will automate attacks using the username/password combinations they have gained to see what else they can gain access to. Password reuse is rife, so the statistical chances of criminals gaining access to multiple sites with a single set of stolen credentials are vast.

This is why it is important to change all default passwords to strong passwords: you can be vulnerable simply because someone else from an entirely different company has chosen a poor password.
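The automated replay of stolen username/password pairs described above leaves a characteristic trace in an authentication log: one source failing against many different usernames in a short window, unlike a brute-force attack that hammers a single account. The detector below is an added, defender-side example (not code from the original post); the log lines are constructed sample data.

```python
"""Added detection example (not the original post's code). Credential stuffing
replays stolen username/password pairs: one source fails against MANY distinct
usernames in a short window, unlike brute force on one account. Constructed log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2015-03-11T09:00:01 203.0.113.7 alice FAIL
2015-03-11T09:00:02 203.0.113.7 bob FAIL
2015-03-11T09:00:02 203.0.113.7 carol FAIL
2015-03-11T09:00:03 203.0.113.7 dave OK
2015-03-11T09:00:04 203.0.113.7 erin FAIL
2015-03-11T09:00:05 203.0.113.7 frank FAIL
2015-03-11T09:01:10 198.51.100.9 alice FAIL
2015-03-11T09:01:15 198.51.100.9 alice FAIL
2015-03-11T09:01:20 198.51.100.9 alice FAIL
2015-03-11T09:05:00 192.0.2.44 grace OK
"""

def parse_log(text):
    """Yield (timestamp, source_ip, username, result) for each log line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result

def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_failures=5, min_distinct_users=4):
    """Return {source_ip: sorted usernames} for sources whose failures within
    one sliding window hit at least min_distinct_users different accounts.
    A source hammering a single account is left to per-account lockout."""
    fails_by_ip = defaultdict(list)
    for ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in fails_by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide window start
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if end - start + 1 >= min_failures and len(users) >= min_distinct_users:
                flagged[ip] = sorted(users)
                break  # one hit per source is enough
    return flagged
```

Only 203.0.113.7 is flagged: it fails against five different accounts within seconds, while 198.51.100.9 fails repeatedly against one account and is a job for lockout or rate limiting rather than this rule.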

Microsoft continues: “according to a 2011 study of 6 million user-generated passwords, 98.8 percent of users chose a password that was on the list of the most common 10,000 passwords and were therefore easily cracked using off-the-shelf password hash-cracking software and commodity personal computer hardware.”

A seven-character password comprising upper- and lower-case alphanumeric characters has 3,521,614,606,208 possible combinations (i.e. 62^7). Assuming an attacker’s password cracking tool can make 1,000 attempts per second, it would take up to 40,759 days (111.7 years) to defeat, which is significantly longer than any attacker is likely to bother with. Add punctuation marks and special characters and the inherent security of a password increases dramatically.

A brute-force dictionary attack may be more successful if the password is based on an actual word, even if “leetspeak” (replacing letters with numbers – e.g. “p455w0rd”) is used, but – again – attackers will give up after a set number of failed attempts.
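The arithmetic behind the 62^7 figure, carried through as an added example (not code from the original post): it generalises the keyspace calculation to other character sets and sets it against the guess budget an attacker needs for a common dictionary word and its “leetspeak” variants. The 1,000 guesses per second rate and the 10,000-entry common-password list are the figures quoted above; the LEET substitution table is an assumption for illustration.

```python
"""Added worked example (not from the original post): the arithmetic behind
the 62^7 figure, generalised to other character sets and lengths, and compared
with the guess budget for a dictionary word and its "leetspeak" variants.
All figures assume the post's rate of 1,000 guesses per second."""
import string
from itertools import product

GUESSES_PER_SECOND = 1000          # rate assumed in the post
SECONDS_PER_DAY = 86400
COMMON_LIST_SIZE = 10_000          # size of the common-password list cited

CHARSETS = {
    "lower": string.ascii_lowercase,                  # 26 characters
    "alnum": string.ascii_letters + string.digits,    # 62 characters
    "alnum+punct": string.ascii_letters + string.digits + string.punctuation,  # 94
}

def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length

def days_to_exhaust(combinations, rate=GUESSES_PER_SECOND):
    """Worst-case days to try every combination at `rate` guesses/second."""
    return combinations / rate / SECONDS_PER_DAY

# Assumed substitution table (illustrative, not from the post)
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}

def leet_variants(word):
    """All spellings reachable by optionally substituting each letter per LEET;
    this is the whole guess budget one dictionary word costs an attacker."""
    options = [(c, LEET[c]) if c in LEET else (c,) for c in word.lower()]
    return {"".join(p) for p in product(*options)}

def summary():
    """Brute force over the 62^7 space versus a dictionary-plus-leet attack."""
    brute = keyspace(len(CHARSETS["alnum"]), 7)
    dictionary = COMMON_LIST_SIZE * len(leet_variants("password"))
    return {
        "alnum_7_combinations": brute,                        # 3,521,614,606,208
        "alnum_7_days": round(days_to_exhaust(brute)),        # 40,759
        "alnum_punct_7_days": round(days_to_exhaust(keyspace(94, 7))),
        "dictionary_with_leet_seconds": dictionary / GUESSES_PER_SECOND,
    }
```

The contrast is the point: 10,000 common words with 16 leetspeak spellings each is exhausted in under three minutes at the same rate that needs 111 years for a random seven-character alphanumeric password.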

Of course, a password is a single authentication factor. No matter how strong it is, if it becomes widely known, it’s no barrier to access.

For even greater security, you should consider two-factor authentication, where a password must be combined with some other authentication factor such as a one-time password or secret question. Think of your bank card and PIN combination as an example: you need both factors to access your account.


Wednesday, January 28, 2015

COUNTRIES SHOULD INVEST MORE ON CYBERSECURITY

During the World Economic Forum in Davos this year, cybersecurity was one of the agenda items. François Hollande urged countries to invest more in cybersecurity. Eugene Kaspersky, chairman and CEO of Kaspersky Lab, also addressed the most pressing issues facing cybersecurity during a panel session.


In the panel discussion, Toomas Hendrik Ilves, President of Estonia; Jean-Paul Laborde, Executive Director of the United Nations Security Council Counter-Terrorism Committee Executive Directorate; and Bradford L. Smith, Executive Vice-President of Microsoft Corporation, considered how to balance security and privacy in the Internet age, how to build resilient cyber defences at the national level, and how international cooperation can bolster global cybersecurity.

Tuesday, January 27, 2015

Worst Mistakes People Make In Email Subject Lines

We asked career and email experts what not to do in your email subject line. Here are the most common mistakes:

1. Not writing one

Not including a subject line is one of the biggest mistakes you can make. Amanda Augustine, career expert at professional job-matching service TheLadders, stresses that the subject line can be the most important part of the email, since it often determines whether an email is opened and how the recipient responds. An email with a blank subject line will likely get deleted, lost, or immediately irritate the recipient, who is forced to open the email to figure out what it's about.


2. Writing too much

A typical desktop inbox reveals about 60 characters of an email's subject line, while a mobile phone shows just 25 to 30 characters, says Augustine. What's more, 50% of emails are now read on mobile phones, according to Dmitri Leonov, a VP at email management service SaneBox. If you write more than six to eight words and don't put the most important words at the beginning, you could lose the recipient right from the start.


3. Being too vague

The subject line should communicate exactly what the email is about so that the recipient can prioritize the email's importance without having to open it. For example, writing "Do you have a sec?" is too vague, says Augustine, since the reader will have to open the email or reply to figure out what you want. Don't make the reader guess. Keep it specific, straightforward, and use logical keywords that will make it searchable later.


4. Using filler words

Since you only have so much space to work with, don't waste it with unnecessary words like "hello," "nice to meet you," and "thanks," which can easily be included in the email's body. For instance, if you're applying for a job:

Don't write: Hello! May I ask about a job opening?

Do write: Referred by Jane Brown for Technical Writer position


5. Putting words in ALL CAPS

Using all caps may get someone's attention, but in the wrong way. It's the digital equivalent of yelling, and your job is to make the email as easy as possible for the recipient to read rather than giving them anxiety, says Leonov. Instead, use dashes or colons to separate thoughts, and avoid special characters like exclamation points.


6. Starting a sentence that finishes in the email

If you begin a thought or question that ends in the email body, the reader is forced to open the email. It's annoying, and since clarity and respect for the recipient's time are the goal, it's not very helpful, says Augustine. Consider whether an instant message, a call, or an in-person chat might be a better medium for your question.


7. Using the wrong name

Augustine says copy-and-paste errors are all too common. Sometimes when people are sending a similar email to multiple people, they forget to tailor it to each reader and end up with the wrong name or title in the subject line. The easiest way to avoid this is to reread the subject line before you hit send.


8. Not indicating the urgency

"People want to know whether they really need to read this now and if they have to respond," says Augustine. If you need a response, make it clear in the subject line and set a deadline. For instance, you could say: "Please reply by Friday." If not, tack on "no response needed" or "FYI" to the end.


9. Not including who referred you

If you've been referred by a mutual acquaintance, do not save that for the body of the email, says Augustine, since you risk it getting trashed before the recipient opens it. To grab the reader's attention, she suggests beginning the subject line with the full name of the person who referred you.