2022 was a challenging year for all companies, regardless of their size, economic activity and even level of cybersecurity budget. Social Engineering, Ransomware and ZeroDays attacks were mainly responsible for the headache of many IT departments and even the closure of many companies that did not have the economic muscle or the right strategy to deal with this crisis.
That only happens in large companies
However, we still hear small and medium-sized companies say, “That only happens to big companies, have you ever heard an SME say it was attacked”.
Let’s think for a minute, a small or medium sized business, which has about 200 customers, which allows it to receive considerable profits for its size, pay bills, and provide jobs. Knowing the negative impact to their image, they really believe that they will be in the press saying “We were hacked”, that is NOT going to happen, in many cases when they are victims of a cyber criminal, they prefer to keep silent and see how they can solve by their own means, even paying when they are extorted by Ransomware. Which helps the Ransomware as a Serviceindustry stay in the game.
Ransomware as a Service
Many are still surprised when they hear “RaaS” or “Ransomware as a Service”, they see it as a joke, however, cybercriminals are at the forefront of technology and are perfectly aware of the different business models, both current and emerging.
RaaS is a business model based on subscriptions purchased by affiliates who are responsible for distributing the malware previously developed by the Operator, and receive a commission for each victim who pays the ransom for their information, thus reaching more countries, more victims, with less effort and less chance of being caught and using multiple techniques.
As shown in the image above, there is a whole infrastructure behind this service, very well financed by organized crime in many cases and in other cases just a group of enterprising criminals.
Now let’s not lose the focus of Affiliate number 3, the reason why we wrote this article, the “Script Kiddies”, people with little knowledge of computers, who become experts running tools without the slightest knowledge of how they work. These are the most dangerous actors, since they do not measure risks of any kind, they have no remorse, since, for them, this is a simple game and, not having any relevant knowledge, they look for the so-called “Low Hanging Fruit” or “Low Hanging Fruit”, and who are they?
Low Hanging Fruit The Ideal Target for Script Kiddies
Low Hanging Fruit, are known as those targets, easy to obtain, within which stand out, people or organizations with little or no awareness in cybersecurity, and mainly the famous “Who will attack me?”, and clearly in this classification enter SMEs.
Why are SMEs the PlayGround of Cybercrime?
Why complicate your life, if it can be easier and with little effort.
Instead of attacking a large company and demanding a ransom of $250,000 or more (which it probably won’t pay), cybercriminals prefer to attack 500 easy companies and charge $5,000 each, knowing that they would rather pay it than go bankrupt. In this way, the cybercriminal receives $2.5 million. Multiply this per affiliate and you will see why it is such a lucrative business and a difficult war to fight for those who are not cybersecurity conscious and/or believe they need infinite resources to protect themselves.
Why is it so simple?
- Little or no awareness of cybersecurity issues (Not all).
- Reduced IT staff, with inadequate training (Todologists).
- Reduced IT budget.
- Nonexistent or inadequate security controls for your scenario. (Home antivirus, computers without updates, among others).
I’m Aware of the Risks, but the Solutions are Too Costly
This is not true at all, many times small changes in our culture can have a big impact on the security of the organization.
The problem lies in the fact that, when seeking help from security companies, they focus on large and well-known consulting firms that, although they have excellent products and services, these have costs that are too high for small companies, generating immediate rejection and the assumption that there are no alternatives that adapt to their reality and needs.
Logically, the investment in cybersecurity controls must be proportional to the value of the information to be protected, and the cost of recovering in case of loss of this information. Reminding them that the cost is not only in money to be paid to a consultant, but in time and impact on the corporate image.
What Can I Do Then?
We present you with the phrase “Small actions generate big changes”.
- Seek advice from consultants who can guide you and help you identify your real need and put you on the right path (LinkedIn is a good place to look for them, or in security communities such as the Dojo Community).
- Define your business processes.
- Define security policies for the protection of your information that are aligned with business objectives and allow the execution of the organization’s processes and operations.
- Use original software or programs, many times support analysts, without proper training, offer to install pirated programs, according to them “Free” or “Cheaper”, to save a few dollars, generating higher costs in the future.
- Verify that all your systems are up to date (everything connected to your network).
- Have an up-to-date and automated software and hardware inventory of all your devices.
- Protect your computer with phrases that are easy for you and difficult for others (“I love going out on Sundays with my wife.”).
- Never leave your computer unlocked, (No matter how much confidence you have in your computer, the biggest threat may be inside). Do not share your username and password with ANYONE.
- Use vaults to store your passwords, I personally like KeePass.
- Classify your information by level of importance and confidentiality and protect yourself from information leaks.
- Back up your data on external drives, and at least in more than one place (External drives + Cloud), encrypt your data before uploading or storing it elsewhere.
- Make use of firewalls and only open the ports that are necessary to operate.
- Use enterprise security solutions, not home-made ones, there are many low-cost ones such as “Kaspersky Cloud Security” for small and medium-sized businesses, with a centralized online management and reporting console.
- Beware of suspicious emails containing links or attachments that you were not expecting. Contact the sender to verify the information.
Some Solutions and Services for SMEs
- Wazuh
- PfSense Firewall
- Kaspersky Endpoint Security Cloud
- AssetExplorer (For inventories)
- Managed Network Security Service (We protect your network, you focus on your business)
- Safetica (Data Leakage Protection)
- Infection Monkey (Attack Simulator)
Conclusions
- Cybersecurity is everyone’s issue, no matter if you are a micro, small, medium or large company, everyone can be the next victim.
- Small changes in our mentality and some basic controls can help us reduce the risk.
- Use original software and always keep it updated.
- Seek professional advice, just because your neighbor or friend installs software does not mean he is a qualified technician.
- Always back up your information in external environments, it will make the difference between a company that is a victim of Ransomware that went bankrupt and one that did not.