IT security in SMEs sometimes depends on the awareness of the employees.
Many Swiss entrepreneurs still think that cybercriminals are not interested in SMEs. But it is precisely this careless attitude that cybercriminals are taking advantage of and are increasingly attacking the IT security of SMEs. Andreas Eugster, head of the Zug police cyber investigation department, has a lot to do. And he has a clear message to entrepreneurs in the canton of Zug and throughout Switzerland.
Increasing number of cyber incidents – Inadequate IT security
The police statistics of the canton of Zug show increasing numbers of cyber incidents. Andreas Eugster and his team come into play when the IT security was not sufficient, the fraudsters were successful and the company files a criminal complaint with the authorities.
Digital investigation is the task of the Zug police cyber investigators: looking for clues, evaluating data, drawing conclusions and continuing to search. Andreas Eugster doesn't reveal exactly how they do this. Police tactics. But he reveals something without hesitation: “There is always more to do for us”. Today, every analog crime also has a digital component, explains Andreas Eugster. You can hear his passion for his job. Cybercriminals know exactly where the chances of a successful digital break-in are greatest.
The biggest risk is people
The technologies of the major providers are now equipped with the most modern and intelligent security functionalities. This has made humans the weakest link in the chain, as Andreas Eugster knows from his own experience: “The gateway is almost always a human interaction. One click on an inconspicuous link can be enough for a perpetrator to gain access to the system.”
To get people to take such actions, cybercriminals use the manipulation technique known as “social engineering”. They disguise themselves and fake activities, for example by sending emails in the name of superiors or partner companies. Deceived employees thereby let cybercriminals past even the most intelligent security technologies, and don't even notice it.
The origins of social engineering
Social engineering is a phenomenon in IT security that has gained attention due to the connection between the world of work and private life. Particularly due to the spread of social media and mobile devices, communication between professional and private life has become even more mixed.
Until the early 2000s, standardized forms of communication from the world of work, such as emails or telephone calls, were also used in private life. It was common for business telephone numbers and email addresses to also be known to private contacts. So they could also be used for private communication.
Contact from your personal environment via a professional communication channel was therefore not ruled out. However, it was only possible to a limited extent to access company data or passwords via fictitious telephone calls or spam emails. A common process was and is so-called phishing.
The term is made up of the words “password” and “fishing”. It refers to the process of stealing passwords via manipulated links.
New forms of social engineering
Towards the end of the 2000s, smartphones and social networks spread ever further. The use of new platforms became a generally accepted form of communication. Companies also created their own profiles on social platforms.
A number of social media outlets have emerged as places where personal and professional communication intersect. Company employees not only used computers, but also their own mobile devices. This meant they could conduct professional and private communications on the same platform within a few seconds. This reduced the separation between work and private life.
Added to this is the new trend of using private IT devices for work purposes. This opened up many new opportunities for attackers in the area of social engineering. Instead of sending emails to large and untargeted lists of individuals, they can now spy on specific people.
How does social engineering threaten companies’ IT security?
Individuals and their employers can be easily identified via social networks. In particular, comparing data from professional and private networks is very helpful. In the first step, an attacker can select a target person from a specific company. In the second step, the attacker can gain the person's trust over weeks or months. Once that trust is established, he can casually ask for specific company-related information during a conversation.
Attackers can also use fake profiles to pose as employees, project partners or suppliers of the same company. Another method is the manipulation of programs such as browsers on the target's computers. The attacker can then steal the company's login data via fake but deceptively real-looking websites.
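The two tricks described above and in the section before it, mail sent in the name of a superior or partner and links that lead to a deceptively real-looking copy of a company site, can be made visible to employees with a few mechanical checks. The following is an added example written for this article, not code from redIT or from the Zug police: it parses a constructed email, compares the sender's display name and domain against an assumed company domain (`example-ag.ch`, fictitious), folds common look-alike characters so `examp1e-ag.ch` is recognised as an imitation of `example-ag.ch`, and flags links whose visible text names a different host than the one they actually open. The trusted names and both messages are constructed; the "last two labels" rule for a registrable domain is a deliberate simplification.

```python
"""Heuristics an awareness trainer can show staff: does this mail come from whom
it claims, and do its links go where they appear to go? (Added example; the
company domain, names and messages below are constructed.)"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import urlparse

COMPANY_DOMAIN = "example-ag.ch"                        # assumption: the SME's own mail domain
TRUSTED_DISPLAY_NAMES = {"hans muster", "buchhaltung"}  # constructed: names staff expect mail from
DOMAIN_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def registrable(host: str) -> str:
    """Reduce a host to its last two labels (simplification; no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold common look-alike tricks so 'examp1e-ag.ch' compares equal to 'example-ag.ch'.
    Only used for comparison, so folding genuine letters as well is intended."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def host_of(text: str) -> Optional[str]:
    """Host named in a URL or bare domain inside link text, or None if there is none."""
    m = DOMAIN_RE.search(text)
    return m.group(1).lower() if m else None


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse(raw_message: str) -> list:
    """Return sorted finding codes for one RFC 822 message with an HTML body."""
    msg = message_from_string(raw_message)
    findings = set()

    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.partition("@")[2]) if "@" in addr else ""
    # A familiar name on an address outside the company is the classic "mail from the boss".
    if name.lower() in TRUSTED_DISPLAY_NAMES and sender_dom != COMPANY_DOMAIN:
        findings.add("display-name-impersonation")
    if sender_dom != COMPANY_DOMAIN and normalize(sender_dom) == normalize(COMPANY_DOMAIN):
        findings.add("lookalike-sender-domain")

    _, reply = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply and registrable(reply.partition("@")[2]) != sender_dom:
        findings.add("reply-to-domain-differs")

    payload = msg.get_payload(decode=True)
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace") if payload else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        href_dom = registrable(urlparse(href).hostname or "")
        shown = host_of(text)
        # Visible text says one site, the href opens another.
        if shown and href_dom and registrable(shown) != href_dom:
            findings.add("link-text-mismatch")
        if href_dom and href_dom != COMPANY_DOMAIN and normalize(href_dom) == normalize(COMPANY_DOMAIN):
            findings.add("lookalike-link-domain")
    return sorted(findings)


# Constructed sample: a CEO-style request with a look-alike sender and a disguised link.
PHISHING_MAIL = """\
From: Hans Muster <hans.muster@examp1e-ag.ch>
Reply-To: accounts@mail-relay-xyz.example
To: buchhaltung@example-ag.ch
Subject: Please confirm the transfer today
Content-Type: text/html; charset=utf-8

<html><body><p>Please confirm the transfer in the portal before 17:00:</p>
<a href="https://login.examp1e-ag.ch/sso?id=7731">https://portal.example-ag.ch/login</a>
</body></html>
"""

# Constructed sample: an ordinary internal mail that should raise nothing.
LEGITIMATE_MAIL = """\
From: Hans Muster <hans.muster@example-ag.ch>
To: buchhaltung@example-ag.ch
Subject: Quarterly figures
Content-Type: text/html; charset=utf-8

<html><body><p>The figures are in the intranet:
<a href="https://intranet.example-ag.ch/q3">intranet.example-ag.ch</a></p></body></html>
"""

if __name__ == "__main__":
    print("phishing  :", analyse(PHISHING_MAIL))
    print("legitimate:", analyse(LEGITIMATE_MAIL))
```

Run stand-alone, the first message yields five findings and the second none. In a training session, showing the two mails side by side with these codes makes the point of the article concrete: the visible name and link text looked right, and only the address and the real link target gave the deception away.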
There are no limits to the creativity of the attackers. The threat of social engineering has reached international proportions over the years. Europol has already taken on the fight against this form of online fraud. IT security companies like redIT also offer solutions to protect against phishing attacks.
“Awareness definitely needs to be raised.”
The cyber investigation department of the Zug police was launched in the summer of 2016. Since then, Eugster has picked up the phone many times: “I receive calls from companies of all sizes that have been attacked. The processes in large companies are often well-established, but small and medium-sized companies are usually overwhelmed and rely on external help. SMEs are still far too little aware that they are also lucrative targets for criminals with the intention of enriching themselves. This awareness definitely needs to be increased,” says Eugster.
Blackmail via ransomware
A common method of attacking companies through their own IT infrastructure is the use of ransomware. This is specially developed software that criminals use to manipulate data on company servers.
There are two types of ransomware. One encrypts data, the other blocks access to the computer but leaves the data on the computer unchanged.
In the second case, the victims of the attack have the opportunity to secure the information. This is done by removing the data carriers from the digitally locked computer. For this reason, it is much more interesting for attackers to encrypt data directly on the computer.
In a subsequent step, the company is confronted with a ransom demand. Until a few years ago, analog payment methods such as prepaid cards were still used. Today, attackers prefer to use digital currencies that can be sent anonymously.
Currencies based on blockchain technology are therefore often used for extortion via ransomware. This is not just the well-known currency Bitcoin. Various other currencies are also used for this purpose. Dash, Zcash and Monero are examples of digital currencies that allow attackers greater anonymity.
Ransomware attacks cost much more than just the ransom
If the ransomware strikes and encrypts the entire system, it becomes costly, but not primarily because of high ransoms. The police and the federal government clearly advise against paying ransoms at all. “If you make yourself vulnerable to blackmail once, you will always be vulnerable to blackmail,” says Eugster. What costs companies far more, however, are downtime and the resulting loss of sales, plus the costs of restoring and better protecting the entire IT infrastructure. Cost estimates for a cyber incident vary widely depending on the extent of the attack and on the source: USD 190, CHF 1 million or even USD 13 million.
No more reasons to neglect IT security
In 2020, companies worldwide named IT security as the biggest business risk for the first time. And yet, according to Microsoft, 90% of SMEs do not implement data protection. Many of the reasons for this no longer hold water in 2020: modern IT solutions offer enterprise-level security and are now available at SME prices. Cybercrime is highly relevant for SMEs, because at least every third SME has already come into contact with it. The only remaining explanation is a lack of awareness.
Training and awareness of employees
That's why employee training is a central point in the security precautions of SMEs. The workforce must be trained in user behavior and develop an increased awareness of fraudulent behavior patterns. Cyber investigator Eugster speaks here primarily of “healthy skepticism” and compares it with an analog example: “If you find a paper flyer in your mailbox, despite the ban on advertising, with a telephone number on it and promises of some kind of money, you hardly believe it and throw it in the waste paper.” It is precisely this behavior that must also find its way into the digital world.
A planned test attack gives an unvarnished view of IT security and of employee behavior; it is a good tool that can contribute a lot to healthy skepticism. And this is urgently needed, because cybercriminals are unlikely to lose interest in SMEs any time soon.
That's why we offer redCloud Phish Threat specifically for SMEs, a service that lets you test your employees without consequences to see whether they are fit to deal with fraudulent emails. The solution also supports security awareness training to keep the employee risk factor as small as possible.
What is IT security?
IT security is also central to your company. That's why we offer you a range of services that also include the protection and preparation of your employees. These include, among others:
- Security awareness training
- Protection against phishing attacks
- Setting up firewalls
- Provision of SSL certificates
- Protection against spam
We would be happy to advise you individually in this area. Get in touch with us today!