It was General Sun Tzu who first said, “know your enemy, and you shall win a hundred battles without loss.”
Unfortunately, as our businesses become ever more dependent on the digital economy, a new type of enemy has emerged – cybercriminals.
Described by the news outlet CNBC as a pandemic, global cybercrime is estimated to have cost businesses around $600 B in 2017.
In keeping with the general’s advice, this article will help you prepare for “battle” by giving you an overview of the ten most common tactics used by cybercriminals today, and it ends with some advice on how to deal with these attacks.
The New Target
While the news is filled with reports of cyber incidents involving large organizations, the number of small and mid-sized businesses targeted by criminals is growing. A 2018 Verizon survey uncovered over 53,000 cyber-events and 2,200 successful data breach events. In 58% of the cases, the victims of these attacks were characterized as small businesses.
The actual number of incidents might be much larger since many attacks on small businesses go unreported. A study commissioned by the Hiscox Insurance Company and conducted by Forrester Research found that 47% of small businesses suffered at least one cyber-attack in the past year.
A similar study by Small Biz Trends indicates that small and mid-sized companies are now the target of 43% of cyber intrusions. Unfortunately, 60% of the organizations that suffer a severe attack fail within six months.
The reason for these attacks varies. As you might suspect, 76% are financially motivated and 73% of attacks are initiated by non-insiders, meaning people not affiliated with the organization.
The Verizon study showed that crime syndicates are the main perpetrator, representing around 50% of attacks. Business “insiders” were the second largest group, followed by nation-state affiliated groups and government-sponsored hackers.
Beyond financial gain, the other top reasons for cyber-attacks include:
- Intellectual Challenge/Fun
- Ideological Differences
The list of industries that are the prime target of cyber-criminals is not surprising. According to the Verizon report, repeated targets include:
- Healthcare Operations
- Accommodation/Hospitality Industry
- Educational Institutions
- Financial Service Firms
- Manufacturing Companies
- Retail Operations
- Public Service Agencies
Types of Attacks
Since their beginning in the late 1980s, cyber-attacks have evolved and diversified. The following is a list of common cyberattacks used by criminals against small and mid-sized businesses.
- Phishing
Phishing attacks remain the most common form of cyber-attack faced by small and mid-sized businesses. They consist of emails designed to trick the recipient into clicking on a link that either downloads malicious code (a.k.a. malware) or connects the user to a website where a series of interactions and questions attempts to gain disclosure of confidential information such as a password, social security number(s), or banking information. Cyber experts estimate that about 4% of phishing attacks succeed in penetrating security defenses and allow criminals to gain from their efforts.
- Ransomware
In 1989, the first reported ransomware attack took place. It was instigated by Harvard-trained scientist Joseph Popp, who created what became known as the AIDS Trojan – a virus that targeted AIDS researchers and demanded money to release their locked-up files.
Ransomware attacks showed up intermittently until 2005 when their number began to skyrocket. Today there are more than twenty variants of this type of malware. According to cybersecurity firm Acronis International, six organizations a minute are the targets of ransomware attacks. Of these, 34% indicated that they would pay if their environment was compromised.
Ransomware takes two general approaches. In one type of attack, the malware encrypts files, preventing access. In other situations, the malicious code takes control of internal utilities and locks access to files. This includes “shadow copy” backups automatically created by the operating system.
If the ransom is paid, a decryption key (in theory) is sent to the user, which restores access to the information.
- Man in the Middle
The widespread use of wireless access points (i.e., WiFi) has made this type of attack very popular. The criminal sets up a communication channel between two parties which allows simultaneous eavesdropping on the exchange. This allows the undetected interception of passwords, financial data, personal information, or other valuable material.
This type of attack is often successful when travelers are forced to rely on an unknown WiFi network such as at an airport, school campus, or hotel lobby.
- Trojan Horse
Drawing on a story line in the Aeneid by Virgil, the metaphoric title explains the nature of this attack. Through a variety of means, criminals convince a user to download malware which enables them to delete data, block access to data, modify files, copy information or monitor online activity.
There are several types of trojan horse malware including: trojan-banker, trojan-downloader, trojan-dropper, trojan-IM, and others.
- Denial of Service
A Denial of Service (DoS) attack consists of one or more servers flooding a targeted computer with so many requests that the computer system runs out of resources and shuts down. For example, a DoS attack could overwhelm an e-commerce website, shutting down the firm’s business.
There is a variation called a Distributed Denial of Service (DDoS) attack. It takes the form of coordinating multiple systems to direct their service requests so as to overwhelm even large servers.
- Watering Hole
This colorful name draws inspiration from the way in which some predators lie in wait at watering holes to attack visitors to the site. In this case, criminals monitor traffic to specific websites and then infect them with malware with the expectation that one or more of the returning visitors will eventually fall victim to the infected site.
These attacks often target groups or specific organizations.
- Computer Worm
These are self-replicating programs that generally consist of two parts. The worm itself is malware designed to self-replicate and spread from computer to computer, gaining control of their resources. The second part of the virus is called the payload and it is the segment that performs malicious acts such as deleting files or encrypting information as in a ransomware attack.
DDoS attacks rely on worms to gain control of multiple computers which can then be organized into a coordinated denial of service attack.
- Hacking
This is a generic term that refers to the practice of modifying or altering computer hardware or software in order to allow unauthorized access or use of the computer’s resources. There are many types of hackers including white hats, who provide security services for companies by testing the barriers protecting the organization’s information technology systems. They are also known as ethical hackers.
Other hackers seek personal gain (black hats), while others simply enjoy the intellectual challenge of testing their skills against strong, secure networks. Black hats will often target small businesses in the hope of finding various vulnerabilities that are not present in the networks of large organizations.
- Found USBs
If on your way to your car or your office you happen to glance down and see a USB stick, our advice is do not take it to your office and plug it into a computer. This is a common trick used by criminals to gain access to your network. What might look like a lucky find could turn out to be a devastating ploy that puts your entire computer network at risk.
Recently, to increase the temptation to examine such a find, criminals have been baiting this scam with ever-larger memory sticks, sometimes measured in terabytes.
- Social Engineering
One of the oldest techniques used to penetrate security networks, social engineering is the use of deceptive practices to extract confidential information for nefarious purposes. It sometimes takes the form of a phone call or email in which the criminal poses as a new employee seeking help in logging into a network from a remote location. Playing on the sympathy of the targeted person, the request for assistance is often rewarded with disclosed passwords and contact points.
Once logged into the network, the criminal has the freedom to install viruses, worms, and other forms of malware. This was the technique used by hackers who invaded the Sony Pictures network in 2014, which led to the release of various payroll records, confidential memoranda, and the pirating of unreleased movies.
The Future of Cyber Crime
Cybercrime is on the rise. A United Kingdom government estimate claims that the number of records breached has grown from 3.8 M in 2010 to 3.1 B in 2016. This amounts to an astonishing 1,000-fold increase in seven years.
As these attacks increase, the tools and techniques being used to perpetrate these crimes are also growing and evolving.
Now that various governments have launched clandestine hacking projects, new technologies are entering the cyber-battlefield. For example, security experts warn that the use of artificial intelligence will cause dramatic advances in penetration, which might outstrip the ability of cybersecurity experts to cope with attacks.
Coping with Cybercrime
Fortunately, there are some simple things that businesses of all sizes can do to significantly reduce the risk of a successful cyberattack.
- At the top of the list is employee training. Consider periodic lunch and learn seminars run by a cybersecurity expert who can brief employees on the most common types of attacks and how to react when they see them.
- Keep your software updated and apply patches sent out by the vendor as soon as they are released. This dramatically narrows the window during which a cybercriminal can hack into your network.
- Implement well-thought-out security policies, especially regarding the use of various memory devices (e.g., thumb drives) on your network.
- Rotate passwords frequently. Likely, this is the one policy that will get the most outcry from the staff since no one likes to keep track of these frequent changes. However, it is an important and effective means of blocking hackers, especially former employees.
- Integrate cyber-response into your overall readiness response plan. Consider running a cyber-attack drill to see how your staff reacts to this category of threat and add a cyber section to your Emergency Action Plan.
Businesses of all sizes are now the targets of cybercriminals. Don’t assume that your organization wouldn’t be of interest to an attacker – it is now and will be in the future. Take steps to prepare so that your digital environment is not one that is tempting to a criminal.
Remember the words of Sun Tzu, “The greatest victory is that which requires no battle.”