The latest victim: the White House. That tells you all you need to know about just how effective spear phishing is as a tactic to infiltrate a computer system. If the attack is effective against that target, then you had better believe it could happen to your business. It happens to businesses across the country on a daily basis. If you haven’t taken this matter seriously, now is the time to do so. Educate your employees on how criminals employ the tactic. Educate your employees on what to look for so your business does not become a victim. Take steps to protect your business before it becomes a victim. And develop a plan of action to respond if those steps fail.
Why are Criminals Targeting Smaller Businesses for Spear Phishing Attacks?
Simple answer: they are easier targets. Small companies tend not to have the same IT infrastructure and security that larger companies have in place. They also tend to have fewer formal rules and restrictions on employee use of company computers. This makes them an easy target for criminals.
Small businesses have access to information that is just as valuable to hackers as that of larger companies. Small businesses often provide services to government agencies or other larger public companies and, as such, have valuable information in their possession or offer a pipeline into these more lucrative targets.
What is “spear phishing?”
Spear phishing is a specific type of cyber attack that appears to come from someone or some company you know. The target receives an email, often containing some detail about the individual or business, such as a person’s name, the company’s phone system, or its bank. Where does that information come from? The target’s online presence. Think about how much information is readily available regarding your business and the people working for it. Do you have a contact page on your website with names and email addresses?
The spear phishing email comes with a ZIP file attached or a camouflaged link that triggers an automatic download. Sometimes the ZIP file is described as a PDF or other harmless file type. Click to open the attachment or follow the link, and the target is caught.
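One defensive check for the mechanism just described, written as an added example (not code from the original article): a mail-gateway style scan that parses a message, reads the first bytes of every attachment, and flags a ZIP container that is labelled as a PDF. The constructed sample message, the shortlist of file signatures and the extra double-extension check (report.pdf.zip) are my assumptions and go a little beyond the text.

```python
import email
from email import policy
from email.message import EmailMessage

# Leading bytes that identify the real container type (constructed shortlist).
MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"MZ": "exe"}
# Extensions that legitimately carry a ZIP container (Office Open XML formats).
ZIP_EXTS = {"zip", "docx", "xlsx", "pptx"}
DOCUMENT_EXTS = {"pdf", "doc", "txt", "jpg", "png"}

def sniff(data: bytes) -> str:
    """Return the container type implied by the first bytes, not by the name."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"

def check_attachment(filename: str, content_type: str, data: bytes) -> list[str]:
    """Flag attachments whose name or declared type disagrees with their bytes."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff(data)
    findings = []
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS:   # e.g. report.pdf.zip
        findings.append(f"{filename}: double extension")
    if actual == "zip" and ext not in ZIP_EXTS:          # a ZIP dressed up as a PDF
        findings.append(f"{filename}: ZIP content behind .{ext} name")
    if actual == "exe":
        findings.append(f"{filename}: executable content")
    if content_type == "application/pdf" and actual != "pdf":
        findings.append(f"{filename}: declared PDF but bytes say {actual}")
    return findings

def scan_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 822 message and check every attachment part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        findings.extend(check_attachment(name, part.get_content_type(), payload))
    return findings

def build_sample() -> bytes:
    """Constructed test message: one genuine PDF, one ZIP labelled as a PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "accounts@example.com", "cfo@example.com", "Invoice"
    msg.set_content("Please review the attached invoice.")
    msg.add_attachment(b"%PDF-1.4\n%constructed placeholder", maintype="application",
                       subtype="pdf", filename="Statement.pdf")
    msg.add_attachment(b"PK\x03\x04" + b"\x00" * 26, maintype="application",
                       subtype="pdf", filename="Invoice_2291.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print(finding)
```

Running it prints two findings for Invoice_2291.pdf and none for the genuine Statement.pdf.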
What happens after you’re caught?
It depends. Some attacks are passive, meaning the hackers are simply accessing your computer system to observe and acquire information. There is at least one case where the hackers had access to a company’s system for over a year before anyone noticed! Hackers can monitor passwords and company activity. This exposes both the company and individual employees who access personal accounts from work. If an employee types in ID and password information to access a personal or business bank account, the hacker now has that information. Think about the potential exposure of your company’s trade secrets too.
Some attacks are active, meaning the hackers are accessing your computer system in an attempt to gain control over some portion of it in order to further their goals. The hackers then use that control to continue their efforts within your business or to use your business as cover. In the White House breach, for example, it is widely reported that the attack came after hackers infiltrated the State Department to gain control over a legitimate email address, which they then used to hack into the White House system.
In other cases the hackers take control of your system and hold it hostage. Once in your system, they take control of your company files, encrypt them, and lock your business out of them. The next thing you receive is a ransom demand. Pay up or lose the files forever. You can read about some of these cases in an NPR story here. It happens to police departments as well. Even law firms have been victims.
How Much Could A Spear Phishing Attack Cost Your Business?
Smaller attacks are relatively cheap. In some cases, a few hundred dollars paid by the deadline will get you the key to unlock your files.
In other cases, the potential financial exposure is much higher. The attacks are becoming much more sophisticated. More sophisticated programs will search out more valuable files. And if it locates them, guess what? The price goes up. The CAD designs for that $30 million construction project are going to cost you a lot more to get back than the generic everyday company files.
Don’t forget the potential liability your company may have to third parties as well. If your files are compromised and the information accessed by the hackers includes personal information protected under privacy laws, then your business may be in for some significant expenses. Many states (including Texas) have breach notification laws. Fail to comply with the breach notification laws and your company could face significant fines. If the information is used by the attackers and a third party suffers a loss, your business could be subject to a lawsuit as well.
There is also lost business to consider. If your client learns that its confidential information was lost because your company didn’t take adequate measures to protect it, then how long do you think you will have that client?