Sometimes I feel like a real pest. But I feel like I’m a rather safe and cautious pest.
Yesterday, I sent an e-mail to Sherry Johnson and Tracy Phillips from AmericanHort to ask them about a company that said they published the organization’s media kit. We’ve been members of AmericanHort (formerly OFA) since 2010, and we never remember seeing an e-mail from this organization. Tracy wrote me back pretty quickly to say they were legit.
It was the sixth time this year I had e-mailed Sherry and Tracy about someone contacting us to offer a service for AmericanHort or its major trade show, Cultivate. As it turned out, this was the first time all year that a company was truthful about its relationship with AmericanHort. I apologized to the ladies for being a pest, to which Tracy responded, “As I always say, if ever in question give us a shout!”
In a similar vein, I also saw an article on Forbes.com yesterday about five ways small businesses can protect themselves against cyber attacks. When most people think of cyber attacks, they think of a criminal syndicate sitting behind a bank of computers trying to break into the networks of Fortune 500 companies. But that’s about as old-school as wearing a pager. The smooth criminal puts in minimal effort and lets you do the dirty work.
Interestingly enough, the false faxes and phone calls we received and many types of cyber attacks are based on a no-tech approach: Social engineering.
Social engineering > physical hacking for cyber threats
There’s a reason why there were five different attempts to scam us this year: It works. Scammers, criminals, and shady companies wouldn’t put their effort into something that didn’t give return on their investment.
Speaking of ROI, Trend Micro, a respected cyber security company, reported earlier this year on its blog exactly how much return criminals can make from cyber crime. A Fox Business News report showed that an average stock market investor who focused on reliable companies between 1926 and 2009 would have made a solid 10 percent return on their investment. On the other hand, current statistics show that the black market of the cyber world has the potential for a 1,425 percent return on investment.
That’s right: for the low, low price of, say, $5,900 (the up-front cost cited in the Dark Reading article), a month’s worth of work could bring in a profit of $84,100, which is where that 1,425 percent figure comes from. And that’s only the first month’s profit, because the criminal outfit doesn’t have to buy new hardware and software each month. Even without that, extrapolate $84,100 a month over the course of a year and you’ve earned your first dirty million.
Of course, those statistics are based on the current scam-du-jour: ransomware. That’s when malware gets onto an individual computer, encrypts its files or locks the machine from the inside, and demands a ransom to unlock it. And while a small business may think a $300 ransom is a small price to pay, the damage may go beyond just a few bucks. You’re sending an online payment to a criminal. What if they steal your payment account information? What if you pay and they refuse to unlock the computer or the vital files they trapped? (I mean, they already scammed you once. What makes you think they’re going to play fair?) Now we’re talking not just money and man-hours lost: you may permanently lose access to your most valuable files.
But just like the scam attempts thrown at us using very old-school methods (a fax? really?), ransomware relies on the victim to invite the danger past any cyber security. In the Dark Reading example, the criminal creates a seemingly innocent website that entices a victim to interact with it. One click, one download, and *poof* — there goes the neighborhood. The victim may have even been warned by anti-malware software to not proceed, but that doesn’t always stop people from barging on through anyway.
Why? Because of social engineering, which involves manipulating people so they become a willing participant in giving out their private information instead of having it stolen. It relies on the overwhelmingly common human traits of being trusting and curious. People trust that the e-mails they receive are from who they say they are, and they trust their antivirus software will protect them. Here were the top social engineering lures from 2014, according to Trend Micro:
- Big news: Malicious links were hidden behind stories involving the Malaysian Airlines flight 370 crash and the World Cup.
- Celebrity gossip: People can’t get enough juicy information about celebrities, so malicious social media links and e-mails are easy methods of attracting victims.
- Movies: People looking for the inside scoop on soon-to-be-released blockbusters may find they’ve been lured to a malicious site.
- Tech and games: As more people use technology, scammers find easy pickings among people who know how to use their gadgets but not how to stay safe while using them.
- Social media: It’s easy to be fooled into thinking you’re following a real person, and to trust that their links are legit.
- Scare tactics: With the threat of the Ebola virus weighing heavy on people’s minds (in many cases unnecessarily), scammers found success misdirecting people to download malicious content.
In all of these methods, the cyber criminal only has to “set it and forget it.” They no longer need to be a cyber mastermind and invest the time and effort to actively hack through a heavily fortified firewall. With minimal technical knowledge and clever wording, today’s cyber criminal can wreak havoc.
Why is cyber security more important than ever?
It’s not hard to figure out why cyber crime is a “growth industry,” according to many industry experts. More and more of our daily lives are happening online and in the cloud. At this past Sage Summit, Sage announced that three of its largest products, Sage X3, Sage 100, and Sage 300, would be available in the cloud. Combine that with the fact that the internet is now ubiquitous in the business world, and the numerous reports of just how many people use the internet at work for personal use, and it makes for a recipe for a cyber disaster.
But this isn’t just about cyberslacking. What if one of your employees legitimately needed to search Google for business purposes, but accidentally clicked a malicious link? What if they receive an e-mail that looks like it came from your bank and follow its instructions before anyone realizes it was phishing?
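The two habits the lures above exploit are trusting that an e-mail is from who it says it is, and trusting that a link goes where its text says it goes. Both can be checked mechanically before anyone picks up the phone. The script below is an added example and is not from the original post or from any product named on this page; the “bank” message it parses is a constructed sample with invented domains, and the trusted-domains list is an assumption standing in for whatever a business would actually configure.

```python
"""Phishing indicator check: added example, not from the original post.

Assumptions (not from the page): SAMPLE_EMAIL is a constructed message with
invented domains, and TRUSTED_DOMAINS is whatever the reader's business would
configure as the bank's real sending domain.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample imitating a bank notice; every name and domain is invented.
SAMPLE_EMAIL = b"""From: "First Example Bank Security" <alerts@firstexample-bank-secure.example>
Reply-To: support@mail-verify.example
To: owner@smallbiz.example
Subject: Action required: verify your account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your account has been locked. Please <a href="http://198.51.100.7/login">
https://www.firstexample.example/login</a> to restore access.</p>
</body></html>
"""

TRUSTED_DOMAINS = {"firstexample.example"}  # assumption: the bank's real domain


class _LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs for every anchor in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _domain_of(address_or_url):
    """Return the lowercased host of an e-mail address or URL ('' if none)."""
    s = address_or_url.strip().lower()
    if "@" in s and "://" not in s:
        return s.rsplit("@", 1)[1]
    return urlparse(s if "://" in s else "http://" + s).hostname or ""


def _is_trusted(host, trusted):
    """True if host is a trusted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in trusted)


def phishing_indicators(raw_message, trusted_domains):
    """Return human-readable reasons this message looks like a social-engineering lure.

    Heuristics (deliberately simple): the From domain is not on the trusted list,
    Reply-To points somewhere other than From, a link's visible text names one
    site while its href goes to another, or a link targets a bare IP address.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    findings = []

    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain_of(from_addr)
    if not _is_trusted(from_dom, trusted_domains):
        findings.append(f"From domain {from_dom!r} is not a trusted sender domain")

    reply_to = msg.get("Reply-To")
    if reply_to:
        _, rt_addr = parseaddr(reply_to)
        rt_dom = _domain_of(rt_addr)
        if rt_dom != from_dom:
            findings.append(f"Reply-To domain {rt_dom!r} differs from From domain {from_dom!r}")

    body = msg.get_body(preferencelist=("html", "plain"))
    if body is not None and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(body.get_content())
        for text, href in collector.links:
            target = _domain_of(href)
            if target.replace(".", "").isdigit():
                findings.append(f"Link points at a bare IP address: {href}")
            # Only compare when the visible text itself looks like a URL or host name.
            shown = _domain_of(text) if ("." in text and " " not in text) else ""
            if shown and shown != target:
                findings.append(f"Link text shows {shown!r} but goes to {target!r}")
    return findings


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print("WARNING:", finding)
```

None of these checks proves a message is malicious, and a clean result does not prove it is safe; a compromised legitimate account would pass all four. The point is that each finding is a concrete reason to do what Tracy suggested: stop and give the real organization a call before clicking.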
If someone tries to tell you their system, their cloud, their network, or their protection is completely secure, you may as well buy the Brooklyn Bridge from them. The other night, I saw a commercial for LifeLock, which used to guarantee their customers they will prevent identity theft. It’s no coincidence that after the FTC tagged LifeLock a second time back in July for not adhering to the ruling from five years ago, all of a sudden, the commercials are singing a new tone: The phrase “nobody can guarantee 100 percent safety” (or something like that) was not only repeated verbally, but appeared at the beginning of every block of fine print that was shown.
Don’t get me wrong: I’m not saying don’t use cloud-based business systems or shut down all internet usage at your company. All you have to do is look at the No. 1 tip from the Forbes.com article: Educate everyone. From the owner down to the lowest-paid person on the payroll, if you have internet access and/or receive company e-mail, then you need to question the source of everything you see. And never be afraid to double-check whether an e-mail or a link came from a legitimate source by picking up the phone and calling.
You wouldn’t get behind the wheel of a car and head out on the highway before learning about safe driving. It’s just as important to be safe on the information superhighway, too.