Small business malware

Small Business Malware Attacks

By Georgina Donovan - October 12th, 2020 Posted in Information Security

If you are a small or micro business, it’s likely that your attention will be focussed on developing and marketing your product or service and all things cyber security related sit further down the never-ending priority list. There’s always something more pressing or less boring to attend to just like when your meant to be revising for exams and suddenly doing household chores become an appealing diversion.

According to research by the charity ‘Business in the Community’ (BITC), a third of small businesses in the UK have no cyber security strategy; could this be you?

The topic of cyber security can be covered from a number of angles. Today however, I am focussing on a specific area of cyber incident and that is malware.  Because it’s easier to put any sort of advice into context if you understand the reason, I’ll start by explaining, the the most common types of malware.

Types of malware

Hackers use a range of different types of software or ‘malware’ which is an amalgamation of ‘malicious’ and ‘software’ to infiltrate businesses and individuals, sometimes for fun but usually for financial gain.  Here are some key types of malware to get you started:

Ransomware – locks your computer and systems and holds it hostage usually insisting you pay a ransom via bitcoin in exchange for its release.

Spyware – hides on your computer and logs everything that you do online including sites you visit and passwords you enter.

Viruses – are so called because of the way they behave.  They spread through a system infecting clean files, corrupting or deleting them.

Trojans – look like legitimate software or are hidden in legitimate software and are usually part of a two-pronged attack creating a back door for other malware to gain access.

Worms – infect devices and entire networks, either locally or across the internet, by using network interfaces. A bit like a virus in one machine, a worm infects connected machines and devices without you necessarily clicking on/or downloading anything.

Adware – is not malicious but thoroughly annoying. It is included in a bundle of other legitimate or seemingly legitimate software that you download. It does infiltrate your security but with the purpose of serving you lots of adverts.

No business is too small either, in fact many hackers look for the easiest targets. Big cases like the recent ransomware attack on Travelex are the ones you hear about of course but according to a report by CybSafe, nearly half small of businesses in the UK have been hit by phishing attempts in the year covering 2018 and 2019 and of those, 66% became victims.

Malware attacks

The methods hackers use to plant malware are varied. Some hackers look for a vulnerability in software, the infamous WannaCry is an example of this.  It was a worm designed to infiltrate a vulnerability in Windows software. There was however a patch available for this vulnerability which had been issued by Microsoft two months previously, so the lesson here is to ensure that software updates are installed as soon as they come through.

Links sent via email and subsequently clicked on, can send the recipient to a bogus website which looks legitimate and then ask to input sensitive information like passwords or bank details, these can be from legitimate looking sites like HMRC or TV Licencing.

Some emails will encourage you to download a file. Again, they will try to look legitimate, but the file will download the malware on to your PC and potentially infect the network you are connected to.  Sometimes malware is designed to target removable drives like external hard drives and USB sticks, which infect every computer they are subsequently connected to.

In some cases, malware is planted on suspect or even legitimate websites that have themselves been hacked.  This was the case with the British Airways data breach in 2018, where customers were diverted to a fraudulent site designed to harvest personal details. This is known as form jacking and it’s on the rise. Incidentally, it is the responsibility of the business owner to ensure their website has not been infiltrated.

Finally, malware is sometimes bundled in with other software packages.

Defending against malware

Some of the steps you need to take will cost time and money but not necessarily as much as you think. Researching and installing reliable anti-virus software, ensuring your firewalls are switched on, setting your security systems up so that system updates with security patches occur automatically are all reasonably simple steps if you’re cyber savvy but if you’re not, a cyber security firm could do all of that very quickly.

A lot relies however on human behaviours, so knowledge, awareness and vigilance are key. To that end, documenting the rules for safe use of IT systems and emails in a Cyber Security Policy and communicating them regularly with your employees is the best place to start.  It will include guidelines for safe use of email and internet; for example, only browsing secure websites, not downloading any software without permission and having its authenticity verified first, not using external devices, not using employer IT equipment for personal use and rules for generating strong passwords and managing them.

This will limit the chances of your business becoming another cyber victim but of course there is still a chance you could be targeted despite all your best efforts. For this reason, make sure all or at least all of your critical data is backed up regularly in an area unconnected to your main your business systems. Ensure confidential data, be it internal intellectual property or external personal data, is encrypted and limit access to data to those that use it and have a plan in place so you’re ready to spring into action should an incident occur; we have a good blog on incident response planning here.

Need help?

If you need help or advice on how to manage your businesses cyber security, we’re here to help.  We can advise on your security vulnerabilities, select the right security technology and check your systems are configures correctly.  We can also put policies in place run staff training exercises. Contact us for a friendly chat.

GET IN TOUCH