The Importance of Cybersecurity Awareness for SMBs
By Eric Magill
With October being National Cybersecurity Awareness Month, I wanted to provide some pointers for defending yourself and your clients against cyber-attacks.
In 20 years as owner of a managed IT services business, I have learned this:
- While most of us will be considered too small for hackers to attack directly – yes, like legitimate business owners, they understand efficiency – almost all of us will be attacked by phishing emails.
The consequences of falling victim to such attacks can be devastating for SMBs when they don’t have the resources to recover from a data breach.
According to a National Cybersecurity Alliance report, cyber attacks resulted in:
- 37 percent of small organizations suffering financial losses
- 25 percent filing for bankruptcy
- 10 percent closing their doors
The NCSA also reported that more than half of businesses must raise prices solely to cover the costs of recovering from a breach.
How do you avoid succumbing to these attacks?
More sophisticated cyber criminals have evolved beyond poorly worded, obvious phishing emails. They, too, now use AI writing tools.
You can, however, spot phishing emails by remaining vigilant.
My Golden Rules for handling emails:
- If you don’t know the sender, do not click any links or file attachments. Delete it.
- If the email is relevant to you, go to the sender’s website in your browser.
- For well-known brands, hover over the link (don’t click) to see if it goes to the brand’s website (e.g. “dell.com” versus “something.com/dell”).
- If you know the sender, but receive an unexpected email from them, do not click links or file attachments until you confirm that your colleague sent it.
- Do this by phone – a hacker could hijack your colleague’s email and make it look like your colleague is providing confirmation.
- If you mistakenly click on a link in an unexpected email and navigate to a page where you are asked to change your password for your bank or other vendor, do not enter your password. Close the page.
Below is a phishing email that incorporates elements of many phishes:
As you can see, this phishing email:
- Uses the international date format (day/month) rather than the month/day format I would expect in the U.S.
- Comes from a From: address that is not @intuit.com or @quickbooks.com; it is @updatessoftware.info.
- Lists a phone number that shows up in searches for known scams.
- Links to techsales.info (revealed by hovering over the link) instead of intuit.com or quickbooks.com.
- Uses awkward language.
- Uses fear tactics by claiming the database will be corrupted and backups automatically removed, preventing recovery, if the deadline is missed.
What would I do with such an email?
This email caught my attention because I knew that QuickBooks is requiring desktop software customers to upgrade before September 30 if they want to continue using the desktop software instead of QuickBooks Online.
The international date format, however, gave me pause initially. The fake From: email address sealed it.
Had the hackers spoofed a legitimate QuickBooks email address, the other elements would still have confirmed this as a phish.
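The two checks above that a machine can do reliably, comparing the From: domain and every link target against the brand’s own domains, are shown here as an added Python example (my own illustration, not code from the original post). The sample message, the brand domain list, and the function names are constructed for the example; the mail is modelled on the phish described above and is not the real message.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Assumed legitimate sender domains for the brand being impersonated.
BRAND_DOMAINS = {"intuit.com", "quickbooks.com"}

# Constructed sample modelled on the phish discussed above (not the real email).
SAMPLE = """From: QuickBooks Support <support@updatessoftware.info>
To: owner@example.com
Subject: Upgrade required before 30/09
Content-Type: text/html

<p>Your QuickBooks Desktop database will be corrupted unless you
<a href="https://techsales.info/intuit/upgrade">upgrade now</a>.
See also <a href="https://quickbooks.com.updatessoftware.info/login">your account</a>
or <a href="https://quickbooks.com/desktop">the official page</a>.</p>
"""


def registered_domain(host):
    """Last two labels of a hostname: 'quickbooks.com.evil.info' -> 'evil.info'.
    Adequate for .com/.info style names; not a full public-suffix lookup."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def is_brand(host, brands=BRAND_DOMAINS):
    """True only when the registered domain itself is one of the brand's domains,
    so 'something.com/dell' and 'dell.com.something.com' both fail."""
    return registered_domain(host) in brands


def check_message(raw, brands=BRAND_DOMAINS):
    """Return findings: a From: domain or link whose registered domain is not the brand's."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain if msg["From"] else ""
    if not is_brand(sender, brands):
        findings.append(("from-domain", sender))
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    for href in re.findall(r'href="([^"]+)"', body):
        host = urlparse(href).hostname or ""
        if not is_brand(host, brands):
            findings.append(("link", href))
    return findings


if __name__ == "__main__":
    for kind, value in check_message(SAMPLE):
        print(f"{kind}: {value}")
```

The third link passes because its registered domain really is quickbooks.com; the second fails even though the hostname starts with the brand name, which is the same trick as “something.com/dell” written as a subdomain.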
You also want to protect your passwords:
- Use a password manager such as one of these.
- Do not send passwords in emails and text messages unless they are encrypted.
- Do not use the same passwords for business and personal use.
- Do not store passwords in word processing files or spreadsheets.
- Do not share your passwords with anyone, including co-workers.
If you want more in-depth information about cybersecurity awareness, visit the Cybersecurity and Infrastructure Security Agency (CISA) website at https://cisa.gov.
Eric Magill performs vendor risk assessments to help small businesses select critical Software as a Service providers, using his experience in researching, reporting, writing, editing, publishing, creating, analyzing, managing, handling, storing, and securing information in a 40-year career in the private and public sectors.