You don’t think about a small business in middle America being targeted by hardened Russian cybercriminals, but that’s exactly what happened in the case of Smile Zone. This Missouri dental office caters to children, looking for ways to provide them with a higher comfort level with dental procedures. Smile Zone had not yet invested in any aggressive cybersecurity measures, because they didn’t expect to become the target of malicious attack from overseas. Unfortunately, they were wrong, and their lack of planning for cybersecurity cost them over $200,000 due to a simple phishing scam — money that Smile Zone has never been able to recover.
Determining the Attack Vector
It didn’t take long for investigators to determine the attack vector, as it was a simple phishing email that was launched on the computer that Smile Zone used to conduct their banking business. With the information stored on that computer, the Russian cybercriminal and his associates were able to tap into the bank account of Smile Zone and create a transaction for $205,000 that looked perfectly legitimate to the bank. Unfortunately, that also meant that the bank would not accept liability for the transaction — something that they would have done if the account were a consumer account instead of a business account. What’s worse, the cybercriminals left the back door of the business open so they could help themselves to more funds in the future if the vulnerability was not addressed in time.
Why Russian Hackers Target Small Businesses
It’s hard to imagine, but why would a well-known Russian hacker who was on the FBI’s Most Wanted List waste their time attacking a small business for “only” a few hundred thousand dollars? The answer is simple: small businesses are less likely to have invested in cybersecurity. Not only are the businesses perceived to be less secure, but cybercriminals are looking for an ongoing payday — not a one-time bankroll. Small to mid-size businesses may not even notice relatively small amounts being shifted around until the dollars add up to a significant amount of money. This allows these nation-state actors to slowly siphon away funds that could otherwise be used to fund payroll or grow the business. Even if small businesses do have passive cybersecurity, they may not be actively monitoring their transactions and systems in a way that would allow them to see the fraud happening in near-real time. Symantec defines the time between the injection of malware or a data breach to the discovery time as “dwell times“, and they average 191 days before many businesses discover that their systems have been compromised.
Are There Legal Avenues for Recourse?
The unfortunate reality is that it’s difficult for the government, local police or anyone else to help regain access to your funds once they’ve been exfiltrated to a remote location. Hackers are extremely savvy, in taking just enough money that they can easily move it around without a lot of notice from others. It’s difficult for law enforcement to prove that there has been a crime, much less track down a slippery individual thousands of miles away from the crime. When your business suffers this type of loss, it’s unlikely that the money will ever be recovered — a devastating blow for a small business.
Are There Ways to Protect Your Business?
Fortunately, you don’t have to simply wait for your business to be hacked, and you don’t have to invest in over-the-top security solutions that are meant for enterprises instead of small to mid-size businesses. Your trusted technology services partner can help you understand the various options that are available to help protect your organization. This could include a variety of solutions:
- Endpoint protection and monitoring of WiFi hotspots that are available to customers and employees
- Rigorous password policies
- Ongoing employee and contractor security training and testing
- Active monitoring of your network by knowledgeable security professionals
- Proactive notification systems so your technology partner can immediately begin remediation in the event of a breach
- Email and website security software that helps filter out malware and spam before it reaches your staff
- Robust backup and recovery procedures, to ensure your business can continue functioning even if you’re under attack
- Systematic review of all potential fail points within your infrastructure on a regular basis
- Rigorous management of user accounts and logins, to ensure that accounts are inactivated quickly when they’re no longer needed
Each business is unique, and working with your trusted IT managed services provider will offer more direct and detailed recommendations that will fit the unique needs of your business.
No one is expecting to be the target of a Russian hacker, and small businesses may be even less prepared than larger ones. No business is truly safe from cybercriminals unless your business is fully protected by a suite of cybersecurity measures that include active management of your infrastructure. It pays to invest a small amount upfront to protect your business from what could be a disastrous cyberattack in the future.