Cybersecurity for
Small Businesses and Nonprofits
Copyright © 2016 by Excelsior College
Published by arrangement with
Excelsior College’s National Cybersecurity Institute (NCI)
All rights reserved.
The information provided within this book is for general, educational, and informational purposes only. There are no representations or warranties, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the information, products, or services, for any purpose. Mention of specific products is for purposes of illustration. The authors have no affiliations with or vested interests in any named products. Any use or application of information is at your own risk.
No part of this book may be reproduced in any form or by any means electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.
Hudson Whitman / Excelsior College Press
7 Columbia Circle
Albany, NY 12203
www.hudsonwhitman.com
Printed in the United States of America
Book design by Sue Morreale
Cover design by Philip E. Pascuzzo
ISBN 978-1-944079-90-1
eISBN 978-1-944079-10-9
Contents
Acknowledgments
Chapter 1 Cybersecurity Threats
Chapter 2 Unique Cybersecurity Issues Impacting Small Businesses
Chapter 3 Cybersecurity Laws and Policies
Chapter 4 Workforce Skills
Chapter 5 Best Practices
Chapter 6 Future Trends
Chapter 7 Cyber Tools for Small Business
Glossary
Sources of Further Information
References
About the Authors
Acknowledgments
This book on cybersecurity for small businesses and nonprofits was a pleasure to write, but a book of any sort is never written alone, and that is certainly true of this one. The authors wish to thank everyone who contributed their time and effort to bringing this work to fruition. Without their guidance, assistance, and never-ending patience, it would never have happened. Thank you.
Chapter 1
Cybersecurity Threats
Cybersecurity threats continue to expand, with hackers targeting small businesses and nonprofit organizations as well as large corporations. Cybercriminals want financial information, customer information and business secrets. Sales of stolen digital data are estimated to be a multibillion dollar market—equal to if not greater than the illegal drug market (Schmid, 2015).
What Hackers Are Doing
Regardless of the type of business or organization, key threats from hackers include:
Ransomware
Ransomware is a general name for malware that is designed to lock data files via encryption and demand payment to receive a key to unlock the files. Common versions of ransomware include CryptoLocker and CryptoWall. Police ransomware is a variation that tells the victim a law enforcement agency, such as the FBI, caught the victim performing an illegal act on the Internet and demands payment (Zetter, 2015).
Cyber Economic Espionage
The FBI is highly concerned about the increase in cyber economic espionage (Bruer, 2015; FBI, 2015). Nation-states and possibly individual criminal hackers or organized gangs increasingly target businesses to steal company secrets (Goodman, 2015; Zetter, 2015). They penetrate a business’s network and steal blueprints, sales strategies, merger plans, product designs, patents, and formulas. The stolen information is then passed to another company, which uses it to improve its own competitive advantage.
Sophisticated Malware
Hackers continue to make their malware more sophisticated. They target specific audiences to improve their odds of success. The attacks are more secretive, with hidden coding and paths of entry.
The criminals are endlessly releasing new mutations and variants of malware. As of June 2015, approximately 40,000 new malware variants were identified (McAfee Labs, 2015).
Website Malware
Businesses are susceptible to malware attacks on their public websites. The intent is often to use the website as a distribution point for malware. In what is commonly called a “drive-by download,” a visitor to the site is unknowingly infected with malware that is then installed on the visitor’s PC for future attacks or theft of information.
Access via Mobile Devices
Many businesses allow employees to use their personal mobile devices for work. The practice is called “Bring Your Own Device” (BYOD). While this lets employees move easily between their work life and their personal life, it creates potential cybersecurity risks. The most commonly used mobile devices operate with the Android operating system. Many applications designed for Android smartphones include malware. The malware on the device can steal company information stored on the device, such as passwords, client information, and other business details. When the device is connected to a network, the device can transfer the malware to the network, allowing hackers to penetrate the company’s network.
Cyber Theft of Personal Private Information
Cyber criminals steal many types of personal private information from system networks that have access flaws. Personally identifiable information, frequently referred to as PII, can include any information that is not commonly available (Ashford, 2015). Types of information include Social Security numbers, personal identification numbers (PINs), health records, and financial information (BakerHostetler LLP, 2015).
The criminals sell the information on the Dark Web for other criminal use, such as fraud and impersonation activities.
How Cybercriminals Hack
Cybercriminals have numerous ways to perpetrate their crimes. They may use technology flaws, human behavior patterns, or penetration attacks. They may need to gather intelligence to further their efforts, or they may attack broadly, knowing that volume will work in their favor. The criminal hacker’s end game is either to plant malware for future access or to gain the knowledge needed to penetrate a business’s network. Once they have access, the criminals can steal valuable data, customer information, company secrets, or other digital data (Rainie, Anderson, and Connolly, 2014).
The following are a few of the more common methods used by hackers.
Spear Phishing
It is estimated that over 50 percent of all e-mail contains malware (National Small Business Association, 2013). In June 2015, over 57 million new malware variants were identified. In spear phishing, hackers target employees with an e-mail that contains either an infected document or a URL that, if opened, spreads the malware into the company’s network. The e-mail includes information that creates the illusion that it comes from a known source: it may be personalized, refer to a request from senior management, or include specific inside knowledge. The recipient is led to believe the e-mail and any attachments are safe.
Social Engineering
Cybercrime social engineering is often described as a way to get a victim to do something a hacker wants, often without the victim realizing it. The hacker uses tactics such as pretexting, manipulation, and authority. Pretexting is a form of social engineering that uses a plausible lie, or pretext, to make the scam believable to the victim. Manipulation is when the social engineer simply tricks the victim into providing information. Authority is when scammers act as if they hold a position of authority, for example by claiming to be an agent from the home office or tech support, and then demand information from the victim; many people seek to please those in authority. The hacker’s objective is to elicit information from a source that can help the hacker learn how to penetrate the system.
A social engineer hacker may build rapport with an employee and then send that employee an e-mail with a photo embedded with malware. Or the hacker intimidates a staff member into paying a fraudulent invoice by impersonating approval from a senior manager. An example of physical social engineering is when a hacker poses as a repair person to gain entrance to a secure area and installs physical keyloggers on a computer to capture passwords and other data from the computer.
Because many people want to please others and perform well, social engineers can find ways to infiltrate without the victims realizing they have been leveraged for access or information.
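The spear phishing and social engineering sections above describe the same pattern from the defender's side: a message that appears to come from a known or senior source, carries a risky attachment or link, and presses the recipient to act quickly. The following Python script is an added example, not code from the book or from NCI, that screens raw e-mail messages for those indicators using only the standard library. The company domain, executive names, risky file extensions, and the two sample messages are constructed for the illustration and are not from the book.

```python
"""Heuristic screen for spear-phishing indicators in raw e-mail messages.

Added example (not from the book). Flags the red flags the chapter describes:
a display name that impersonates a senior person, a lookalike sender domain,
a Reply-To that diverts replies elsewhere, executable or macro-enabled
attachments, and pressure language such as an "urgent invoice" request.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation values assumed for this example.
COMPANY_DOMAIN = "example-nonprofit.org"
EXECUTIVE_NAMES = ("jane doe", "john smith")  # senior staff an attacker might impersonate
# Attachment types that run code or carry macros when opened.
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".bat", ".hta", ".docm", ".xlsm"}
# Pressure language typical of a fake "senior management request".
URGENCY_RE = re.compile(r"\b(urgent|immediately|wire|invoice|password)\b")


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _plain_text(msg):
    """Concatenate the text/plain bodies of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True)
            if payload:
                chunks.append(payload.decode("utf-8", "replace"))
    return " ".join(chunks)


def screen_message(raw):
    """Return the list of spear-phishing indicators found in one raw message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)

    # 1. A known executive's name in the display name, but an external address.
    if any(n in display.lower() for n in EXECUTIVE_NAMES) and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name with external address")

    # 2. Lookalike domain: contains the company's name but is not its real domain.
    company_label = COMPANY_DOMAIN.split(".")[0]
    if from_domain != COMPANY_DOMAIN and company_label in from_domain:
        findings.append("lookalike sender domain")

    # 3. Replies are routed to a domain other than the apparent sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append("reply-to domain mismatch")

    # 4. Attachments with executable or macro-enabled extensions.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and "." in filename:
            if "." + filename.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
                findings.append("risky attachment: " + filename)

    # 5. Pressure language in the subject or body.
    text = (msg.get("Subject", "") + " " + _plain_text(msg)).lower()
    hits = sorted(set(URGENCY_RE.findall(text)))
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return findings


# Constructed sample: impersonated executive, lookalike domain, diverted replies,
# macro-enabled attachment, and an urgent invoice request.
SAMPLE_PHISH = """\
From: "Jane Doe" <jane.doe@example-nonprofit-mail.com>
Reply-To: accounts@payments-desk.net
To: staff@example-nonprofit.org
Subject: Urgent: approve attached invoice today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process the attached invoice immediately, I am in a board meeting.
--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

ZmFrZQ==
--b1--
"""

# Constructed sample: an ordinary internal message with no indicators.
SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example-nonprofit.org>
To: staff@example-nonprofit.org
Subject: Agenda for Thursday
Content-Type: text/plain

The agenda for Thursday's meeting is on the wiki.
"""

if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, screen_message(raw))
```

Each check on its own is weak; the value is in the combination, which is why the function returns every indicator rather than a single verdict, so a mail gateway or help desk can decide a threshold (for example, quarantine when two or more indicators appear, and notify the impersonated person whenever indicator 1 fires).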