For almost a quarter of a century now, the React Computer Partnership in Woodbridge, Suffolk, has acted as right-hand man for small to medium size companies in need of an IT department.
Specialising in the supply, installation and support of business IT systems, last summer the family behind it, the Pledgers, was named Family Business of the Year at the East of England FSB Celebrating Small Business Awards.
No-one is immune to the threat of cyber hacking, no matter how big or small their business operation.
But there are simple defence mechanisms you can put in place to hugely reduce the risk of becoming a victim, said React Computer Partnership director Francis Pledger.
The starting point is to wake up to the risks in the first place – to become aware of just how hackers work and what they are after.
“People can’t be complacent and think ‘I’m only small, it wouldn’t be worth bothering with me’, because just last week there was an example of a man, a solo-operator, who had to pay thousands to get his data back,” he said.
“But in any attack, it could be that the individual is not the final intended victim – they could just be the stepping stone, the entry point into their organisation.”
Hackers commonly use one of two approaches: a spray attack, in which they cast their net widely in the hope of catching at least a minnow, or the very targeted spear phishing, in which case they have the biggest of fish in their sights.
A spray attack will begin with the harvesting of as many usernames in an organisation as possible. That isn’t hard, given the standard ‘firstname.lastname@example.org/com’ format and the availability of staff profiles on company websites and LinkedIn.
Francis said: “Once they have usernames, they will carry out the spray attack picking a common password, and unfortunately people still use the same password over and over again – ‘password’ and ‘123456’ are still the most common ones.
“They will try all of the usernames, working through a list of common passwords, until they get a hit. Then all they’ve got to do is log in and take over that person’s account.
“From there, they will begin generating emails effectively from that person, often saying ‘I’ve just shared a document for you to review’ and the recipient will have to log in to review it, thereby giving the hacker their account details too.”
And so it goes on, with the hacker usually trying to move as far up a hierarchy as they can, to the most senior people with the highest level of privileges.
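As an added illustration (not part of the article, and not React Computer Partnership's own tooling), here is a small Python detector that runs over constructed login records and flags the pattern just described: one source failing against many distinct usernames in a short window, then reporting any account that subsequently succeeded from that source. The log format, IP addresses, usernames and thresholds are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data):
# "<ISO timestamp> <result> user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-03-04T09:00:01 FAIL user=alice.smith src=203.0.113.7
2024-03-04T09:00:03 FAIL user=bob.jones src=203.0.113.7
2024-03-04T09:00:05 FAIL user=carol.white src=203.0.113.7
2024-03-04T09:00:07 FAIL user=dave.brown src=203.0.113.7
2024-03-04T09:00:09 FAIL user=erin.black src=203.0.113.7
2024-03-04T09:00:11 OK   user=frank.green src=203.0.113.7
2024-03-04T09:05:00 FAIL user=alice.smith src=198.51.100.9
2024-03-04T09:05:30 FAIL user=alice.smith src=198.51.100.9
2024-03-04T09:06:00 OK   user=alice.smith src=198.51.100.9
"""


def parse_line(line):
    """Split one log line into (timestamp, result, username, source IP)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: (distinct_failed_users, accounts_then_logged_in)} for every
    source that failed against at least `min_users` different accounts within
    `window`. A single user failing repeatedly (ordinary typo or brute force)
    does not match: spraying is wide, not deep."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, result, user))
    alerts = {}
    for src, evs in by_src.items():
        fails = [(ts, user) for ts, res, user in evs if res == "FAIL"]
        best, start = 0, 0
        for end in range(len(fails)):            # sliding window over failures
            while fails[end][0] - fails[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in fails[start:end + 1]}))
        if best >= min_users:
            hits = sorted({user for _, res, user in evs if res == "OK"})
            alerts[src] = (best, hits)
    return alerts
```

The second source (two failures against one account, then success) is deliberately left unflagged, so the rule fires on breadth of usernames rather than on any failed login.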
Once they think they’ve reached someone with enough authority, they will strike, sending a ransomware bomb into the IT system to encrypt the organisation’s data. “Shortly after that, the company will get an email saying, give us ‘x’ thousands of pounds or we’ll delete it all,” he said.
If and when the hacker gets to chief executive or, say, finance director level, it turns into spear phishing, big game hunting style. By now, the stakes are high.
“If they have managed to harvest the CEO or finance director’s account details, they won’t do anything for a while, just sit and watch their email correspondence,” said Francis.
“Then at the right time, when say the CEO has gone on a business trip abroad, the finance director will get an email saying something like ‘Sorry, I’m in a meeting at the moment, but I said we’d pay this person this amount – can you make the payment now’.
“When the CEO returns, he/she knows nothing about the email, of course, but it’s too late, the money’s gone.”
React Computer Partnership makes a point of ensuring its clients employ the three basic lines of defence against cyber-attack.
One, secure the IT infrastructure by ensuring staff use strong passwords. Microsoft Office 365 also offers two-factor authentication before allowing a log-in, presenting hackers with double the trouble.
Two, put staff on the alert and teach them what to look out for.
Three, know in advance how you would restore data and, importantly, how long that would take, should the worst happen.