The first mistake that businesses make when it comes to email is to think that it’s a secure way to share information. So argues Peter Bauer, co-founder of Mimecast, an international security company that handles 145 billion emails worldwide.
“Email was never intended to be used in the way it is now. It’s not really kitted out for all of the risks associated with the internet; it was designed for a more trusting environment,” he explains.
And it’s a mistake to think that SMEs don’t present a worthwhile target. In fact, they present attractive opportunities. By simply setting up a free email address and a LinkedIn account for research, a hacker can go far.
“What does worthwhile mean?” asks Mr Bauer. “It’s relative to the cost of putting on an attack, and to the downside of getting caught.” Both are low when it comes to an attack on an SME, which makes them more appealing than larger corporations.
Each time an attempt to hack your company is made via email, there are one of two aims at play: to steal money, or gain information.
Small businesses should bear those purposes in mind, because they can be key to spotting – and stopping – hacks.
Do you really know who’s asking you for information?
“Hey, are you at your desk?” is often the first question an email hacker will ask, says Mr Bauer.
Having researched a company on Linkedin – or if they are already in the system, having read emails between colleagues to garner a sense of tone and topic – the attacker will build a dialogue and wait a realistic amount of time before sending responses.
The only way to combat this, says Mr Bauer, is to make sure that two-step procedures are in place around transfers of business to confirm a person’s identity (known as a two-step verification). Ways to do this include an SMS message or a phone call with the person in question.
But beware smart hackers’ attempts to overcome security protocols with a carefully-tailored statement. “They will say that it’s confidential; it’s board-only knowledge, so don’t tell anyone. Not breaking those procedures becomes very important,” says Mr Bauer.
And having a process in place is only effective if it’s used every single time, he adds. “Many businesses fail to follow their own protocols.”
Small data leaks can cause a flood
The security costs of letting someone have access to financial or personal data can be epic. Mr Bauer cites Snapchat, which had the equivalent of its entire P60 data stolen. “Someone pretending to be the chief executive emailed the head of HR and said they needed the data for a review. It was just sent over. It was leaked,” says Mr Bauer.
Attackers aren’t always asking for big chunks of data or banking details. The request can be smaller and more subtle. A good example of this, says Mr Bauer, is the recent hacking of an email account of a key person in Hillary Clinton’s presidential campaign. The attacker sent someone an email saying that suspicious activity meant that they needed to change their login details as a precaution.
In this instance, even a cautious user wasn’t safe. “They forwarded the email to their IT department to check it was okay. The expert said it looked fine,” says Mr Bauer. “They followed the email link and entered their password. The attacker got into the inbox and stole emails before the person realised their password change hadn’t worked.”
Get security on the agenda and keep it there
As an evolving and costly threat to business operations, Mr Bauer believes that it’s time to get cybersecurity on the meeting agendas of SMEs. “There should be a [dedicated] section on it. Give a voice to people who know your [IT] vulnerabilities.
“You might not even realise that a laptop was stolen from a worker the week before with unencrypted information on it. Out of sight, out of mind.”
For businesses unsure of where to begin with their email security efforts, a good start is to educate users by showing them what scams look like. This will, he says, teach them to scan for “red flags”.
Any business that is alarmed will also be troubled by Mr Bauer’s prediction for the future cybercrime opportunities posed by the Internet of Things. “The biggest cybersecurity threat that’s coming up is from the number of devices that are being connected to the internet,” he says.
“We’ve grown up thinking of the web as something that’s on servers and displayed on screens, and the security industry has matured around that. But my new car is a computer on wheels. If someone hacks an electric car, which is permanently connected to the internet, they could crash it. It’s entirely plausible.”