There’s an old norm of social etiquette: It’s not polite to point. Well, as it turns out, it’s also not safe to point, at least not with your computer’s mouse or touch pad, at many seemingly innocuous online ads on webpages you happen to be reading.
It’s one more thing for small and midsize businesses and their managed IT services or staff to worry about. Increasingly, pointing passively at online ads – sometimes without even clicking – can provide a pathway for viruses to enter a small business’ computer systems and networks. Once inside, those viruses can be used to steal key proprietary information and/or private financial and ID data from your company and its customers, partners and vendors.
Such passive pointing hacks are the newest – and hardest-to-detect – ways thieves and menaces are succeeding in their black art. Small and midsize businesses typically lack the sophisticated IT security management used by many big companies. That makes them relatively easy targets for modern hackers. Indeed, a third of all cyber attacks are aimed at small and midsize businesses. Symantec, the big web security software maker, says hacker attacks on small businesses have grown 72 percent in the past few years.
Being well informed is the first step toward lowering a company’s vulnerability. Here’s a quick update on some of the newest and most enduring big threats.
- Drive-bys. An employee, from the lowest clerk to the CEO, visits a legitimate webpage to get some important information for making a decision. While reading, the cursor rolls over an adjacent advertisement. Often, no click is even necessary for a virus illegally piggybacking on that ad to load itself onto the computer. Simply rolling over and/or pausing over it now can be enough for that virus to infiltrate the user’s computer – and the company’s whole network. The best defense is awareness and behavior modification. Employees need to be taught not to roll or hover over ads. Cursors need to rest over white space on the page while users read or scroll.
- Trojans. Long-established malicious programs with names like “Zeus,” “Citadel,” “KINS” and “SpyEye” are still widely used by hackers to gain remote access to companies’ databases and operating systems in order to pirate data. They often enter through increasingly sophisticated and subtle phishing emails. Anti-virus programs don’t catch all of these, especially newer versions. So user education and strict adherence to safe computing practices should be a frequent point of emphasis in small companies’ employee training programs.
- Ransomware. Typically, a virus attacks a business computer system by locking it up and posting a ransom message on the screen. Sometimes these messages purport to be law enforcement warnings or advisories from Microsoft or some other major software supplier. Never pay the ransom. There’s zero assurance that the hackers will cede control of the computer or system, that they haven’t already mined all sorts of important data, or that they won’t lock up the computer or system again in the future. Keep anti-virus protection up-to-date, but even that won’t prevent every such attack. There are some software applications that can remove most ransomware from your network, but data will be lost. So making sure important data is backed up – either to a secure cloud or to a secure offline data storage device – is critical.
- Traditional web hacking. Cyber pirates learn their trade first by exploiting weaknesses in web-based applications – the kind used by small businesses to communicate with their customers and/or manage their businesses. Shockingly, more than two-thirds of all web-based applications do not meet minimum industry security standards. And anti-virus software, while important, can’t cover all those potential holes into a business’ network. So it is best that businesses and their IT managed services providers proactively assume they are always vulnerable and take steps to close new or re-opened security holes on a regular basis. Networks need to be tested regularly against malicious programs that rely on “cross-site scripting,” “cross-site request forgery,” “SQL injection,” and “authorization” exploits. Businesses also need to make sure the company’s IT security expert – whether that’s a consultant, an employee or the business owner – checks the company’s website against the website security standard called the OWASP Top 10. Brand new systems can be designed from the start to use a new, more advanced security platform called SD Elements. Symantec, McAfee, HP and other providers also offer services that actively check websites for security flaws and monitor business systems in real time to detect attacks before they can do much damage.
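Two of the OWASP Top 10 weaknesses named above, SQL injection and cross-site scripting, come down to how a web application handles user input. The example below is added here for illustration and is not code from the original post or from any of the vendors it mentions. It builds a constructed in-memory SQLite table of sample users (the names, hashes and addresses are made up), shows a string-concatenated lookup beside its parameterized replacement, and shows HTML output encoding for the cross-site scripting case. The `demo()` function runs the kind of regression check the post recommends: the same input is sent to both lookups, and the difference in returned rows is the evidence that the hardened version no longer lets input change the query.

```python
import html
import sqlite3

# Constructed sample data standing in for a small business's customer database.
SAMPLE_ROWS = [
    ("alice", "hash-of-alice-password", "alice@example.com"),
    ("bob", "hash-of-bob-password", "bob@example.com"),
]


def make_db():
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Weak form: the user-supplied value is pasted into the SQL text itself,
    so the value can change the meaning of the query (SQL injection)."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, username):
    """Corrected form: a parameterized query. The driver binds the value as data,
    so it can only ever be compared against the column, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_greeting(username):
    """Output encoding for the HTML body context, the standard cross-site
    scripting mitigation: any markup in the value is rendered as literal text."""
    return "<p>Welcome, " + html.escape(username, quote=True) + "</p>"


def demo():
    """Regression check: a well-known tautology input must not widen the result
    set once the query is parameterized. Returns the row counts for comparison."""
    conn = make_db()
    probe = "' OR '1'='1"  # classic test input used by scanners and OWASP guides
    vulnerable_rows = len(lookup_vulnerable(conn, probe))
    hardened_rows = len(lookup_hardened(conn, probe))
    return {"vulnerable_rows": vulnerable_rows, "hardened_rows": hardened_rows}


if __name__ == "__main__":
    print(demo())
    print(render_greeting("<script>alert(1)</script>"))
```

The parameterized query is the fix to ship; the vulnerable function exists only so the check has something to compare against. A managed services provider can keep a check like `demo()` in the application's test suite so that a future change which drifts back to string concatenation fails the build rather than waiting for a scanner to notice.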