S3 IT Security Guide v11 - S3 Technologies


IT SECURITY GUIDE

Cyber Security for SMB Executives

Top 3 Threats, Key Statistics & IT Security Checklists

Is Your Business Protected?

SMB cyber-attacks are growing at an exponential rate. Hackers and scammers are getting more sophisticated in their methods, and the purpose of the attackers is simple: profit. What used to be hackers in their parents' basement has turned into complex cyber-criminal enterprises that specialize in scamming and extorting for money, thrill, or brand and business destruction.

Could You Recover from an Attack?

Having technical resources, expertise and controls in place to protect your business is critical, given ongoing exposure and access to mobile, cloud services and relationships with larger value chain players for business.

3 Top SMB IT Cyber Security Threats

• Impostor Emails
• Ransomware
• Cloud Security

Cyber Security in Canada 2017 Report

[email protected] 1-888-573-8324 page 1

[Infographic: key statistics. Figures shown: 50%, 98%, 71%. Statements shown: "of the Canadian economy is SMBs"; "of data breaches happen to small businesses" (Stayonline.org); "of all small businesses have been the victim of a cyber attack".]

The Canadian Chamber of Commerce


Increase in identified cases of imposter emails: 270% in 2015, and 1000% in 2016

1. IMPOSTER EMAILS

Threat Description

Impostor emails trick people into sending money, or sensitive corporate data, usually via wire transfers, bitcoin transfers or otherwise. Scammers make the email appear to come from high-ranking executives (like a CEO) and often urge the recipient to keep details confidential.

How to Recognize the Problem

Impostor emails succeed for three key reasons:

• They look and feel legitimate.

• They do not include a malicious link or malware attachment.

• They do not arrive in high volumes to raise red flags in most anti-spam tools.

Because these threats do not use malicious attachments or URLs, impostor emails can evade solutions that look only for malicious content or behavior. The table below outlines how to recognize imposter emails.

Targets Types Tactics

• Both large and small companies are increased targets for imposter emails.

• 60% of imposter emails target CFOs & Finance groups and 25% target HR departments.

• Most imposter emails use wire transfers or tax information requests and have an urgent message or tone to them.

• Scammers send an email with a spoofed, or look-a-like email address from the CEO, or other high-level management executive.


Business Impact Examples

• April 2015 – Mattel: A finance executive of the US toy maker transferred USD $3 M to a Chinese bank account after scammers faked an email from new CEO Christopher Sinclair.

• March 2016 – Snapchat: The payroll department of social media giant Snapchat gave over personal details of 700 employees to scammers posing as Snapchat CEO Evan Spiegel.

• August 2015 – Ubiquiti: Ubiquiti, a large technology company, disclosed in a quarterly report a loss of USD $46.7 M to an impostor email scheme.

• A direct S3 client almost transferred $400 K in an Impostor Email scheme.

IMPOSTER EMAIL Protection Checklist

• Create a company policy stating all wire transfers to new accounts must be authorized, or verified, in-person or via phone (not by email).

• Implement a mail security system with advanced features (impostor defense).

• Enforce user education and training.

• While no technology will fully protect a company against this threat, education and internal policies will greatly reduce the likelihood of an incident.

Proofpoint, Guntrip & FBI


35% of Canadian companies report having employees in their organizations targeted by ransomware. (2017 Scalar / Ponemon Institute Survey)

2. RANSOMWARE

Threat Description

Ransomware is a type of malware that is most commonly spread using phishing emails with contagious attachments or hyperlinks to fraudulent websites. The emails and websites are disguised as authentic communications; however, once clicked or accessed, ransomware encrypts files and blocks access until a ransom is paid in exchange for the encryption key. While the United States is reported to be the most affected region for ransomware attacks over the last year at 28%, Canada ranks fourth at 16%.

How to Recognize the Problem

Targets Types Tactics

• Small & large businesses.

• 60% of ransomware attacks originate from email.

• 20% ask for more than $10,000.

• 40% of companies pay ransom demands.

• Crypto is the most common type of ransomware – it prevents access to files and data, usually through encryption.

• Ransomware gains access to a system when a user clicks on unfamiliar links or attachments.

• Ransomware looks for files on a computer, then encrypts them to limit access.


Business Impact Examples

• Of 125 anonymous Canadian companies that participated in a global ransomware survey in 2016, 72% reported being the victim of a cyber-attack in the previous 12 months; of those, 35% were identified as ransomware attacks.

• Attacks can lead to downtime, data loss, damage to an organization’s reputation and significant expense.

RANSOMWARE Protection Checklist

• Closely monitor backups and keep an offsite copy of data.

• Keep operating systems and office suite products up-to-date as well as key applications such as Flash Player and Java.

• Restrict access to data as much as possible and isolate production environments.

• Deploy a firewall with next-generation security features.

• Implement centrally managed anti-virus protection on all devices.

• Enforce user education and training around clicking on emails or suspicious communication.


In 2016 alone, 62 new ransomware families made their appearance. Attacks on business increased three-fold. And one in five SMBs who paid a ransom never got their data back, according to a 2016 Kaspersky Security Bulletin.

“Nearly 60% of all Ransomware attacks in the enterprise demanded over $1,000. Over 20% of attacks asked for more than $10,000, 1% even asked for over $150,000.” – Malwarebytes


CLOUD SECURITY Protection Checklist

• Keep a copy of your data outside your cloud provider.

• Implement single sign-on with two-factor authentication for all Cloud Services.

Spending on Public Cloud Computing in Canada: $2.3 Billion (2016), $5.5 Billion (2020)

3. CLOUD SECURITY

Increasing Threat

“Cloud services are now a regular component of IT operations, and utilized by more than 90% of organizations around the world,” states an Intel Security / McAfee 2017 survey titled Building Trust in a Cloudy Sky: The state of cloud adoption & security.

Because the cloud contains sensitive data of millions of companies and people, Cloud Services are increasingly becoming a target of attacks from hackers. Services from email to infrastructure have moved into the cloud. On the security side, Canadian IT News states that, “about one in three SMBs worry about security and privacy in the cloud.”

Ongoing Cloud Security Concerns

Based on a comprehensive online survey of over 1,900 cyber security professionals in the 350,000-member Information Security Community on LinkedIn, cloud security concerns top the list of barriers to faster cloud adoption. Concerns include protection against data loss (57%), threats to data privacy (49%), and breaches of confidentiality (47%). The table below outlines how to recognize a cloud security breach.

Targets Types Tactics

• Cloud applications and infrastructures.

• Types of systems targeted: CRM, ERP, SCM, Inventory Management, Marketing & Sales, Customer Service and more.

• Hackers gain access to cloud control panels, databases, applications.


Business Impact Example

The Code Spaces business case demonstrates a cloud security breach. Code Spaces was a company that offered developers source code repositories and project management services. Code Spaces was built mostly on Amazon’s AWS, using storage and server instances to provide its services. Those server instances were not hacked, nor was Code Spaces' database compromised or stolen. According to the Code Spaces website, an attacker gained access to the company's AWS control panel and demanded money in exchange for releasing control back to Code Spaces. The company did not comply; the attacker began deleting resources, and Code Spaces went out of business.


IN CONCLUSION

Reality & Prevention

The problem is, most organizations are not in the “IT security business.” It is becoming increasingly complex and costly, even for large companies – with entire IT divisions – to protect themselves against 100% of cyber threats. According to industry guidelines, “a small business should spend anywhere from 3-7% of its IT budget on security. Larger companies, on average, spend closer to 15%.”

S3 RECOMMENDATIONS

• Create an information security strategy.

• Put employee training and awareness programs in place.

• Have security baselines / standards for 3rd parties and data-sharing.

• Leverage the cloud properly for back-ups and security.

• Appoint an internal person, or leverage a trusted 3rd party expert like S3 Technologies, to be responsible for IT Security assessments, back-ups and redundancy plans, frameworks and active monitoring.

• Think about IT security as a continuous process.

Dangerous Disconnect

58% of SMBs are concerned about cyber-attacks, BUT 51% are not allocating any budget at all to risk mitigation.

Business owners are responsible for protecting themselves.


“Experts ... openly admit it’s not a question of if an organization will be breached but, whether an attacker is already within your organization.” - Kevvie Fowler, KPMG Canada

And For Your Business?

What is your strategy?

How do you compare to the stats?

Do you have a plan?


Page 1 - Introduction

http://chamber.ca/download.aspx?t=0&pid=45d7b003-3716-e711-b105-005056a00b05

Page 2 – Imposter Email

http://www.itworldcanada.com/article/the-alarming-rise-in-imposter-email-calls-for-new-lines-of-defence/384960#ixzz4eYG0gmHR

http://www.theherald.com.au/story/3852049/impostor-email-spike-as-scammers-pretend-to-be-your-boss/?cs=33

http://www.newsjs.com/url.php?p=http://wccftech.com/snapchat-employee-falls-for-a-phishing-scam/

http://fortune.com/2015/08/10/ubiquiti-networks-email-scam-40-million/

https://www.proofpoint.com/us/impostor-email-threats-infographic

https://www.fbi.gov/news/stories/business-e-mail-compromise

Page 3 – Ransomware

http://globalnews.ca/news/2641249/ransomware-on-the-rise-in-canada-how-to-protect-your-data/

http://www.esecurityplanet.com/malware/types-of-ransomware.html

https://www.bennettjones.com/Publications%20Section/Blogs/Rise%20of%20Ransomware%20Attacks%20in%20Canada%20Businesses%20Beware

https://www.malwarebytes.com/pdf/white-papers/UnderstandingTheDepthOfRansomwareIntheUS.pdf

http://www.theglobeandmail.com/report-on-business/small-business/sb-managing/small-businesses-can-be-easy-targets-for-hackers/article34031321/

http://www.lexology.com/library/detail.aspx?g=954259cf-4c09-4532-a831-76f580783e9f

https://www.datto.com/blog/common-types-of-ransomware

https://securelist.com/analysis/kaspersky-security-bulletin/76757/kaspersky-security-bulletin-2016-story-of-the-year/

http://blog.checkpoint.com/wp-content/uploads/2017/02/H2_SummaryGlobal_Report_170210_A.cleaned.pdf

http://www.dotfab.com/resources/remove-royal-canadian-mounted-police-virus-on-mac-browser-ransomware-removal-guide/

https://media.scalar.ca/uploads/2017/02/Scalar_SecurityStudy2017.pdf

http://www.thewindowsclub.com/ransomware-attacks-definition-faq

Page 4 – Cloud Security

https://www.forbes.com/sites/louiscolumbus/2017/04/29/roundup-of-cloud-computing-forecasts-2017/#8e9018831e87

https://www.mcafee.com/us/resources/reports/rp-building-trust-cloudy-sky-summary.pdf

http://docplayer.net/34242416-How-the-microsoft-ecosystem-and-cloud-computing-will-create-110-000-new-jobs-in-canada-from-2015-to-2020.html

https://media.scalar.ca/uploads/2017/02/Scalar_SecurityStudy2017.pdf

http://www.itworldcanada.com/article/only-half-of-canadian-smbs-are-using-cloud-technology-survey/377682

https://www.salesforce.com/ca/blog/2015/02/why-canadian-firms-want-more-cloud-computing-.html

http://www.biztechmagazine.com/article/2017/02/small-businesses-are-embracing-saas-cloud-deployments-survey-says

http://www.csoonline.com/article/2126885/cloud-security/saas--paas--and-iaas--a-security-checklist-for-cloud-models.html

http://www.cybersecurity-insiders.com/portfolio/download-cloud-security-report/

Page 5 – Conclusion & Recommendations

http://www.theglobeandmail.com/report-on-business/small-business/sb-managing/cyberattacks-an-ongoing-threat-to-canadian-small-businesses/article22653793/

http://www.huffingtonpost.com/joe-ross/the-state-of-small-busine_b_9911704.html

Additional Related Sources

http://globalnews.ca/news/2793414/average-cost-of-data-breach-in-canada-is-6-03m-study/

http://blog.checkpoint.com/wp-content/uploads/2017/04/Dimensional_Enterprise-Mobile-Security-Survey.pdf

https://nakedsecurity.sophos.com/2016/12/19/ransomware-payouts-heading-for-1bn-a-year/

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks

http://www.comscore.com/Insights/Blog/Smartphone-Apps-Are-Now-50-of-All-US-Digital-Media-Time-Spent

https://www.welivesecurity.com/2017/03/10/mobile-security-the-reality-of-malware-augmented/

https://hbr.org/2016/09/your-biggest-cybersecurity-weakness-is-your-phone

https://smallbiztrends.com/2017/01/cyber-security-statistics-small-business.html

http://www.biztechmagazine.com/article/2017/02/small-businesses-are-embracing-saas-cloud-deployments-survey-says

GUIDE LINK SOURCES


About S3

Since 2003, S3 Technologies has accumulated expertise in managing a wide variety of networks, infrastructures and applications with a team of over 60 people. Our focus is on SMB IT Managed Services and Cloud Computing. We are now the largest, long-standing MSP (Managed Service Provider) serving the greater Montreal and Toronto areas.

Contact Information

MONTREAL
3445, avenue du Parc, Suite 201
Montreal, QC, H2X 2H6

[email protected]

TORONTO
250 University Ave, Suite 211
Toronto, ON, M5H 3E5

[email protected]

Why this IT Security Guide?

To provide Small & Medium Business Owners and C-Level Executives with a summary of the top cyber-security threats to business today along with must-know statistics.

A description of the threat, how to recognize the problem, its business impact and a protection checklist are provided so you can take active steps to ensure a safe environment. The proliferation of the internet and application access, high mobile usage, remote offices and advances in technology, for both businesses and hackers, have created an environment that drives us to put additional layers, tools and processes in place to stay aware and secure.

Cybersecurity incidents in Canada increased by 160% year over year, according to PwC Canada’s 2016 Global State of Information Security Survey.
