According to SCORE, the US association for small businesses, a survey conducted for National Cybersecurity Awareness Month shows that 43% of cyberattacks are targeted at small businesses.
Despite the devastating WannaCry and NotPetya malware outbreaks that quickly swept the globe in 2017, many small businesses are still indifferent about security. While FedEx and Maersk hit the headlines as the big victims of malware in 2017, Malwarebytes reported that 1 in 5 small and medium businesses were forced to halt operations completely and 1 in 3 were infected with ransomware.
The SCORE report says that macro-based malware was the principal means of infection, with online banking and ransomware attacks following behind. Businesses can protect themselves from macro-based malware by running the latest versions of Office 365 and the Office suite, educating users to only download attachments from trusted senders, and disabling macros for users who don’t require them.
For more information about managing macro security in Microsoft Office, see Managing Macro Security in Office 2016 and Code Signing Microsoft Office Macros and Visual Basic for Applications on Petri.
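To check whether macros are actually restricted on a given PC, the following added example (not part of the original article) reads the per-user Office policy settings and reports them for each app. It assumes Office 2016 or later (registry version key 16.0) and that macro settings are delivered as policy; it only reads the registry and changes nothing.

```powershell
# Added example: audit Office macro policy for the current user.
# Assumption: Office 2016 or later, which uses the 16.0 policy key.
# VBAWarnings values: 1 = enable all macros, 2 = disable with notification,
#                     3 = disable all except digitally signed, 4 = disable all.
$meaning = @{
    1 = 'Weak: all macros enabled'
    2 = 'Disabled with notification (user can still enable content)'
    3 = 'Only digitally signed macros run'
    4 = 'All macros disabled'
}
$base = 'HKCU:\Software\Policies\Microsoft\Office\16.0'

$report = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    # A missing key means no policy is set and the user controls the setting.
    $props = Get-ItemProperty -Path "$base\$app\Security" -ErrorAction SilentlyContinue
    $vba   = $props.VBAWarnings
    $block = $props.blockcontentexecutionfrominternet

    $state = if ($null -eq $vba) {
        'Not configured (user controls the Trust Center setting)'
    } elseif ($meaning.ContainsKey([int]$vba)) {
        $meaning[[int]$vba]
    } else {
        "Unknown value: $vba"
    }

    [pscustomobject]@{
        App                = $app
        MacroPolicy        = $state
        BlockInternetFiles = ($block -eq 1)   # macros blocked in files from the internet
        # For users who do not need macros, only values 3 and 4 enforce the restriction.
        NeedsReview        = ($vba -notin 3, 4)
    }
}

$report | Format-Table -AutoSize -Wrap
```

Any row with NeedsReview set to True is an app where a user who does not need macros could still run one from an email attachment.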
Online Banking and Ransomware
Online banking customers should make sure that multifactor authentication is enabled for their accounts. Many banks force the use of multifactor authentication by default, usually with the help of a separate mobile application. Employees should be particularly wary of emails requesting personal information or login details. It’s often possible to spot fraudulent emails because of poor grammar or spelling. If in doubt, use a bookmark or type your bank’s website URL before entering login details instead of using a link provided in an email. However you get there, make sure you carefully check the URL in the browser address bar before entering any details.
Similar advice applies to avoiding ransomware attacks. Users should beware of embedded links in emails requesting they ‘log in’, provide personal information, or download software. Businesses should make sure that Windows stays up-to-date with patches and that other software is also patched promptly. Updating to Windows 10 and using modern hardware can also help protect against ransomware and other forms of malware, including Advanced Persistent Threats (APTs).
Windows is Complex to Manage
Data collected by SCORE and other organizations shows that small businesses are losing the battle against malware. Windows remains the most popular choice for small businesses, but its complexity comes with risks if it is left unmanaged. Unlike Chrome OS, which is a lightweight OS restricted mainly to running apps in a browser, Windows is far more capable and comes with a lot of legacy baggage to ensure backwards compatibility.
S Mode and Core OS
Some devices come with Windows 10 in S Mode, which is a version of the OS that restricts users to installing software from the Microsoft Store. S Mode goes some way to providing the security that large enterprises can achieve by managing Windows with Active Directory, Group Policy, and other management solutions like Mobile Device Management and System Center Configuration Manager. But while S Mode is a good idea in principle, there aren’t enough quality apps in the Store and some websites aren’t compatible with Microsoft’s Edge browser.
Windows Core OS is a project that Microsoft is reportedly working on to modularize Windows so that it can run seamlessly on desktop PCs, mobile, tablets, HoloLens and new types of devices with the help of a composable shell. It isn’t designed to run legacy Win32 apps natively, but Microsoft could provide a solution using virtualization or remote desktop. Windows Core OS is built from the ground up to be lightweight and secure, whereas S Mode is full Windows with some restrictions added to make it more secure and less complex to manage.
Windows Security Best Practices
While we wait for Microsoft to produce a lightweight computing solution that works for small businesses, following best practices, like removing administrator privileges from users and configuring application control so only trusted apps run, can significantly improve your security posture. These measures are not always easy to implement, however, especially where there’s no IT department on hand.