Is my business too small to be hacked by a nation-state (or should I worry)?

Small businesses have their hands full these days in light of a down economy, tightening budgets and the steepening pace of business, but with nation-state hacks front and center in the threatscape, should you worry about those too, or are you (and your customers) safe?

Nation-state hacks bring to mind images of large defense contractors, big government offices, and/or high profile financial institutions. After all, if a bad actor overseas stole the cutting edge design of a new nuclear reactor, it would be quite a haul for that government and its cronies – and worth their time, money and effort to go after. But you’re a small business, too small to garner that kind of attention, right?

Architect firms in Peru no doubt thought along those same lines, up until the time that critical design documents started   magically  exfiltrating out over the Internet. The malicious software called ACAD/Medre.A, which we wrote about here, and which was doing that exfiltration, taught us that even if you’re small, you still might posses critical data, and losing that data can have a real impact on your viability as a business. Suppose your bid to build a skyscraper includes highly detailed designs reflecting much hard work and due diligence, which are then stolen by a competitor with close ties to government and significantly undercuts you because they don’t need to spend and recoup the cost of preparing the bid. You could see an eerily-familiar-looking building when the contractor is finished, just like the one you designed.

What if you had some dealings with a government entity on small contracts? Georbot, which we wrote about here, taught us that remote spy software was searching for key government terms on users’ computers, and then silently attempting to exfiltrate them to far-flung regions to be data mined for nuggets.

What if you’re a small systems integrator that works on electrical plants? With the recent rash of SCADA angled attacks, your small business might be worth scouring around for access credentials to critical infrastructure controls, as a platform for ransom schemes or other nastiness.

The sad reality is that the typical small business doesn’t have in place adequate defenses against this type of threat. We’re talking well-financed, well-orchestrated attacks, that specifically target you (or similar targets in your market segment). That means the attackers have the time to do it right. And if they’re after information that could be worth a lot, they can spend to get it.

So how do you protect yourself? The first part of a nation state attack is likely to be intelligence gathering. They want to know and understand your network. Think of it like getting a blueprint of the bank prior to a bank robbery, you’re not primarily interested in the blueprint, but what information it provides to facilitate your endeavor.

In a cyber-assault on your company the first stage of a nation state attack might be to try to pierce your perimeter network defenses and look around. So here’s the part that’s critical: rogue processes that suddenly appear and start scouring your internal networks are a red flag that someone’s trying to gather intelligence. Stop them here and you’ll go a long ways toward fending off successive stages. Without a map of what they’re looking for, it’s much tougher for them to find it.

Second, watch outbound attempts to transfer data to strange places, especially at strange times, and more especially in large spikes of traffic. Those are several key indicators that bad things are happening, and your network sensors should alert you quickly.

Third, the endpoint tends to be the weak point and most frequently exploited. Someone lets in the bad guys accidentally or they get in because someone is not using adequate endpoint security. This breach of defenses may come in the form of a rogue attachment on an email, or in a social network message. If a user doesn’t know better and clicks on the wrong thing, and they are not running anti-malware, then your troubles may just be starting.

The good news? With a few pieces of network hardware and time spent educating users (and good endpoint security), you can go a long way toward stopping nastiness. Many modern business routers have intrusion detection defenses built in. These can be enabled by simply checking boxes on the router control panel. They also support notifications via email if bad things appear to be happening. This hardware is well within the reach of most small businesses, budget-wise.

Yes, there are better (and more complex/expensive) defenses, but that’s a good start and males you more secure than many businesses that don’t even have the basics in place yet. These steps can go a long ways toward keeping you safe, particularly if your users also know how to spot a malicious scam attachment in their email and not click on it.

Author , ESET

  • Ari Goldstein

    Just catching up with the archves. I have clients who use the 'Why would they want access to my little business??' as a reason to ignore problems. I am very glad you put together a subjective and informative piece.  Thanks!
    PS  "but that’s a good start and males you more secure that many businesses"
    I think there is a typo there.

    • David Harley

      Thanks, Ari. Fixed. :)

  • Andrea Ebbing

    This is exactly what makes the ESET Endpoint Antivirus and/or Security a necissity. This solution allows for the "Army of 1" entrepreneur to focus his or her last waking moment on finally updating that market analysis before getting back to building their business 3 hours later. It is also a great solution for companies who have reached their tipping point and are in the process of either going public or selling. Who has the time to worry about malware when there are millions on the table? As a former marketing agency owner, I am keenly aware of the intensity and "actual priority" in terms of ones mental and physical bandwith during the build out phase. Eating and sleeping are a luxury, and walking to Starbucks to fuel up for a second shift is a vacation. While even the "techiest" of business owners could "technically" attempt to dissect and determine their unpatched software vulnerabilities, chances are, the task would remain on the list of "To Do's" for months to come. Since time IS money, this is such a great way to give back the gift of time to those who truly utilize every second of it. Not only for the speed and predictability of the product (which has very little impact if any on the speed of your computer), but also for the time spent trying to determine the best way to protect your personal information and business venture.

  • Andrea Ebbing

    necessity. Ahh human error :-)

Follow us

Copyright © 2017 ESET, All Rights Reserved.