Hackers target SMEs too
Technology is enabling small businesses to operate more efficiently, but with greater connectivity comes greater risk, and many SMEs do not have adequate cybersecurity.
When it comes to cybersecurity threats, SMEs are more at risk than bigger businesses, and those operating in the property sales and rental space have come under attack recently, says BUI’s Handre van der Merwe. Forbes lists the top threats facing the property sector as:
1. Business e-mail compromise
2. Mortgage closing wire scam
4. Generic malware
5. Cloud computing providers
When successful cyber attacks are reported in the news, it’s generally larger enterprises that are affected. This often creates the impression that cybercriminals only target big companies. However, this is not the case, according to Van der Merwe.
He says: “Hackers are deliberately targeting smaller businesses, like estate agents, because they’re generally not well informed about the risks that are out there, and often don’t have adequate cybersecurity practices in their business.
“You might think that an SME doesn’t have much to interest a hacker, but if you consider the property sector, estate agents have access to their clients’ personal information, including their banking information. The agents manage large transactions and some agents might manage 100 properties, each with different banking details, including those of landlords and tenants. In addition, they hold deposits in trust accounts, so we’re not only talking about personally identifiable information, there’s also a significant amount of risk within the transaction component of the business.”
SMEs are an easy target because they frequently don’t have a lot of money to spend on security. Van der Merwe says that based on recent conversations with people working in the real estate industry, it has become clear that security awareness and training is not a top priority for many organisations. This has resulted in companies and real estate customers being cleaned out, or losing their life savings to a Man in the Middle attack.
Businesses that have their own IT departments, or even SMEs that belong to a larger group, are slightly better off from a cybersecurity standpoint. But SMEs consisting of 20 or so people are sitting ducks for cybercrime. SA is a particularly attractive proposition for cybercriminals. The global Cyber Exposure Index ranks SA as third on the list of most-targeted countries for cyber attacks. One global study suggests that 58% of all breach victims were categorised as small businesses.
SMEs make easy targets because they often send confidential information over e-mail without encrypting that information. In the case of an estate agent, this makes it easy for cybercriminals who are monitoring the SME’s e-mails to intervene before the client transfers funds. The criminals intercept the e-mail and change the banking details therein, then e-mail the client, pretending to be the estate agent, and ask for immediate payment. They tend to do this on a Friday or over a long weekend. By the time Monday arrives, they’ve had time to get away with the money.
Van der Merwe explains: “It can be harder to trace the transaction because possibly three or four days have already passed since the scam, banks don’t operate at full capacity over the weekend, and the bad guys will have moved the money around multiple times by the time the alarm is raised.
“The SME is awaiting payment, the client says they’ve paid and the cybercriminal gets away scot-free. The lines can become very blurred when it comes to finding someone to blame. In a worst-case scenario, the real estate agent could be held accountable if legal action is pursued and if they’ve failed to adequately protect the customer’s information. However, with new cybercrime laws imminent, this will be less of a guessing game in the near future.”
It must be said that the implications of cyber attacks on SMEs goes beyond just the inconvenience factor. There are legal implications, and massive fines, that business owners need to be cognisant of. SMEs that process the data of EU citizens have to comply with legislation such as Europe's General Data Protection Regulation (GDPR) and, once it comes into effect, SA’s Protection of Personal Information Act (POPIA), as well as King IV, which applies to companies listed on the JSE.
Tips to avoid it happening to you
Van der Merwe says: “There are a couple of things that SMEs can do on their e-mail accounts to try to prevent this from happening. These include using a cloud solution provider with enterprise-grade security features that will protect your e-mail and data from interception and other attacks. There are a number of basic things you can do to protect your e-mail, but hire a professional company to audit your environment and ensure you are set up correctly and securely.”
Just enabling the Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) on their e-mail service can help prevent spoofing and phishing attacks. Companies should also encrypt their information as best practice. A quick Google search for five top tips with regard to e-mail security advises the following:
- Don’t click on links in e-mails;
- Don’t open attachments from unfamiliar sources;
- Scan for viruses and malware;
- Use strong passwords; and
- Train staff on e-mail security.
Van der Merwe has four pieces of advice for SMEs wanting to protect their data and networks against cybercriminals:
1. Create awareness within the business about the risks.
2. Have disaster response and business continuity plans in place, should a cyber attack occur.
3. Leverage the power of the cloud for continuous cyber defence (threat detection and mitigation), real-time visibility and actionable data (via SIEMs and customised alert notifications).
4. Hire a professional to come and audit your environment and set-up.
In addition, he advises that SME employees refrain from using their work e-mail to sign up for services like Facebook or online games. “You must separate your personal and work identities as this is where many companies are targeted.
“There are basically two types of business in SA: those that have been hacked and those that have been hacked but haven’t realised it yet. The onus is on businesses to educate themselves about cyber security and take the necessary precautions.”
To read more about cyber security for the real estate industry specifically, click here.