Biggest Cybersecurity Threats Facing Small Businesses

Stay-at-home orders in more than 40 states during the coronavirus pandemic forced millions of businesses to establish remote workforces that rely on web applications and internet-hosted software as a service (SaaS). The remote workplace is now a way of life, and with it come increased cybersecurity concerns for small business owners, many of whom have no remote work policy that addresses online security threats.

Employees working remotely need specific protocols so they do not fall victim to fraud or infect company networks. Some 63 percent of businesses surveyed by Upwork said they regularly hire remote employees, yet 57 percent have no remote work policy that addresses security. Many businesses had no such practices in place even before the pandemic shook the world.

Cybersecurity threats worry companies of all sizes, but small and medium-sized businesses (SMBs) are especially vulnerable, and an attack is a far greater financial hardship for them. A single incident could put a small firm out of business.

There is a common misconception that SMBs are too small to be a target. Attackers increasingly automate scanning and exploitation, so an exposed service is found and attacked regardless of who owns it, and hundreds of thousands of SMBs can be targeted at once.

SMBs also tend to have less comprehensive technical defenses, and small business owners are often unaware of the latest threats. This makes SMBs an easier target than large enterprises, but not necessarily a less lucrative one.

The FBI’s Internet Crime Complaint Center (IC3) released its annual Internet Crime Report in February 2020 for 2019. It shows that collective business losses due to cybercrimes topped $3.5 billion. The year 2019 saw the most complaints and the highest dollar losses reported since the center was established in May 2000. The IC3 received 467,361 complaints in 2019 — an average of nearly 1,300 every day.

The agency didn’t see an uptick in new types of fraud but rather saw criminals deploying innovative tactics and techniques to carry out existing scams. As criminals get more sophisticated, it’s getting harder for victims to spot the red flags.

A research report from the insurance carrier Hiscox indicates that cyberattacks cost companies of all sizes $200,000 on average, and 60% go out of business within six months of being victimized. The number of firms reporting cyber incidents has risen from 45% in 2018 to 61% in 2019 and this number is already trending upward for 2020.

On the flip side, the report also says that 66% of SMB executives don’t think they are vulnerable to a hack or will be a target. Further, 6 in 10 SMBs have no digital defense plan in place at all and digital threats tend to be undetected for an average of 101 days.

Hacking Threats Versus Human Error

It is estimated that there are upwards of 500 new hacking threats per minute but human error and employee carelessness are often to blame as well. Just 3 in 10 employees get annual cybersecurity training. Some companies don’t institute best practices when it comes to cybersecurity and some don’t even have a baseline level of security around internet-facing assets like web servers.

A survey by the worldwide document destruction company Shred-It found that 25 percent of employees leave their computers unlocked and unattended. This behavior can give fraudsters access when employees step away.

According to the Verizon 2019 Data Breach Investigations Report, employee or contractor negligence is the root cause of 24% of data breaches. The top human errors that lead to breaches include:

  • Emailing data to the wrong recipient

  • Emailing sensitive documents

  • Accidentally posting confidential data online

  • Misconfiguring an asset (a cloud storage bucket, database or file share) so that it is reachable by people who should not have access

The share of businesses hit by a cyber incident rises year on year, and the risk does not discriminate by company size or sector. More than half of all small businesses suffered a breach in the last year and 4 in 10 experienced more than one attack, according to the report.

To successfully fight against malicious intent no matter the cause, it’s imperative that SMBs make cybersecurity awareness, prevention and best practices a part of their business culture. In addition, cybersecurity training should be prioritized to reduce risk.

The 2019 Travelers Risk Index indicates that cybersecurity is now a top business concern across all sectors. The risk to small businesses is up 200% and to medium firms, 100%. Cybersecurity protocols must be constantly maintained in order to remain effective. If you put a security system in place and then forget about it, your business will be vulnerable to an attack. As technology evolves, methods for protecting data have to keep up.

The top cybercrimes reported to the FBI in 2019 were:

  • Phishing – scammers attempt to grab personal data by sending people deceptive e-mails and websites.

  • Vishing – voice phishing: phone fraud that uses social engineering to extract personal data.

  • Smishing – a method of phishing that uses text messages.

  • Pharming – redirecting traffic for a legitimate website to a fraudulent copy, typically by tampering with DNS or the victim’s hosts file.

  • Non-Payment – merchandise is shipped but payment is never received.

  • Non-Delivery –  goods never arrive even though payment was sent.

  • Extortion – fraudsters use threats or intimidation to obtain money or property.

What to Know About Phishing and Malware

Many scams start with an email to employees carrying an attachment or link that, when opened, launches malware that spreads through your network. Phishing attacks account for the majority of breaches SMBs face, growing 65% from 2018 to 2019 and accounting for over $12 billion in business losses. The Verizon study found that 94 percent of malware was delivered via email.

Phishing attacks occur when a fraudster pretends to be a trusted contact and entices a user to click a malicious link, download a malicious file, or give them access to sensitive information, account details or credentials.

Phishing attacks have grown more intelligent, with scammers mimicking real business contacts convincingly. In a Business Email Compromise (BEC) scam, the fraudster either takes over a senior executive’s mailbox, typically by phishing the password, or spoofs it convincingly, and then uses that identity to ask an employee for a wire transfer or a change of payee bank details. The FBI’s figures put cumulative BEC losses in excess of $12 billion.

Phishing is hard to fight with technology alone, which makes it especially damaging. Attackers use social engineering, the psychological manipulation of getting people to do something, to target employees or executives rather than technical weaknesses. Many of these emails are highly sophisticated, designed to look like a message from a business partner or a colleague. Email authentication (SPF, DKIM and DMARC) stops outright spoofing of your own domain, but it does nothing against a lookalike domain or a genuinely compromised partner mailbox, so staff still need to recognise the pattern.
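As an added example (not code from the original article), here is a small Python triage check that applies the BEC signals just described to an inbound message: an executive’s display name arriving from an outside domain, a lookalike sender domain, a Reply-To that diverts the conversation elsewhere, and urgency or payment wording in the body. The corporate domain, the executive names and the two sample messages are all constructed for the illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumptions for the illustration: the business's real mail domain and the
# executive display names an impersonator would copy (all hypothetical).
CORPORATE_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"Jane Doe", "John Smith"}
URGENCY_WORDS = ("urgent", "wire", "immediately", "gift card", "confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot typosquatted domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_findings(raw_message: str) -> list:
    """Return human-readable BEC indicators found in one RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = domain_of(reply_addr)

    # 1. A known executive's name on a message that did not come from our own domain.
    if from_name in EXECUTIVE_NAMES and from_dom != CORPORATE_DOMAIN:
        findings.append(f"executive display name '{from_name}' sent from external domain {from_dom}")

    # 2. Sender domain one or two edits away from ours (typosquat), or a punycode (IDN)
    #    label that may render as a homoglyph of ours.
    if from_dom != CORPORATE_DOMAIN and 0 < levenshtein(from_dom, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")
    if any(label.startswith("xn--") for label in from_dom.split(".")):
        findings.append(f"punycode sender domain {from_dom}")

    # 3. Reply-To quietly redirects replies to a mailbox the attacker controls.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 4. Pressure language typical of payment fraud.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Urgent wire needed today
Content-Type: text/plain; charset=utf-8

I am in a meeting and need you to process an urgent wire transfer immediately.
Keep this confidential.
"""

SAMPLE_LEGITIMATE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Quarterly review
Content-Type: text/plain; charset=utf-8

Please send me the Q2 numbers when you have a moment.
"""

if __name__ == "__main__":
    for name, sample in (("BEC", SAMPLE_BEC), ("legitimate", SAMPLE_LEGITIMATE)):
        print(name, bec_findings(sample))
```

The check is deliberately header-driven: display names and body text are what the recipient sees, while the sender domain and Reply-To are what the mail system sees, and BEC lives in the gap between the two. In production the flagged messages would be quarantined or banner-tagged rather than blocked outright, since a legitimate partner can also write from a personal address.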

The 2020 SonicWall Cyber Threat Report shows that cybercriminals are being more targeted in their phishing efforts. There are more than 153,000 never-before-seen malware variants — a 145% year-over-year increase — and nearly 440,000 malware variants were found. A new phishing site launches every 20 seconds.

Spear Phishing and Ransomware Attacks

Spear phishing is a targeted attempt to extract information or action from a specific individual. The emails are convincing, using industry-specific wording, the company’s logo, and details gleaned from public sources such as the company website or social media.

One particularly insidious spear-phishing variant, whaling, targets c-suite executives or impersonates them. The classic form is a fake email from the chief executive officer asking the chief financial officer to make an urgent payment.

In a ransomware attack, criminals encrypt corporate files so owners and employees can no longer access them, then demand a ransom payment for the decryption key. Beyond the ransom itself, a business can lose days of operation and, if it has no recoverable copy, the data itself. Attackers know that smaller businesses are more likely to pay because their data is often not backed up, or is backed up only to a network location that the ransomware encrypts as well.

The best-known ransomware outbreak was WannaCry in May 2017. It was a worm: rather than arriving by email, it spread on its own by exploiting an unpatched Windows SMBv1 vulnerability (MS17-010) to reach other machines, encrypting files and displaying a ransom note demanding payment in Bitcoin. Most ransomware is less exotic and does arrive through phishing: a legitimate-looking email carries an attachment or link whose payload, once launched, encrypts files on the victim’s machine and on any network share it can write to, then displays the ransom notice.

Best Practice for Protecting Your SMB from Cyberattacks

The only way to help ensure cyber resiliency is to institute a security and risk management program with controls in place to reduce vulnerability. It is also critical to continually monitor for changes in risk over time. These best practices can get you on your way to resiliency.

  • Install A Unified Threat Management (UTM) Appliance. A UTM bundles a firewall with intrusion prevention, web and content filtering, anti-malware scanning and VPN in a single device, so it inspects far more than a basic packet-filtering firewall does. It is a sound foundation and a first line of defense, but only if its signatures are kept updated and its logs are actually reviewed.

  • Document Security Policies. SMBs that do not have a policy in place can not only leave themselves exposed to external threats but could also invite legal issues. Documenting information procedures helps you evaluate when and how tasks are completed. It also has the added benefit of being an effective way to transfer knowledge to new employees.

  • Train Employees in Security Principles. The biggest threat to SMBs is not from the outside. Employees need awareness training about cybersecurity so they can better identify phishing emails and other malicious attacks. Develop rules of behavior that explain data handling best practices to protect business and customer information as well as other sensitive data.

  • Backup All Data. It is always better to be safe than sorry when it comes to data. Keep at least two backups, one onsite and one offsite; the offsite copy protects against fire, flood and theft. Make sure at least one copy is offline or otherwise immutable, because ransomware that reaches the network will encrypt any backup it can write to. Test restores regularly: an untested backup is not a backup.
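The ransomware section above and this backup item come down to the same two questions: can the business actually restore, and can it tell that a backup copy has not been altered since it was written? The Python below is an added example, not the article’s or any vendor’s code. It writes a compressed archive, records its SHA-256 digest beside it so later modification or encryption of the archive is detectable, and performs a restore test into a scratch directory, comparing file hashes against the source. Directory names and sample files are constructed for the illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path


def tree_digest(root) -> dict:
    """Map each file's relative path to its SHA-256 so two trees can be compared by content."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(data_dir, backup_dir, stamp: str) -> Path:
    """Archive data_dir into backup_dir/backup-<stamp>.tar.gz and store its digest beside it."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"backup-{stamp}.tar.gz"
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(data_dir), arcname=".")
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    Path(f"{archive}.sha256").write_text(digest)
    return archive


def checksum_ok(archive) -> bool:
    """True if the archive still matches the digest recorded when it was written."""
    archive = Path(archive)
    recorded = Path(f"{archive}.sha256").read_text().strip()
    return hashlib.sha256(archive.read_bytes()).hexdigest() == recorded


def restore_test(archive, data_dir) -> bool:
    """Extract the archive into a scratch directory and confirm it reproduces data_dir exactly."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            # The 'data' filter (Python 3.12+, backported to maintenance releases) refuses
            # archive members with absolute paths or '..' components; fall back where absent.
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        return tree_digest(data_dir) == tree_digest(scratch)


def run_demo() -> dict:
    """Exercise the routine on constructed sample data and report each check's outcome."""
    with tempfile.TemporaryDirectory() as base:
        base = Path(base)
        data = base / "data"
        (data / "sub").mkdir(parents=True)
        (data / "ledger.csv").write_text("date,amount\n2020-05-01,100\n")  # constructed
        (data / "sub" / "notes.txt").write_text("constructed sample file\n")  # constructed
        archive = make_backup(data, base / "backups", "20200501-0200")
        results = {"checksum_ok": checksum_ok(archive), "restore_ok": restore_test(archive, data)}
        # Source changed after the backup: a restore test must now report a mismatch.
        (data / "ledger.csv").write_text("encrypted by ransomware")
        results["restore_detects_drift"] = not restore_test(archive, data)
        # Archive modified after the fact (e.g. encrypted in place): the checksum must fail.
        with open(archive, "ab") as fh:
            fh.write(b"tampered")
        results["checksum_detects_tamper"] = not checksum_ok(archive)
        return results


if __name__ == "__main__":
    print(run_demo())
```

The digest file only helps if it is stored somewhere the ransomware cannot reach (an offline copy, or alongside an immutable object-storage copy); a digest sitting next to the archive on the same writable share can be rewritten along with it. The restore test is the part most SMBs skip, and it is the only step that proves the backup is usable.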

  • Install Endpoint Security Measures. It is vital to protect the endpoints of a network (smartphones, tablets, laptops), which are an easy entry point into your systems. Endpoint security ensures that every device granted network access meets your security standards, and it is especially important for mobile devices.

  • Mobile Device Security. Bring Your Own Device (BYOD) is a common practice in SMBs so it is vital to have a specific security plan just for mobile devices. Employees should be instructed to set automatic security updates on their mobile devices so data is fully protected as well as the network connected to the devices.

  • Implement Multifactor Authentication (MFA). MFA requires a user to present two or more independent factors before being granted access: something the user knows (a password), something the user has (a phone-generated code or a hardware security key) or something the user is (a biometric). The common setup is a password plus a code from an authenticator app. SMS codes are the weakest second factor because they can be intercepted through SIM swapping; app-generated codes are better, and FIDO2 hardware keys are better still because, unlike a typed code, they cannot be phished and relayed in real time.

  • Insist on Safe Password Practices. An estimated 60 percent of data breaches involve an old or weak password. Enforce a password policy on every account and device: require length (12 characters or more) rather than complicated character rules, screen new passwords against lists of known-breached passwords, never reuse a password across services, and provide a password manager so that is practical. Do not force routine rotation every 60 to 90 days: NIST SP 800-63B advises against periodic expiry because it drives predictable minor variations, and instead requires a change whenever there is evidence of compromise.

  • Institute Patch Management. Patches close security holes before attackers can exploit them. Keep an inventory of what you run, apply vendor updates promptly (automatically where possible), and prioritize anything internet-facing. The SMBv1 flaw that WannaCry exploited had been fixed by Microsoft’s MS17-010 update two months before the outbreak; systems that had applied it were not infected.

  • Adopt Identity And Access Management (IAM). By implementing access controls you minimize unauthorized access to sensitive information. SMBs should have access control policies defined for all employees. There are four common models:

      • Discretionary Access Control (DAC) – the data owner controls access, granting rights to individual users or groups; file permissions and access control lists are the familiar form.
      • Mandatory Access Control (MAC) – a central authority labels information by sensitivity and assigns clearances to people; access follows the labels, not the owner’s wishes.
      • Role-Based Access Control (RBAC) – access follows a user’s job role and what that role needs. It is the natural way to implement “least privilege” and “separation of duties.”
      • Attribute-Based Access Control (ABAC) – policies evaluate attributes of the user, the resource, the action and the environment (department, data classification, time of day) to decide each request.
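To make the four models concrete, here is an added Python example (not from the article) that implements a deny-by-default decision under each: a DAC access control list maintained by the file’s owner, a MAC check of clearance against sensitivity label in the Bell-LaPadula style, an RBAC role table that also enforces a separation-of-duties constraint, and an ABAC rule combining department and time-of-day attributes. The users, roles and resources are hypothetical sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    name: str
    roles: frozenset
    department: str
    clearance: int     # MAC: 0 = public ... 3 = secret


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str          # e.g. "invoice"; the RBAC permission table keys on this
    owner: str
    department: str
    label: int         # MAC sensitivity label on the same scale as clearance


# DAC: the owner decides who else gets in. Constructed sample ACL.
ACL = {"q2-forecast.xlsx": {"alice": {"read", "write"}, "bob": {"read"}}}

# RBAC: each role carries only the (resource kind, action) pairs its job needs (least privilege).
ROLE_PERMS = {
    "accountant": {("invoice", "create"), ("invoice", "read")},
    "approver":   {("invoice", "approve"), ("invoice", "read")},
    "viewer":     {("invoice", "read")},
}
# Separation of duties: whoever creates an invoice must not also be able to approve it.
EXCLUSIVE_ROLE_SETS = [frozenset({"accountant", "approver"})]


def dac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    if subject.name == resource.owner:
        return True
    return action in ACL.get(resource.name, {}).get(subject.name, set())


def mac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    if action == "read":   # no read up: clearance must dominate the label
        return subject.clearance >= resource.label
    if action == "write":  # no write down: high data must not flow into a lower-labelled object
        return subject.clearance <= resource.label
    return False


def rbac_allows(subject: Subject, resource: Resource, action: str) -> bool:
    if any(pair <= subject.roles for pair in EXCLUSIVE_ROLE_SETS):
        return False       # toxic role combination: deny until the assignment is corrected
    return any((resource.kind, action) in ROLE_PERMS.get(r, set()) for r in subject.roles)


def abac_allows(subject: Subject, resource: Resource, action: str, hour: int) -> bool:
    same_department = subject.department == resource.department
    business_hours = 8 <= hour < 18
    return same_department and (action == "read" or business_hours)


if __name__ == "__main__":
    alice = Subject("alice", frozenset({"accountant"}), "finance", 2)
    invoice = Resource("INV-1001", "invoice", "bob", "finance", 1)
    print("create:", rbac_allows(alice, invoice, "create"), "approve:", rbac_allows(alice, invoice, "approve"))
```

Real systems mix the models: an SMB file server is DAC on top of RBAC groups, a cloud provider’s policy language is ABAC, and MAC appears mainly in regulated or government environments. Whatever the model, the evaluator should return False for anything it does not explicitly recognise, as each function above does.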