The Top 5 Biggest Cybersecurity Threats That Small Businesses Face And How To Stop Them | Expert Insights (2024)

Small businesses are just as at risk from cyber security threats as large enterprises. Many small business owners may believe in the notion of “security through obscurity” – that their team is too small to be a valuable target for cybercrime. But unfortunately, this often turns out not to be the case.

Generative AI and new malware models, such as Ransomware-as-a-Service, now mean attackers can increasingly automate their attacks and target hundreds, if not thousands, of small businesses in one go. This means businesses of all sizes are at risk, and while there is of course huge value in going after big corporations, small businesses can also be lucrative targets for cybercriminals.

Small businesses often do not have a dedicated cybersecurity team or enterprise-grade defenses. They often do not conduct regular cybersecurity training and are less likely to have robust security tools like multi-factor authentication or password managers. This often makes them easier targets for cybercriminals. But, at the same time, even the very smallest businesses can deal with large sums of money, or have access to huge amounts of customer data, which, under regulations such as GDPR, they are obligated to protect.

Attacking small businesses can also be an effective way for attackers to target larger corporate organizations. Supply chain attacks, or “island hopping” attacks, involve cybercriminal gangs actively targeting a large enterprise’s smaller partners in order to gain a foothold into that larger organization’s data, which can be costly to both organizations.

SMBs also arguably have the most to lose from being hit with a cyberattack. Although exact data is very difficult to calculate, a recent report revealed that businesses with less than 500 employees lose on average $3.21 million per attack. Losing this amount of money in a cyber breach can be devastating to small businesses, and that’s not to mention the reputational damage that comes from being hit by a cyberattack.

For these reasons, small businesses need to be aware of the biggest threats they’re facing and how to stop them. This article will cover the top five security threats facing small businesses, and how organizations can protect themselves against them.

1) Phishing And Social Engineering

For several years now, phishing and social engineering have been among the most widespread and most effective cyberattacks facing small businesses. Phishing, and its associated variants such as spear-phishing and business email compromise, is the most prevalent cyberthreat in the US. Since 2020, 81% of organizations around the world have seen an increase in phishing attacks, and it’s estimated that 82% of all data breaches can be traced back to an original phishing attack.

Phishing attacks occur when an attacker impersonates a trusted source in order to entice a user to click a malicious link, download a malicious file, or give them access to sensitive information, such as payment information or credentials. Phishing attacks have grown much more sophisticated in recent years, with attackers able to execute highly effective, finely-tuned phishing campaigns.

Phishing is an effective tool for attackers because it’s cheap, low-effort, and effective. It can also be a gateway for further attacks, as compromised inboxes or downloaded malware can lead to further business disruption, such as ransomware. As Zscaler’s Global CISO and Head of Security Research, Deepen Desai, told Expert Insights: “Phishing continues to be one of the top vectors. That’s where the attacks start. We’re no longer living in an era where the attacks involve sending malware through an email and calling it done. It’s multistage attacks. Phishing is where it starts.”

Business email compromise attacks are a particular risk to SMBs. These attacks involve threat actors compromising email accounts (usually via stolen credentials) in order to send fraudulent invoices and payment requests internally or to trusted partners. These attacks can be highly effective as the messages seem to come from a legitimate, internal contact, rather than someone external, and they often lead to financial loss, which is very hard to recover.

How To Stop Phishing Attacks

There is no silver bullet to stopping phishing attacks and a multi-step strategy is required. Part of what makes phishing attacks so effective is that they’re very difficult to combat. They target humans within a business, using tactics of fear, uncertainty, and doubt to entice users into making a mistake. However, there are some key tools we recommend implementing to prevent successful phishing attacks.

The first is a “phishing-resistant” multi-factor authentication tool. Steve Dispensa, VP of Product Management for Microsoft Intune, told Expert Insights that when it comes to stopping phishing: “MFA universally in the organization is step one…it really is a proven way to cut out over 99% of identity-based attacks.” With MFA in place, users must verify their identity with two or more “factors”. For example, using a biometric identity check, along with a username and password. This ensures that even if a user’s password is compromised, guessed, or stolen, the attacker would not be able to access the account.

The most secure authentication tools are completely phishing resistant. They may remove the password entirely (passwordless authentication) or leverage hardware tokens or browser-based tokens (more on “Passkeys” to come). We recommend implementing an authentication tool that follows the now industry-adopted phishing-resistant FIDO2 authentication standard.

The second layer of security against phishing is to implement a phishing protection solution for the email inbox. Having a strong email security gateway or cloud integrated email security (ICES) tool can be a highly effective way to stop phishing messages from reaching your users. ICES solutions use AI to identify indicators of phishing, such as suspicious domain names, typos, urgency of tone, and more. These tools also often extend protection to instant messaging apps, such as Slack and Teams. Key features of these tools to protect against phishing include warning banners on malicious email messages, automated quarantine of suspected phishing, and phishing reporting tools.

Our final recommendation to stop phishing is to implement a security awareness training solution. Phishing attacks target the people in your organization – people who typically aren’t focused on security issues in their day-to-day lives. Security awareness training tools allow you to provide dedicated security training, informing users about key security issues and promoting better security hygiene across the organization.

In particular, we recommend implementing a phishing simulation tool. Phishing awareness training tools deliver simulated phishing emails directly to users, tasking them with reporting suspicious content, and alerting them to the security risks of clicking on harmful phishing links.

2) Ransomware And Malware

Malware, and in particular ransomware, is one of the most common and most damaging cyberattacks for small businesses. Malware is a broad term for malicious code that hackers create to gain access to networks, steal data, or destroy data on computers. Malware usually comes from malicious website downloads, spam emails or from connecting to other infected machines or devices. Ransomware is one of the most common and harmful types of malware, and is currently surging.

“Some folks are saying the number of ransomware attacks have plateaued,” Deepen Desai, Zscaler’s Global CISO and Head of Security Research & Operations tells Expert Insights. “Based on what we are seeing, it’s a 38% year-on-year growth in ransomware attacks and a 37% increase in double extortion attacks. And more and more ransomware operators are moving to a Ransomware-as-a-Service model. That is how they are able to launch large scale, sophisticated attacks.”

Ransomware attacks typically involve encrypting company data so that it cannot be used or accessed, and then forcing the company to pay a ransom to decrypt the data. This leaves businesses with a tough choice – to pay the ransom and potentially lose huge sums of money, or to cripple their services with a loss of data. Increasingly ransomware groups are shifting their approach to leaking or withholding data, which can be just as damaging.

Small businesses are especially at risk from these types of attack. Reports have shown 71% of ransomware attacks target small businesses, with an average ransom demand of $116,000. Attackers know that smaller businesses are much more likely to pay a ransom, as their data is often not backed up and they need to be up and running as soon as possible. The healthcare sector is particularly badly hit by this type of attack, as locking patient medical records and appointment times can damage a business to a point where it has no choice but to close, unless a ransom has been paid.

In order to protect against these advanced ransomware attacks, organizations need to build out a comprehensive zero trust strategy, Desai explains. “The fundamentals of zero trust architecture are going to significantly help organizations in defending against these types of ransomware attacks.” Zero trust is a security model that recommends not trusting any users, devices, or systems within your network, until they have been authenticated to be genuine. In practice, this means continuous authentication of internal users and devices to reduce potential security risks, alongside enforcing the principle of least privilege.

How To Prevent Ransomware

For small businesses, security tools such as cloud-based DNS web filtering solutions, secure endpoint protection, extended detection and response, enterprise VPNs, and multi-factor authentication can be an important way to prevent ransomware and other malware attacks. Leading endpoint protection tools will provide dedicated ransomware features, such as device “roll-back” in the case of a ransomware attack.

Another critical step to mitigate ransomware is to implement data loss prevention strategies. Data backup and recovery tools can securely store data in the cloud, ensuring that if a critical ransomware incident does occur, data can be quickly recovered. The benefit of implementing data backup and recovery is that in the event of a ransomware attack, IT teams can quickly recover their data without having to pay any ransoms or lose productivity. This is an important step towards improved cyber resilience.

There are various methods of data backup available to organizations, so it’s important to research the method that will work best for your organization. We recommend implementing data backup and recovery for M365 or Google Workspace if you are a cloud user, as well as considering more comprehensive business continuity and disaster recovery software for protecting against malware and ransomware risks.

3) Weak Passwords

Weak passwords are a symptom of poor cyber hygiene that can weaken an organization’s resilience against cybercrime such as phishing. Many small businesses today rely on multiple cloud-based services, for which users must create and manage different accounts. These services often can contain sensitive data and financial information. Using easily guessed passwords, or using the same passwords for multiple accounts, can cause this data to become compromised.

“Weak password” usage can take many forms. Employees could be using easy-to-guess passwords, such as “Password123”. Or they could be using the same password across multiple accounts. Or indeed, they could be sharing passwords across team members with no restrictions or protection. An average of 19% of enterprise professionals use easily guessed passwords or share passwords across accounts.

Businesses are often at risk from weak passwords, due to an overall lack of awareness about the damage they can cause. These practices make it much easier for cybercriminals to obtain passwords via brute force, for example by using “password-spray” malware (malware that tries the same common passwords on hundreds of accounts at once).
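The spray pattern described above leaves a recognizable trace in authentication logs: one source, many distinct accounts, only a try or two per account. The following is an added example, not code from the original article, showing one way to detect it; the log format, the thresholds, and the sample lines (constructed for illustration) are all assumptions.

```javascript
// Added example: flag password-spray patterns in authentication logs.
// Log format, field names and thresholds are assumptions, not from the article.

// Constructed sample: "<ISO time> <OK|FAIL> user=<name> src=<ip>"
const SAMPLE_LOG = `
2024-03-04T09:00:01Z FAIL user=alice src=203.0.113.7
2024-03-04T09:00:03Z FAIL user=bob src=203.0.113.7
2024-03-04T09:00:05Z FAIL user=carol src=203.0.113.7
2024-03-04T09:00:06Z FAIL user=grace src=198.51.100.20
2024-03-04T09:00:07Z FAIL user=dave src=203.0.113.7
2024-03-04T09:00:09Z FAIL user=erin src=203.0.113.7
2024-03-04T09:00:11Z OK user=frank src=203.0.113.7
2024-03-04T09:00:20Z FAIL user=grace src=198.51.100.20
2024-03-04T09:00:31Z OK user=grace src=198.51.100.20
2024-03-04T09:01:00Z FAIL user=admin src=192.0.2.50
2024-03-04T09:01:01Z FAIL user=admin src=192.0.2.50
2024-03-04T09:01:02Z FAIL user=admin src=192.0.2.50
2024-03-04T09:01:03Z FAIL user=admin src=192.0.2.50
2024-03-04T09:01:04Z FAIL user=admin src=192.0.2.50
2024-03-04T09:01:05Z FAIL user=admin src=192.0.2.50
`;

function parseLine(line) {
  const m = /^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$/.exec(line.trim());
  if (!m) return null; // skip blank or malformed lines
  const time = Date.parse(m[1]);
  return Number.isNaN(time) ? null : { time, ok: m[2] === 'OK', user: m[3], src: m[4] };
}

// A spray is one source failing against many distinct accounts, with few tries
// per account, inside a short window. Hammering a single account (192.0.2.50)
// or a user mistyping their own password (grace) does not match.
function detectSpray(logText, opts = {}) {
  const { windowMs = 10 * 60 * 1000, minUsers = 5, maxPerUser = 2 } = opts;
  const bySrc = new Map();
  for (const e of logText.split('\n').map(parseLine)) {
    if (!e) continue;
    if (!bySrc.has(e.src)) bySrc.set(e.src, []);
    bySrc.get(e.src).push(e);
  }
  const findings = [];
  for (const [src, events] of bySrc) {
    events.sort((a, b) => a.time - b.time);
    const fails = events.filter((e) => !e.ok);
    let best = null;
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      // Slide the window so it never spans more than windowMs.
      while (fails[end].time - fails[start].time > windowMs) start++;
      const perUser = new Map();
      for (let i = start; i <= end; i++) {
        perUser.set(fails[i].user, (perUser.get(fails[i].user) || 0) + 1);
      }
      const maxTries = Math.max(...perUser.values());
      if (perUser.size >= minUsers && maxTries <= maxPerUser &&
          (!best || perUser.size > best.users.length)) {
        best = { src, from: fails[start].time, users: [...perUser.keys()].sort() };
      }
    }
    if (!best) continue;
    // Any success from the flagged source since the window opened needs a reset.
    best.resetNow = [...new Set(
      events.filter((e) => e.ok && e.time >= best.from).map((e) => e.user))].sort();
    findings.push(best);
  }
  return findings;
}

console.log(JSON.stringify(detectSpray(SAMPLE_LOG), null, 2));
```

The `resetNow` list matters most in practice: a successful login from a source that has just sprayed several accounts means one guess landed, so that account should be treated as compromised.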

Passwords can also be compromised via phishing attacks, which we have covered earlier in this article. Phishing attacks target passwords as they are literally the keys to your data kingdom, and in a small business environment a single compromised password for something like Microsoft 365 can make it much easier for attackers to compromise further accounts and access critical company data.

How To Prevent Password Compromise

To improve cyber hygiene around passwords, organizations can look to deploy a business password manager. Password managers provide an encrypted, secure “vault” for employees to store, manage, and securely share their passwords. They also auto-generate strong passwords for new accounts and services. Password managers also give admins the ability to manage password policies to ensure team members are not putting critical data at risk.

As we have already covered, user authentication and access management is also an important way to protect against account and password compromise. MFA doesn’t solve the issue of weak passwords, but can improve account security and ensure that unauthorized users cannot access company accounts, even if they do correctly crack a weak password.

It’s important to note here that passwords by their nature are not secure, and even the most secure password can be compromised or guessed. For this reason, many security experts are recommending that organizations consider FIDO2-based Passkeys, which replace the password entirely. When you set up an account with Passkeys, a pair of cryptographic keys is generated: one public and one private. The public key is stored by the online app, while the private key is kept secure and secret by your chosen authenticator (e.g., your iPhone). The user never needs to create a password at all.
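The key pair described above is what makes Passkeys phishing resistant: the authenticator signs a one-time challenge together with the site origin, so nothing reusable ever reaches a look-alike page. The following is an added example, not code from the original article and not the real WebAuthn wire format; the class names, the user, and both origins are hypothetical.

```javascript
// Added example: simplified model of a passkey login (not the WebAuthn format).
// Class names, the user and both origins are hypothetical.
const crypto = require('node:crypto');

// The authenticator keeps one private key per site origin and never exports it.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half leaves the device
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // no credential for this origin, so nothing to hand over
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: crypto.sign('sha256', Buffer.from(clientData), key) };
  }
}

// The online app stores only public keys and issues single-use challenges.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('base64url');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // single use: a captured assertion cannot be replayed
    const publicKey = this.users.get(user);
    if (!assertion || !expected || !publicKey) return false;
    const data = Buffer.from(assertion.clientData);
    if (!crypto.verify('sha256', data, publicKey, assertion.signature)) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    return origin === this.origin && challenge === expected;
  }
}

function demo() {
  const RP = 'https://portal.example.com';            // hypothetical real site
  const LOOKALIKE = 'https://portal-example.com.test'; // hypothetical look-alike
  const device = new Authenticator();
  const server = new Server(RP);
  server.enroll('alice', device.register(RP));

  // 1. Normal login on the real origin.
  const genuine = server.verify('alice', device.sign(RP, server.newChallenge('alice')));

  // 2. Look-alike page relays a fresh challenge: the device has no key for it.
  const phished = server.verify('alice', device.sign(LOOKALIKE, server.newChallenge('alice')));

  // 3. A misbehaving client signs for the wrong origin: the server's check fails.
  const rogue = new Authenticator();
  rogue.keys.set(LOOKALIKE, device.keys.get(RP));
  const wrongOrigin = server.verify('alice', rogue.sign(LOOKALIKE, server.newChallenge('alice')));

  // 4. A valid assertion is accepted once, then rejected when presented again.
  const assertion = device.sign(RP, server.newChallenge('alice'));
  const firstUse = server.verify('alice', assertion);
  const replayed = server.verify('alice', assertion);

  return { genuine, phished, wrongOrigin, firstUse, replayed };
}

console.log(demo());
```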

John Bennett, CEO of leading password security firm Dashlane, told Expert Insights: “Passkeys are designed to be phishing resistant, and a replacement for passwords,” Bennett explains. “Their intent is to provide not only a more secure, but a faster and more seamless login to websites and applications across user devices… What I’m really excited about Passkeys is, if we can really make this a seamless, delightful user experience, it’s going to make people’s lives so much more secure.”

4) Poor Patch Management

Patch management is the process of ensuring all of your endpoint devices (laptops, PCs, smartphones), networks, applications, and more are up-to-date with the latest security updates. Out of date operating systems and software can be at risk of known vulnerabilities that cybercriminals actively look to exploit with ransomware and malware attacks. Poor patch management therefore can ultimately put your business at risk of data breach.

Software vulnerabilities are often made public when they are found. Developer teams may quickly push out patches, but it can then take a very long time for these security updates to be downloaded by end-users. This gives cybercriminals a prime opportunity to exploit vulnerabilities within applications before security patches have been installed. In fact, Microsoft has reported that most breaches it sees occur in unpatched systems for which patches were made available years ago, and research indicates that 18% of all vulnerabilities are caused by unpatched software.

Small businesses often lack the resources to ensure all devices and networks are always kept up-to-date. They too often rely on employees to update their devices manually, which can lead to vulnerabilities that can spread across an organization, and even across to supply chain partners. As Steve Dispensa, VP of Product Management for Microsoft Intune, says:

“There is an increasing persistence and severity of attacks that organizations having to deal with, and yet their IT departments are more stretched than ever before, both in terms of you know, personnel and finding qualified folks to fill roles, but also in terms of budget, which has been a big issue over the last year…Working more remotely, changing working times and even countries in some cases, has really put additional pressure on SOCs [Security Operations Centers] and on IT teams to be responsive to a whole new set of needs.”

How To Prevent Poor Patch Management

To prevent poor patch management, we recommend using tools to monitor for software vulnerabilities and enforce deployment of patches across your network and endpoint devices. A robust unified endpoint management tool or a dedicated patch management tool can provide the capabilities required to ensure your devices and software are secure, updated, and functioning in line with company policies. Key features include downloading patches on the IT team’s behalf and rolling them out to devices automatically in line with admin-defined policies. Patch management tools also alert admins to unsuccessful patch deployments, and usually offer a roll-back feature to remove a patch if it isn’t working correctly.

We also recommend considering vulnerability management tools. These tools automatically scan for new vulnerabilities and enforce patch deployment across the organization. This provides earlier warning of vulnerabilities so you can quickly remediate risks before they can impact your business.

5) Insider Threats

The final major threat facing small businesses is the insider threat. An insider threat is a risk to an organization that is caused by the actions of employees, former employees, business contractors, or associates. These actors can access critical data about your company, and they can cause harmful effects through greed or malice, or simply through ignorance and carelessness. Verizon found that 25% of data breaches were caused by insider threats.

Insider threats are a growing problem and can put employees and customers at risk, or cause the company financial damage. Within small businesses, insider threats are growing as more employees have access to multiple accounts that hold more data. Research has found that 62% of employees have reported having access to accounts that they probably didn’t need.

How To Stop Insider Threats

To block insider threats, small businesses need to ensure that they have a strong culture of zero trust within their organization. A key tenet of zero trust is the principle of least privilege – the idea that users only have access to the accounts and data they absolutely need in order to do their job effectively.

We recommend deploying an endpoint protection or unified endpoint management tool on corporate devices to ensure they are kept secure, and in regulated spaces we recommend considering a data loss prevention solution in order to ensure the data that leaves your organization is authorized and compliant. Organizations may also consider implementing a dedicated insider threat detection and prevention solution; tools that use artificial intelligence and machine learning to identify anomalous behaviors and events within your digital environment.

Stephan Jou, CTO of Security Analytics at OpenText Cybersecurity, told Expert Insights: “AI is really good when you don’t need to constrain it with a hard-coded set of rules. I’ve seen some stunning examples of human creativity where someone wanted to steal source code from [a technology company]. And instead of taking the source code and copying it to a USB key, for example, they scrolled through all the source code files screen by screen, they took screenshots of the source code, and then they mailed the screenshots to three separate Gmail accounts.

“They did that to try and sneak around any binary, rule-based system, but the AI that we had built into a product called ArcSight Intelligence at the time, was able to see it because it was basically an unusual sequence of events that happened at an unusual time, with strong connections to—in this case—data exfiltration.”

Summary

There are a range of threats facing small businesses at the moment and there is no silver bullet to stay protected. The best way for businesses to protect against these threats is to have a comprehensive set of security and data backup tools in place, and to also consider having a strong cybersecurity insurance policy in place to protect your business and employees in the event a cyberattack does occur.

Antoine Jebara, Co-Founder and GM of MSP Business at JumpCloud, told Expert Insights, “My advice to any business trying to figure out how they’re going to navigate the years to come is to ask themselves: Are we currently equipped to understand that complexity from an IT and security perspective and are we in a position to keep up with how that market is continuing to evolve. If the answer is no, then my best piece of advice is surround yourself with people that know. These would be managed service providers or managed security service providers (MSSPs). I would say that this is the number one thing that you need to do.”


FAQs

The Top 5 Biggest Cybersecurity Threats That Small Businesses Face And How To Stop Them | Expert Insights?

Discover the impacts that malware, phishing, and ransomware can have on individuals and large organizations, and the resources that can help protect from and respond to these attacks.

What are the top 5 emerging cyber security challenges?

Let's explore the top five emerging challenges and why addressing them is crucial for the future of cyber security.
  • Ransomware resurgence. ...
  • IoT insecurity is affecting people worldwide. ...
  • Supply chain vulnerabilities. ...
  • AI-powered threats getting smarter. ...
  • Identity and access management protection.

What are 5 ways to prevent cyber attacks?

5 easy tips to protect yourself - today
  • Check if you've already been involved in a data breach. Visit haveibeenpwned.com and change those passwords for any accounts that it suggests may have been compromised.
  • Check the strength of your passwords. ...
  • Avoid these passwords. ...
  • Trust no one (on emails) ...
  • Secure your device.

What is the biggest cyber security threat to a business?

Top 10 Cybersecurity Risks for Businesses
  • Ransomware & Malware. ...
  • Endpoint Attacks. ...
  • Phishing. ...
  • Third-Party and Supply Chain Attacks. ...
  • Machine Learning and Artificial Intelligence Attacks. ...
  • IoT Attacks. ...
  • Inadequate Patch Management. ...
  • Formjacking.

What are the 7 types of cyber security threats?

Know the types of cyber threats
  • Removable media such as flash drives.
  • Brute force attack using trial and error to decode encrypted data.
  • Web or email attacks.
  • Unauthorized use of your organization's system privileges.
  • Loss or theft of devices containing confidential information.

What are the top 3 cyber security threats?

Here are the 10 top cybersecurity threats to watch out for:
  • Crime-as-a-service. ...
  • Supply chain attacks. ...
  • Cloud-based attacks. ...
  • Data center attacks. ...
  • Ransomware. ...
  • IoT device hacking. ...
  • Insider threats. ...
  • Drive-by compromises. In 2023, we've seen a major increase in drive-by compromise as a cyberthreat tactic.

What are the three major threats to cyber security today?

Discover the impacts that malware, phishing, and ransomware can have on individuals and large organizations, and the resources that can help protect from and respond to these attacks.

What are the top 3 trends in cyber security?

  • Trend 1: Increased Focus on AI and Machine Learning in Cybersecurity. ...
  • Trend 2: Growing Importance of IoT Security. ...
  • Trend 3: Expansion of Remote Work and Cybersecurity Implications. ...
  • Trend 4: The Rise of Quantum Computing and Its Impact on Cybersecurity. ...
  • Trend 5: Evolution of Phishing Attacks.

What is the biggest weakness in cyber security?

Top Cybersecurity Vulnerabilities
  1. Zero-Day Vulnerabilities. A zero-day vulnerability is a weak point within a system or piece of software that cybercriminals discover before a patch fixing the weakness is available.
  2. Unpatched Software. ...
  3. Application Misconfiguration. ...
  4. Remote Code Execution. ...
  5. Credential Theft.

What are the 4 types of cyber threats?

Top 20 Most Common Types of Cybersecurity Attacks
  • DoS and DDoS attacks. ...
  • Phishing attacks. ...
  • Ransomware. ...
  • SQL injection attacks. ...
  • Brute force attacks. ...
  • Trojan horses. ...
  • XSS attacks.

What are the four main cyber threats?

In today's digital world, knowing the four main cyber threats is essential. They are malware, phishing, DDoS attacks, and APTs. It's important to understand these cybersecurity threats. This knowledge helps in creating strong defenses for online assets.

What prevents the most cyber attacks?

Install a firewall

Placing your network behind a firewall is one of the most effective ways to defend yourself from a cyber attack. A firewall system will help to block brute force attacks made upon your network or systems before they can do any damage.

How do companies prevent cyber attacks?

Protect your company from cyber attacks
  • Secure your networks and databases. Protect your networks by setting up firewalls and encrypting information. ...
  • Educate your employees. ...
  • Create security policies and practices. ...
  • Know how to distinguish between fake antivirus offers and real notifications. ...
  • Inform your customers.

What is the number 1 method used by cyber attackers?

Phishing remains the leading infection vector, identified in 41% of incidents, followed by exploitation of public-facing applications at 26%. There were twice as many thread hijacking attempts per month in 2022, compared to 2021 data. Ransomware's share of incidents declined from 21% in 2021 to 17% in 2022.

What are the top 4 of cyber security?

  • Top Cybersecurity Companies.
  • Palo Alto Networks.
  • Fortinet.
  • Cisco.
  • CrowdStrike.
  • Zscaler.
  • IBM.
  • Trend Micro.


Author: Moshe Kshlerin
