Small Business Cybersecurity
With large companies installing ever-more-sophisticated defenses against evolving cyber threats, hackers are shifting their focus from the largest of companies to the smallest.
According to cybersecurity surveys, a third of data breaches annually target small businesses. Statistics aside, there’s little doubt that online security threats for small businesses are growing and becoming harder to manage.
Small Business Vulnerabilities
Small and medium businesses are generally considered to be easier targets than larger enterprises for a number of reasons. For instance, small businesses typically lack dedicated security professionals or sophisticated tools designed to protect companies from unauthorized access.
Similarly, not every small business keeps its security software current, making it vulnerable to known security flaws that can be exploited by hackers using automated discovery and exploitation tools.
These comparatively softer defenses mean small businesses are often targeted by hackers using automated scans to capture online banking log-in credentials, passwords for vendor accounts, employee Social Security numbers, or other sensitive data.
In most instances, hackers are not targeting specific businesses but specific types of information. Because the data is the target rather than the company, a small business cannot assume it is too small to be worth attacking.
The most common online security threat targeting small businesses comes from “ransomware,” malicious programs that encrypt files on a computer or mobile device and demand payment in exchange for the decryption key.
Computers are typically infected with ransomware when a user clicks on an email message containing a malicious attachment. In many attacks, these are disguised as shipment notifications, invoices, or other types of email attachments people are likely to open. In other instances, malware is transferred when users visit infected websites that deliver the malicious software while loading the web page.
The COVID-19 pandemic increased the ransomware risk for many small companies that were dealing with supply chain disruptions, unfamiliar vendors, and other interruptions to normal processes and routines. In this chaotic environment, employees were more likely to click links in emails in the interest of getting their jobs done quickly under challenging circumstances.
Some headline-making ransomware attacks affected major companies including a pipeline, a large meat-packing company, a computer manufacturer, two insurance companies, a variety of state and local governmental agencies, and healthcare providers.
Attacks on larger organizations tend to involve ransom demands in the millions, usually in difficult-to-trace cryptocurrencies, as ransomware attacks become more sophisticated.
It’s difficult to estimate how many smaller companies are affected, in large part because most attacks involve the discreet payment of relatively small ransoms and the incidents are never reported.
Phishing Threats Expanding
Another common form of cyberattack against small businesses is Business Email Compromise (BEC), an umbrella term for several kinds of email fraud aimed at small businesses in general and, in some cases, at specific companies.
In one common scam, hackers will send emails designed to mimic messages from large companies that small businesses are likely to have accounts with. These messages will typically ask someone to update their account details so any payments are sent to the hackers instead of the legitimate vendor.
In other scams, an email purporting to come from a company owner or leader directs someone to send an emergency wire, with the funds going to accounts controlled by hackers.
A related security threat known as “phishing” refers to hackers trying to obtain personal information under false pretenses. Phishers may try to capture usernames, passwords, bank account information, credit card details, and similar data from their victims.
Phishing attacks usually occur through an email that looks like it’s from a legitimate source such as a bank, credit card company, or a social networking site. Thinking the source is legitimate, the victim will then answer questions or enter information (such as login credentials) that gives the phishers their personal details.
Today’s professionally designed phishing attacks are often hard to distinguish from legitimate messages without careful examination, making it important for users to understand the risk of clicking on links that appear in email messages.
In a variation known as “spear-phishing,” hackers research a specific person, usually a business executive or someone with a high net worth, to learn personal details or the names of contacts that help make their attack messages look legitimate.
The best approach to defending against these attacks comes as much from process as from technology. Employees need to understand the importance of not trusting emails at face value, and companies should have policies mandating that workers call to verify any transfers or bill payments over a predetermined amount.
Building Your Defenses
As the cybersecurity threats to small businesses increase, the most important thing you can do is install security software on your company’s computers and make sure it is kept current.
You also want to make sure employees are using strong passwords to access company resources. A lot of automated hacking tools look for easy-to-guess or common passwords, such as “password” or “qwerty,” so you’ll want your team to avoid using them.
Similarly, don’t allow people to share passwords for cloud accounts, or to use the same log-in credentials for more than one online account. You don’t want a security breach at one software provider to expose your credentials on another.
It’s also surprisingly common for companies to go years without changing passwords, which means former employees or contractors may still be able to access their cloud accounts and services without detection.
To reduce the risk that data hackers do manage to access can be exploited, take advantage of the encryption tools built into your computers’ operating systems.
Finally, invest in automated online backup software services to protect your company’s computers and mobile devices. These programs automatically upload files to cloud servers so you can recover files if your computer is hacked or damaged in a natural disaster.