Even though cyberattacks are not showing any signs that they will be slowing down any time soon, many small business owners do not seem to be fazed by the threats they pose, as well as the possibility that their small business might one day be the victim of a cybersecurity attack. Many people are under the impression that malicious actors are only targeting larger businesses over smaller ones.

The misconception of the smaller the business, the smaller the risk, is often the driving force behind the downfall of small businesses. Many small business leaders miss out on the most vital part that discusses the size of the impact of an attack and the repercussions. For any small business, even a minor threat can prove disastrous. This is why cybersecurity threats/risks are no longer a problem that small business leaders can ignore.

Many small business leaders operate businesses with a target on their backs. At least, that is how malicious actors may see it. ''The absolute biggest mistake companies make about cybersecurity insurance and cybersecurity, in general, is that they don't need it and that they are not a target. And even worse, they think they are already protected'', said Founder and CEO of Integral Networks, Bryan Badger.

Why Do Small Businesses Face More Cyber Security Threats?

Small businesses will always be a vital part of the world's economy, and cybersecurity threats/risks are a growing threat against small businesses. Small businesses will always be a target because they have critical information that malicious actors can use to their advantage, and small businesses typically lack the security infrastructure of larger businesses.

Said President of Teamspring (https://www.teamspring.us/it-company-in-atlanta/), James Sanford, ''I think that a couple of the most glaring issues I see in business that I go to for sales meetings is the lack of internal resources to keep up with the wide array of threats that are bombarding businesses.  Many of these smaller businesses haven't been told to invest in the proper firewalls.  In addition, I see no policies relating to the onboarding and offboarding of staff which leaves the door wide open for hacked credentials.  The net result is because nothing has happened so far, it's not prevalent on the business owner's radar.  The time to plan is before the explosion of an attack.''

Cyber Security Threats That Small Businesses Face

Small business leaders face a variety of cyber threats, but they can be separated into three categories, said Alexander Freund, Co-Founder, President, & CIO of 4IT, Inc.

Email account breach/takeover - We have seen many of these over the course of the last 2 years.  Typically, stolen credentials are used to gain access to the email account and all of the data from the mailbox is exfiltrated for further analysis.  The breached mailbox can be used in a variety of ways, and I will highlight those that we have seen.

• Phishing emails are sent from the breached mailbox to internal and external contacts in an attempt to get more stolen credentials or have the target download malware of some kind.
• If HIPAA or PCI (News - Alert) data is found inside the breached mailbox, the bad actor will attempt to distribute the data to customers and internal employees of the organization unless a ransom is paid.
• After looking through the entire mailbox, the bad actor will attempt to use the stolen credentials to get into any other websites or cloud services that the breached email user signed up for.  This is a good way to take advantage of password re-use.
• After looking through the entire mailbox, the bad actor will add rules to the mailbox so that email can be sent/received without the mailbox owner knowing about it.  Once completed, the bad actor will attempt a thread takeover with a customer or vendor to try and get them to wire money or change the bank account they have been sending money to.

''What we are seeing on the frontline of the helpdesk requests is the published basics are not being followed and would limit the surface area for attacks. Email is still the primary form of attack and 2MFA combined with cyber training is not enabled on most we see having issues.  It is not about just links either, emails asking the user to call a phone number to dispute a fake charge is getting past enterprise spam protection'', said Robert Giannini of Giaspace.com.

Ransomware – There is certainly no shortage of small, medium, and large organizations that have had well-publicized ransomware attacks.  Small businesses are particularly vulnerable to ransomware attacks as they often lack the cybersecurity tools and expertise to recover quickly if a ransomware attack occurs on their infrastructure.  Ransomware will continue to be a thorn in the side of small business IT.

Disruption of IT Services – Although this often involves Ransomware, one of the new developments over the past 2 years that we have seen is bad actors whose goal is to disable a small business by damaging or reconfiguring their IT infrastructure, and then demanding a ransom in exchange for putting it back.

Malware Threats

Malware refers to software that has been designed to cause damage to a device, server, network, etc. Malware can include viruses and ransomware. One of the objectives of a malware attack can be to convince someone within a small business to unknowingly download malware. ''The emerging cyber threats that small businesses need to be aware of is supply chain ransomware'', said Guy Baroan, President of Baroan Technologies (https://www.baroan.com/it-support-new-jersey/).

Ransomware now accounts for the highest percentage of cyber theft. This is emerging as cybercriminals are now realizing that it is easier for them to try to get into an organization that provides services in the supply chain to a larger company. The larger companies have the resources necessary to protect their assets and data and to be on the lookout for suspicious activity. This is not always something that the smaller businesses can afford. So, if a criminal wants to get into a larger organization, they will start to look at and figure out who that larger organization works with, then they will see if they can find vulnerabilities or holes in their security to get in.

Once in, they may be able to identify data from the larger organization and hold both the small business hostage as well as the larger organization. In the past, cybercriminals were opportunistic. Today they are most targeted by who they go after. Small businesses MUST enhance their cyber security posture and take the necessary steps to be more secure and for them to know if a breach occurred immediately following an incident. This will help them provide assurances to these large organizations that their data being helped by the supply chain vendor is secured. If they did not take this path, there would be lost opportunities for them with the larger companies as they would not offer new work to the small business that is part of their supply chain. An example of this is the Target (News - Alert) breach. The HVAC company that worked with Target was breached, which then allowed the criminals to get to the Target network through back-end connections that were in place to monitor the temperature in the different Target locations.

''2022 seems to be the year of hybrid work environments. Employees and technology will have to work with the business's needs in order to deliver a hybrid environment whereby the workforce can work remotely, as well as in the office when necessary.  Although not a surprising trend to those of us in the tech industry, I predict that the latest vectors for ransomware attacks will be coming through remote users. In particular, those attacked will be working from home on a non-secured workstation. From my perspective, there seems to be the most vulnerable point of attack in there for the weakest link in the security chain'', said Ilan Sredni, CEO & President of Palindrome Consulting (https://www.pciicp.com/it-support-in-fort-lauderdale/).

Cybersecurity Protection Tips Small Businesses Can Implement to Protect Their Business

Small business leaders must take active steps to protect their businesses against cyber threats. Said Joe Cannata, Owner of Techsperts, LLC (https://www.techspertsllc.com/), ''There are multiple steps a business owner can take to help protect their business.  Layering security is what is most effective. Some of these layers include email security, domain and dark web monitoring, cyber security training, endpoint security, and zero access policies to name a few.''

Badger shared 6 basic things businesses should be doing at a minimum and if they are not, they are probably already breached and don't know it yet.

Partner with a Managed Services Provider

• Finding and working with a reputable Managed Services Provider that has experience dealing with and recovering businesses that have been breached is a plus as they can help you navigate what you should put into place based on your business. A good MSP will come with its own toolsets and security software to deploy.

Implement Firewall Protection

• Put a proper security appliance(firewall) into place. If you're not paying an annual license subscription for a firewall device that includes security services, it is worthless and not protecting you.

Implement Email Security Filtering Services

• Link Poisoning & Phishing are real, and employees are the #1 source of breaches.

Implement Multi-Factor Authentication

• This adds a layer of security to all logins and helps to ensure that only authorized people are actually logging in.

Have a Backup Plan

• Have a rock-solid backup and disaster recovery plan that focuses on both Recovery Point Objective(RPO)[how often data is being backed up in order to minimize data loss] and Recovery Time Objective(RTO)[how long will it take to recover systems in the event of a breach]

Have a Cybersecurity Insurance Policy

• Cybersecurity insurance can't prevent a cyberattack, but it can ensure that if a small business experiences a breach, it will have the resources to recover.

While cybersecurity experts often determine other significant vulnerabilities in the open field, the issues addressed today are some of the most common experienced by small businesses everywhere. Small business leaders must look for opportunities to mitigate threats and vulnerabilities to reduce risks.