Welcome to Getting Cybersmart, a 2-part series that looks at top cyber risks and offers some practical tips to help protect your small business.
Cyberattacks are no longer a threat visualized by science fiction writers or Hollywood directors. They’re a clear and present danger, representing the fastest growing criminal activity in the U.S. and the world. Damage from cybercrime is expected to hit $6 trillion annually, according to a report by Cybersecurity Ventures, which cites malicious cyber activity as one of the biggest threats businesses will face in the next 20 years.
We’ve all read about cyberattacks experienced by large organizations. However, a breach that happens to a small-to-midsize business (SMB) rarely makes headlines. That’s not to say that hackers aren’t targeting this segment. In fact, it’s quite the contrary. According to Verizon’s Data Breach Investigations Report, nearly half of the confirmed cyber events in 2019 involved SMBs.
Verizon’s is just one report that highlights the need for small businesses to have a contingency plan in place in the event of an attack, yet many organizations remain unprepared. A survey from InsuranceBee reveals that 6% of small businesses think a cyberattack is unlikely. A quarter of small businesses believe it will happen but aren’t doing much to prevent it. Fifty-four percent don’t even have a plan.
Why are so many businesses unprepared? The simple fact is most think they’re too small to be targeted or lack the manpower to mount a solid cyber defense. In reality, it’s not the size of the organization or the goods or services your company offers. It’s the data you keep on your business, your workforce, and your customers that hackers are after, and whether that data can be accessed, exploited, and sold to the highest bidder.
Once a hacker finds their way into your network, the devastation that follows can be hard if not impossible to overcome, particularly for SMBs. There’s the direct cost of recovery, which a Kaspersky study indicates is around $120,000. Insurer Hiscox puts it at around $200,000. But there are hidden costs as well, including operational disruption, reputational damage, drops in credit ratings, loss of contracts, and increases to insurance premiums, to name a few. What this means is an attack could cost you more than just time and money. It could cost you your business. So, what can you do to protect it?
While there’s no one-size-fits-all answer, a good place to start is by understanding the most prevalent threats and identifying where your business is most vulnerable. Here, we’ll unpack some of those threats, how they work, and the impact they can have on your business. We’ll follow up with a second post that offers some actionable, practical ways to help mitigate those threats.
The threat is real — and often hidden
We often think of cybercrime as something that’s plotted, dramatic, and sophisticated, when in reality, it can be done very quickly with just a few simple tools that can be deployed to multiple targets at a time. What’s more, most threats are designed to go unnoticed or to hide in plain sight, most notably from a seemingly legitimate email, attachment, or web ad that we’ve clicked on. The point is, it’s deceptively easy to fall prey to a cyberattack. And the road to recovery, even when prepared, can take days, if not months.
Here are 5 of the most prevalent ways hackers are targeting small businesses:
1. Phishing scams
According to data from cybersecurity firm Retruster, phishing scams are the most popular form of attack hackers can deploy. They come by way of emails masquerading as communications from legitimate organizations such as retailers, payment processors, even streaming services. The email starts by asking us to update our account profiles or banking information and provides a link to a webpage to do so. However, the page you’re taken to isn’t from the company, but a lookalike connected to a hacker’s server designed to collect your information and exploit it. It’s a bait and switch tactic that’s incredibly easy for hackers to employ and incredibly effective, which is why phishing scams are so popular. According to a report from Symantec, one in every 300 emails sent to a small business is part of a phishing scam, with 52% of malicious emails clicked on within the first hour, and 11% within the first minute of receipt.
2. Malware
A contraction of the phrase ‘malicious software,’ malware uses code to infiltrate networks, steal data, or destroy it. It stems from malicious downloads (i.e., downloading an attachment from an email, a software bundle from a malicious website, or connecting your device to an infected device). One of the most popular ways hackers use malware is by sending emails with .zip or Microsoft Office attachments to unsuspecting targets. What appears as a legitimate business document is actually infected with code that takes hold once the document is downloaded. This not only cripples a device, but it can also give attackers backdoor access to data, which can put your customers and employees at risk.
3. Ransomware
Ransomware is a form of malware that encrypts a victim’s files. Just like malware, one of the most common delivery systems for ransomware is through phishing scams that involve downloading an attachment. The difference is that once the attachment has been downloaded and opened, the hacker can take over the victim’s computer and demand a ransom. Small businesses are especially at risk of ransomware attacks. Hackers know that most operate without backing up their data and bank on the fact they’ll be more inclined to pay the ransom to get their business back up and running. To give you an idea of just how much they’re asking for, in 2018, 71% of ransomware attacks targeted small businesses, with an average ransom demand of $116,000.
4. Insider threats
Research has found that 62% of employees have reported having access to accounts that they probably didn’t need. Within small businesses, insider threats are growing, particularly as more employees have access to multiple accounts that hold more data.
5. Weak passwords
It’s tough enough to remember one password and its variants, let alone a unique password for every system you use. However, using weak passwords is like giving a thief a single key that unlocks every door in your building. Examples of easy passwords include “swordfish,” “Password,” “trustno1,” “qwerty,” “iloveyou,” and “123456.” Other examples include a mother’s maiden name, pet names, and family names, all of which can be easily cracked by a hacker and used to cause a breach. According to Verizon, more than 70% of employees reuse weak personal passwords for business purposes. What’s more, 81% of data breaches have been caused by exploiting passwords that were easy to guess.
Large or small, no business is immune to cyberattacks. And it’s never a matter of if, but when, a hacker will set their sights on your business. To stay ahead of these attacks and minimize business disruption, you need a solid cybersecurity defense. What does that look like? In our next post, Getting Cybersmart part 2, we’ll outline some key strategies and cybersecurity best practices that can help.
Next in series: Getting Cybersmart, part 2: How to protect your business from cyber risks