Every minute of every day, cybercriminals are getting smarter and developing new tactics. It is nearly impossible to keep up with the constantly evolving landscape of cyber threats you face when protecting your business.
What are the most common cyber threats to small businesses?
- Phishing
- Malware
- Ransomware
- Remote Work Vulnerabilities
- Credential Stuffing
- Human Error
- Smishing
- Business Email Compromise Scams
- Insider Threats
- Weak Passwords
The rest of this article is dedicated to explaining how each of the cyber threats above can impact your business. We then follow up with what you and your IT security team can do to protect your organization.
Most Prevalent Cyber Threats to Small Businesses in 2022
1. Phishing
Phishing has and continues to be one of the most significant cyber threats to small businesses. This is the practice in which cybercriminals try to trick you into giving up information via electronic communications. The most common objective of a phishing attack is to obtain login or financial information.
Your company likely receives thousands of emails and social media messages every day. Hackers know how easy it is to slip in amongst the deluge of legitimate correspondence. All it takes is one risky click and you’re smack in the middle of a data breach.
Phishing emails and messages often imitate legitimate senders. They can use contact photos, closely copy contact emails, and use company logos or graphic design elements.
It’s important to ensure that you and your staff know how to recognize phishing attempts. You should consider implementing a system for reporting and documenting said attempts. Regular training exercises and reporting on pass/fail rates for those exercises can help instill a culture of cybersecurity in your organization.
2. Malware
Malware is an all encompassing term for malicious software designed by cybercriminals to infiltrate and harm a network or system. It is popular with hackers because it’s a set it and forget it strategy that they can use to gain access.
These software programs can encrypt, delete, or copy and distribute your business’ data without your knowledge. They can track you and your employees’ activity or remotely hijack your company devices as well.
Fortunately, there are a number of comprehensive anti-malware solutions. Both standalone applications and ones that are bundled with other cybersecurity protective measures. If you don’t have anti-malware coverage, you are extremely vulnerable to an attack that could devastate your business.
3. Ransomware
This increasingly common threat is a type of malware. Ransomware is a form of malware specifically designed to infiltrate your network and encrypt your essential data.
Once your data is encrypted you lose all access to it. The cybercriminal then asks you to pay a ransom to receive the key to decrypt your data, or lose it.
Enterprise companies may have massive amounts of valuable data, but the security they have in place is usually more robust. Small businesses are the number one target of ransomware for two reasons: ease of access and lack of data backups.
Bad guys prefer small businesses because they can hack more of them with less effort. Added to the sense of urgency they can create for a company with no data backups, it’s a profitable scam.
Antivirus software should help you to avoid becoming a victim of a ransomware attack. Having a secure and regular system for backing up data will render such an attack useless. You’ll always be one restore away from getting your data back.
4. Remote Work Vulnerabilities
Whether your staff has stayed work-from-home or you travel frequently, the ability to work remotely is crucial for modern businesses.
Unfortunately this flexibility comes with cyber threats to small businesses. Transporting company devices exposes them to theft, which can result in your data being stolen too. Public wifi networks can expose you to all kinds of hacking and tracking risk as well.
Installing and maintaining a Next Generation Firewall is the most thorough and cost-effective way to protect your company data. These often include a VPN, which secures and encrypts your internet connection so you can use public wifi networks safely!
5. Credential Stuffing
This has become one of the bigger cyber threats to small businesses who often use the exact same username/password across multiple applications or websites. Credential stuffing is when a cybercriminal finds out one of your login credentials, and then tries it across multiple applications.
This may occur after a phishing or malware attack. The initial attack serves to secure one username/password combo. Then the credential stuffing occurs in order for the bad guys to see what else they can access with that one login.
Proper password policies can go a long way towards preventing this, as well as encouraging good cyber hygiene company wide. Every employee should have their own login for each application or website. Make sure that everyone in your organization knows not to share their usernames and passwords electronically.
6. Human Error
We’ve all hit “send” on an email with an attachment before we actually attached the file we intended to send. Or clicked “reply all” instead of “reply” and accidentally sent everyone on the email thread a personal response. Don’t lie.
Most of the time these mistakes or oversights are totally harmless, if a little embarrassing. But sometimes these mistakes are costly.
Data breaches don’t just come from bad guys outside your company, unfortunately. It can come from hard-working employees who make a simple mistake, because they’re human.
Maybe someone attaches a report containing sensitive data belonging to Company A to an email intended for Company B. Perhaps someone taps “reply all” and sends confidential internal information to external vendors. Or someone makes a controversial social media post from a work account instead of a personal account.
A security savvy business owner should have recovery plans in place for both accidental breaches and malicious ones. Regular coffee talks or cyber lunches can instill a culture of cybersecurity within your company and help keep everyone vigilant.
7. Smishing
Smishing is the practice of phishing via text message (also known as SMS message). Just like phishing, it involves the cybercriminal impersonating someone known to you in order to obtain financial or login information.
When employees who had a company cell phone leave your organization, you could experience a smishing attack. A hacker just has to spoof that phone number and speak to your staff as though they are the former employee.
Smishing texts often include links and calls to action. They may impersonate package carriers to get you to click a link to schedule a delivery that never takes place. They can also impersonate banks and ask you to enter your SSN/TIN.
It can also happen any time you or another high level employee changes your phone number. It’s important to disclose numbers that will no longer be in use to your staff. Also, encourage them to carefully examine phone numbers they get texts from about work.
8. Business Email Compromise Scams
While not one of the most publicized cyber threats to small businesses, Business Email Compromise (BEC) scams accounted for 19,954 complaints and a total of $2.4 billion in losses last year, according to the FBI’s Internet Crime Report of 2021.
BEC scams take place when a cybercriminal gains access to a business’ email account and then con the business’ contacts into transferring the hacker money.
You might think that such a scam would be obvious, but they involve in-depth research in which the criminals learn everything about you. Your writing style, publicly available information on social media, insider knowledge gained by reading private emails in the business account… you name it, they’ll use it.
Multi-factor authentication at login is the best way to prevent your business becoming a victim of a BEC scam. If you involve another layer of authentication that goes straight to each employee’s cell phone, it becomes difficult for scammers to access your email. Even if they have somehow obtained a username and password.
9. Insider Threats
As much as you may hate to admit it, someone within your company could intentionally cause a data breach. Despite a thorough vetting and interview process, sometimes we hire the wrong people. We’re only human after all.
An example is the Cash App breach in April of 2022. A former employee knowingly and intentionally downloaded the data of Cash App customers, including their brokerage account numbers. A whopping 8.3 million customers were affected.
Through webhooks and connectors such as Zapier, anyone can connect to your company’s system and retrieve, transform, or modify data. That data is relocated externally to a third party app before it can be used. This means your security protocol no longer applies.
Having complete logs of who accessed what data and when can be extremely helpful in investigating the source of breaches. Requiring a complex password and 2FA plus a Next Generation Firewall can combat internal threats.
Humans will always be the root of cyber threats to small businesses.
10. Weak Passwords
Let’s face it, it can be really hard to remember complex passwords, especially if you have to change them frequently. But you can’t give in to the temptation to simplify them or use the same passwords across multiple platforms.
If you use duplicate passwords, all it takes for you to be hacked is one of your logins being compromised. Then, through credential stuffing, the bad guys can get into all your other accounts and whatever sensitive information they contain.
Alternatively, if you use different passwords for each application but they’re really simple… you could still be compromised at any moment. Especially if the information in your password (like your dog’s name) is accessible on your social media or blog.
And that is the amount of risk introduced by one person with weak passwords. Multiply that risk by the number of employees you have, and you can see how serious this is. Poor password hygiene is one of the most preventable cyber threats to small businesses.
Educate your staff about good password practices and implement as much automation as you can. This can look like forcing everyone to reset their passwords every 90 days or establishing complex password requirements. These steps are key to ensure that your company’s passwords (and data) are secure.
Need a little more help developing password protocol? Check out our guide The Secret to Good Passwords.
Combating Cyber Threats to Small Businesses
Learning about the threats your company faces and how to prevent falling victim to them is only the first step. Developing or adapting your cybersecurity plan and recovery plans to reflect your newfound knowledge should be your immediate next step.
If you don’t know where to begin, consider scheduling a complimentary preliminary audit with CloudNexus. We’ll take a quick snapshot of your organization’s security and let you know our thoughts. We tend to focus on both your current cybersecurity spend and your vulnerability to common cyber threats to small businesses.