Essential Cybersecurity for Small Businesses

Cyberattacks (or cyber attacks) do not discriminate. Cybercriminals are as likely to target a small to medium-sized business (SMB) as a large enterprise. A recent VikingCloud report into cyberattacks on SMBs found that 1 in 3 small businesses were victims of a cyberattack. However, unlike their larger enterprise counterparts, SMBs are not financially resilient and do not typically have skilled security professionals on staff. Cyberattacks are becoming more sophisticated and increasing in volume. As such, the results of cyberattacks on SMBs can be disastrous.

Common Cyber Threats to Small Businesses

Cybersecurity is an essential part of everyday life in a small business. Like their enterprise counterparts, small businesses are targets of various cyber threats that they must prevent to remain protected. A recent survey of the landscape of cyber threats that an SMB has to navigate was carried out by Cisco. The report offers the following insight into some of the most common threats:

Types of Attacks Experienced by Companies

  • Malware: 76%
  • Phishing: 54%
  • Credential Stuffing: 37%
  • Supply Chain and Social Engineering Attacks: 32%
  • Cryptojacking: 27%

Source: Cisco's 2024 Cybersecurity Readiness Index

Some of the cybersecurity challenges that a small to medium-sized business is most likely to experience are as follows:

Phishing, Vishing, Smishing, and Quishing

Phishing is a generalized term to describe the use of communication media to manipulate targets into performing some task that benefits a cybercriminal, for example, to help steal login credentials.

There are many forms of phishing. Email phishing is the best-known and includes spear phishing that targets specific users. Others include voice phishing, usually via mobile phone (vishing), SMS text and messaging app phishing (smishing), and QR code-based phishing (quishing). SMBs are at risk of all forms of phishing, and credential theft is the most likely outcome of a successful phishing campaign. Once credentials are in the control of a cybercriminal, many follow-on attacks can occur, including ransomware attacks.

MediSecure, an Australian online prescription provider, suffered a massive ransomware attack that lasted nearly four years. The company lost 6.5 million terabytes of personal and health data from 12.9 million Australians. The data ended up for sale on the dark web, putting customers at risk of further attacks.

Data Breaches

Data is a valuable commodity, and cybercriminals use it to demand ransom, sell it to other cybercriminals, and commit fraud and other cybercrimes. A recent breach exposed 184 million logins for apps like Apple, Google, Microsoft 365, and other well-used corporate apps. The breach has left SMBs at risk of further data breaches and network attacks.

Social Engineering

The human element is prevalent in many cyberattacks. Scams, like Business Email Compromise (BEC), prey on human psychology to execute the scam. Fraudsters will impersonate company executives, tricking employees into performing a task for the executive, such as paying an invoice from a "new and important client," with the money ultimately going to the fraudster.

Credential Stuffing

Cyberattackers can use stolen credentials to gain unauthorized access to accounts. They use automation to try millions of stolen username and password pairs against online accounts until they get a match, relying on people reusing the same password across services. A PayPal credential stuffing attack affected 35,000 users, compromising their accounts.
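Credential stuffing has a recognizable footprint in authentication logs: one source address cycling through many different usernames with a high failure rate, which looks nothing like a legitimate user mistyping their own password. The following script, added here as an illustration and not part of the original article or any vendor product, runs that check over a handful of constructed log lines. The log format (timestamp, source IP, username, result) and the thresholds are assumptions chosen for the example; in practice they would be tuned to the application's real login volume.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example, not from the original article. It assumes a simple
constructed log format: "<ISO timestamp> <source_ip> <username> <result>".
A source that fails logins against many distinct accounts inside a short
window is flagged, and any accounts it then logged into successfully are
reported as candidates for a forced password reset.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (documentation-range IPs, not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:02 203.0.113.7 carol FAIL
2024-05-01T10:00:03 203.0.113.7 dave FAIL
2024-05-01T10:00:03 203.0.113.7 erin FAIL
2024-05-01T10:00:04 203.0.113.7 frank SUCCESS
2024-05-01T10:00:10 198.51.100.5 alice FAIL
2024-05-01T10:00:20 198.51.100.5 alice FAIL
2024-05-01T10:00:30 198.51.100.5 alice SUCCESS
2024-05-01T10:05:00 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_failures=5, min_distinct_users=4):
    """Return {ip: summary} for sources whose failed logins inside any
    sliding time window hit both thresholds (count and distinct accounts).

    The distinct-user threshold is what separates stuffing from a single
    user who simply forgot their password.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, result in sorted(events):
        by_ip[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, user, res in evs if res == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            window_slice = fails[start:end + 1]
            users = {user for _, user in window_slice}
            if len(window_slice) >= min_failures and len(users) >= min_distinct_users:
                # Accounts this source did get into deserve immediate follow-up.
                successes = sorted({user for _, user, res in evs if res == "SUCCESS"})
                flagged[ip] = {
                    "failures": len(window_slice),
                    "distinct_users": len(users),
                    "successful_logins": successes,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {summary['failures']} failures across "
              f"{summary['distinct_users']} accounts; "
              f"successful logins: {summary['successful_logins']}")
```

With the sample data, 203.0.113.7 is flagged (five failures against five accounts within seconds, then a successful login to "frank"), while 198.51.100.5, which only failed twice against one account before succeeding, is not. Lowering the thresholds would catch the second source too, which is why the distinct-account requirement matters as much as the raw failure count.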

Malware: Keyloggers and Info Stealers

Malware infects devices and networks using various techniques, including phishing, network vulnerabilities, misconfiguration of web components, and malicious online ads. Keyloggers and info stealers are popular forms of malware that are often available to cybercriminals on an as-a-Service basis; cybercriminals rent phishing templates, spoof websites, and malware to carry out attacks.

Recently, Ducktail malware was used to steal Facebook business accounts. This info stealer was used to exfiltrate data from business accounts when users logged on from infected devices.

Cryptojacking

Cryptojacking malware is used to mine cryptocurrency on behalf of fraudsters. Cryptomining requires large amounts of electricity and computing resources. Any infected SMB will receive large utility bills, and computers will be unusable while infected. Google research found that 86% of compromised cloud instances were used for cryptocurrency mining. Over 4000 government and public service websites were infected with cryptojacking scripts in one attack. Anyone visiting an infected website was at risk of becoming a cryptojacking victim.

Ransomware

Small businesses are at risk of ransomware attacks, leaving them highly vulnerable to the damage and cost of this insidious malware. Over half (51%) of small businesses that suffer a ransomware attack pay the ransom. Contractor E.R. Snell suffered a ransomware attack in which the attackers used keylogger malware to gain unauthorized administrative access. The firm's critical services were down for a week, and other services for three weeks. It took the company many months to recover data and fix damaged computers.

AI-Enabled Cyber Threats

Cyber threats are already challenging, but with the aid of AI, they are expected to become even more dangerous. Generative AI is used to create believable and highly personalized phishing campaigns; malware is developed using AI-based vibe coding; and AI-generated deepfakes are used to create social engineering scams that are almost impossible to identify as fake. One example is a recent spate of invoice fraud using an AI-enabled invoice swapper.

The tool uses AI to search compromised email accounts for messages that mention invoices or include attachments with payment details. The message is intercepted, and the tool changes the banking details of the intended recipient to those of the fraudster.

Impact of Cybercrime on Small Businesses

Cybercrime, like any crime targeting a company, causes operational damage, negatively affects customer relationships, and impacts regulatory compliance. Cisco's Cyber Readiness Index found that only 2% of businesses under 250 employees were fully prepared for a cyberattack. This is concerning, as the VikingCloud report found that 1 in 5 SMBs would go out of business if a cyberattack cost $10,000 or more in damages. Unfortunately, the costs of a cyberattack stack up quickly, as the following examples show:

Cost of a Cyberattack on Small Businesses

Ransomware Costs

Ransomware is a costly infection that damages computers and steals valuable and sensitive data. Small companies with fewer than 1000 employees were impacted over four times more than larger enterprises. Ransom costs increase year-on-year, with the latest median ransom being $1.5 million. Other costs include downtime, recovery, noncompliance fines, and reputation damage limitation.

Downtime Costs

Malware infections and data breaches require time to recover systems and close security gaps. Estimates for downtime costs per hour for SMBs are $25,620, and for enterprises, they are $540,000.

Loss of Customers and Reputation Damage

Data breaches affect customers and result in the degradation of trust and damage to relationships. Each SMB will have its own view of the cost of broken customer relations. However, the cost of reputational damage after a ransomware attack, for example, is around 20% of the overall cost of the attack.

Fraud and Identity Theft

Data breaches and account takeovers lead to identity theft and fraudulent transactions. Business Email Compromise fraud, for example, costs an average of $137,132 per incident, according to data from the FBI.

Noncompliance Fines

Cyberattacks, such as data breaches, can lead to noncompliance with various regulations, including GDPR, PCI-DSS, HIPAA, and DORA. Fines can be significant. DORA, for example, fines firms that are found to be negligent 2% of their total annual worldwide turnover or up to 1% of the average daily turnover worldwide. Critical third-party ICT service providers can be penalized up to EUR 5 million, or EUR 500,000 for individuals.

Affordable Cybersecurity Solutions for SMBs

Enterprise-grade solutions may seem out of reach for a smaller organization. However, managed service providers (MSPs) can help deliver affordable, effective cybersecurity. Typically, MSPs that serve SMBs offer a unified package of solutions purchased on a monthly subscription basis. The MSP has buying power and will implement, manage, and upgrade its tech stack to ensure an SMB has the best protection against cyberattacks. Some of the measures recommended to help mitigate cyberattacks, which an MSP typically offers on subscription, are as follows:

Security Awareness Training

Cybercriminals target employees and customers, tricking them into clicking malicious links in phishing campaigns or socially engineering them into performing tasks that benefit the cybercriminal. Security awareness training attempts to redress the balance, teaching employees and customers about the tricks cybercriminals use to manipulate them. The training educates staff on safe internet and mobile use, security hygiene, and how to spot phishing attacks.

Email Security

Advanced email security solutions help prevent phishing and malicious spam from entering employees' inboxes. AI-enabled email security can identify emerging threats, QR-code phishing, and zero-day attacks that conventional email security cannot detect.

Endpoint Protection

Next-Gen anti-virus (NGAV) uses AI to identify evasive malware that can hide on computers and networks for long periods without being detected.

Robust Identity Security

Employee accounts and their identifying data offer cybercriminals a way into a network. A company should deploy identity security measures to prevent account takeover and other identity security issues, like the exploitation of stolen login credentials. These include using multi-factor authentication (MFA) or passwordless authentication and privilege governance.

Ransomware-Proof Backups

A data backup service should be designed to resist attempts to destroy backup data, preventing any malicious editing, overwriting, or deletion of backups so that clean copies remain available after a ransomware attack.

Dark Web Monitoring

If your data is stolen, it is likely to end up on the dark web for sale to other cybercriminals and fraudsters. Also, if a cybercriminal is intent on attacking an organization, they will often use the dark web to gather intelligence for the attack.

It is recommended that an SMB use a dark web monitoring service, like Sentinex. Dark web monitoring is used to identify any instances of company information that may be used for malicious purposes.

Cyber Insurance for Small Businesses

Cyber insurance can help an SMB weather the storm of a cyberattack. Insurance covers liabilities and financial losses associated with cyberattacks like ransomware and data breaches. Unfortunately, according to a Huntress survey, 27% of SMBs don't have cyber insurance. When evaluating cyber insurance for your company, you should look for the following levels of coverage:

  • Cybercrime investigation of the attack and how it occurred. This is essential in ensuring the type of attack is not repeated.
  • Data breach recovery costs.
  • Damaged computers.
  • Reputation management.
  • Ransom payments from ransomware and data breaches.
  • Notification costs associated with data breach regulation requirements.

FAQs

What is a Cyberattack?

A cyberattack is a deliberate act that causes a breach of data or systems. Cyberattacks take many forms and often exploit human behavior, with cybercriminals manipulating people as part of the attack. Cyberattacks result in data exposure, damage to computers, loss of customers, a breakdown in customer trust, and financial fraud.

How Do Cyberattacks Affect SMBs?

Cyberattacks are highly damaging to an SMB. Smaller organizations typically have fewer skilled IT and security staff and are therefore more prone to attacks. The lack of security resources also makes it challenging for a smaller company to handle the aftermath of a cyberattack. Many companies struggle to regain normal operations and competitive edge if they suffer a large data breach or ransomware infection.

What Motivates Someone to Carry Out a Cyber Attack?

Cyberattackers are motivated by financial gain, political motives, notoriety amongst their peers, and a desire to cause disruption. Disgruntled employees or those recruited by other cybercriminals can also initiate cyberattacks.

How can I tell if my business has been hacked?

Identifying a cyberattack can often be difficult, as many cybercriminals use evasive techniques and tactics to avoid detection. Some malware, for example, can go undetected for months. However, attack "dwell time" is decreasing, with an average time to detect an attack of around ten days. To detect a threat, or to confirm that your company has been hacked, you can use various technologies that monitor network traffic and identify unusual behavior or anomalous data traffic. Intrusion Detection and Prevention Systems (IDPS) provide this capability and can also help prevent an attack.

What should I do if a cyberattack happens?

To prepare your company's response to a cyberattack, you should have a cybersecurity incident response plan and a business continuity plan. These policy documents define the actions needed to mitigate an attack and respond to its impact. The plan should contain a list of company staff who can make decisions based on the attack type. Communication of how to handle a cyberattack must be robust and not dependent on computer systems that may be damaged in the attack.

Is cybersecurity expensive for a small business?

Enterprise-grade cybersecurity should not be expensive for an SMB. However, your company will need to source cost-effective solutions and delivery mechanisms. Many cybersecurity solutions are now available on a subscription basis and designed for purchase by an SMB. Managed service providers (MSPs) also offer SMB-focused services that price solutions with smaller budgets in mind.