The 5 Biggest Cybersecurity Threats Small Businesses Face


March 4, 2024

Small enterprises are equally susceptible to cybersecurity threats as their larger counterparts. The misconception that smaller teams are less attractive to cybercriminals due to “security through obscurity” is often proven wrong. In this article, we’ll take a look at the top 5 biggest cybersecurity threats facing small businesses.

Advancements in quantum computing, generative AI and the emergence of new malware types, like Ransomware-as-a-Service, enable cybercriminals to launch automated attacks against numerous small businesses simultaneously. Consequently, businesses of all sizes face potential threats, and targeting small businesses can be equally profitable for cyber attackers.

Typically, small businesses lack specialised cybersecurity personnel and advanced security measures. Their infrequent cybersecurity training and the absence of sophisticated security tools, such as multi-factor authentication or password managers, render them more vulnerable to attacks. However, even the smallest companies may handle significant financial transactions or possess extensive customer data, which they are legally required to safeguard under laws like GDPR.

Cyber attacks on small businesses can serve as a gateway for targeting larger corporations through supply chain or “island hopping” attacks. This strategy allows cybercriminals to infiltrate the larger partners’ networks, posing risks to both the small business and the larger enterprise.

Small to medium-sized businesses (SMBs) stand to lose a great deal from cyberattacks. Although precise figures are challenging to ascertain, recent findings suggest that companies with fewer than 500 employees suffer average losses of $3.21 million per attack. Such financial losses, coupled with the reputational damage from a cyber breach, can be catastrophic for small businesses.

Therefore, it’s crucial for small businesses to understand the primary cyber threats they face and the strategies for mitigating these risks. This article aims to highlight the top five cybersecurity challenges for small businesses.

Phishing and Social Engineering Tactics

Phishing and social engineering have remained among the most common and successful types of cyberattacks against small businesses for years. In the United States, phishing and its variations, such as spear-phishing and business email compromise (BEC), top the list of cyber threats. Since 2020, there has been an 81% global increase in phishing incidents, and it’s believed that 82% of data breaches originate from a phishing attack.

These attacks involve deceiving a user into clicking on a harmful link, downloading a malicious file, or revealing sensitive data, like payment details or login credentials, by pretending to be a trustworthy entity. The sophistication of phishing attacks has significantly increased, allowing cybercriminals to conduct highly targeted and effective campaigns.

Phishing is particularly appealing to attackers due to its cost-effectiveness, minimal effort, and high success rate. It often serves as an entry point for more severe disruptions, such as ransomware, following the compromise of email accounts or the introduction of malware. Deepen Desai, Zscaler’s Global CISO and Head of Security Research, emphasised that phishing is a primary attack vector, marking the beginning of complex, multistage cyberattacks rather than simple malware distribution via email.

SMBs face a significant threat from business email compromise (BEC) attacks, where attackers gain control over email accounts (typically through stolen credentials) to issue fraudulent requests for invoices and payments either within the company or to external partners. These attacks are particularly dangerous because they appear to originate from a legitimate source within the organisation, making them more likely to succeed and result in financial losses that are difficult to recuperate.

Ransomware and Malware Threats

Malware, especially ransomware, poses a significant threat to small businesses, being among the most prevalent and destructive types of cyberattacks. Malware is harmful software designed to infiltrate networks and to pilfer or obliterate data on computers; it is typically spread via malicious website downloads, spam emails, or connections with other compromised devices. Ransomware, a particularly virulent form of malware, is experiencing a surge in activity.

Deepen Desai of Zscaler notes a marked increase in ransomware incidents, stating, “While some suggest that ransomware attacks have stabilised, our observations show a 38% annual growth in ransomware incidents and a 37% rise in double extortion attacks. The shift towards a Ransomware-as-a-Service model facilitates the execution of widespread, sophisticated assaults.”

Ransomware attacks generally encrypt an organisation’s data, making it inaccessible and demanding a ransom for its decryption. This scenario forces companies into a difficult decision: pay the ransom, risking substantial financial loss, or suffer operational paralysis due to data unavailability. An emerging tactic among ransomware groups involves threatening to leak or permanently withhold data, compounding the potential damage.

Small businesses are particularly vulnerable, with 71% of ransomware attacks aimed at them, and an average ransom demand of $116,000. These businesses are more likely to pay ransoms due to the lack of data backups and the urgent need to restore operations quickly. The healthcare industry is acutely affected, as the compromise of patient records and scheduling can be devastating enough to force a business shutdown unless the ransom is paid.

To combat these sophisticated ransomware threats, Desai advises adopting a comprehensive zero trust strategy. “Implementing zero trust architecture fundamentals can significantly bolster defences against ransomware,” he explains. Zero trust operates on the principle of distrusting all users, devices, and systems until their authenticity is verified, advocating for continuous authentication and adherence to the least privilege principle to mitigate security vulnerabilities.

Vulnerable Password Practices

Vulnerable password practices reflect inadequate cybersecurity measures, significantly reducing an organisation’s defence against cyber threats such as phishing. Nowadays, many small businesses depend on a variety of cloud-based services, necessitating the creation and maintenance of numerous accounts that often hold sensitive and financial information. The use of weak, predictable passwords, or the repetition of the same password across several accounts, jeopardises the security of this data.

The issue of “weak passwords” manifests in several ways. These include employees choosing easily guessed passwords like “Password123”, reusing the same password for multiple services, or sharing passwords among team members without any form of security. Studies show that an average of 19% of professionals in organisations resort to such insecure practices.

The prevalence of weak passwords among businesses stems from a widespread unawareness of the potential risks involved. These habits significantly simplify the process for cybercriminals to crack passwords through methods such as brute force attacks, including the use of “password-spray” malware which attempts to unlock numerous accounts simultaneously with common passwords.
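
The password-spray pattern described above leaves a recognisable trace in sign-in logs: one source failing against many different accounts in a short period, unlike a forgetful user who fails repeatedly against a single account. The following detection sketch is an added example, not part of the original article; the log format, thresholds, sample events and function names are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): time, source IP, account, outcome.
SAMPLE_EVENTS = """\
2024-03-04T09:00:01 203.0.113.7 alice FAIL
2024-03-04T09:00:03 203.0.113.7 bob FAIL
2024-03-04T09:00:05 203.0.113.7 carol FAIL
2024-03-04T09:00:08 203.0.113.7 dave FAIL
2024-03-04T09:00:11 203.0.113.7 erin FAIL
2024-03-04T09:00:14 203.0.113.7 frank OK
2024-03-04T09:02:00 198.51.100.20 alice FAIL
2024-03-04T09:02:10 198.51.100.20 alice FAIL
2024-03-04T09:02:20 198.51.100.20 alice FAIL
2024-03-04T09:02:30 198.51.100.20 alice OK
"""

def parse_events(text):
    """Yield (timestamp, source, account, succeeded) from whitespace-separated lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, outcome = line.split()
        yield datetime.fromisoformat(ts), src, account, outcome == "OK"

def detect_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Flag sources that fail against >= min_accounts distinct accounts within window.
    Returns {source: {"targeted": [...], "succeeded": [...]}}."""
    by_source = defaultdict(list)
    for ev in sorted(events):
        by_source[ev[1]].append(ev)
    findings = {}
    for src, evs in by_source.items():
        failures = [(ts, acct) for ts, _, acct, ok in evs if not ok]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it spans at most `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            targeted = {acct for _, acct in failures[start:end + 1]}
            if len(targeted) >= min_accounts:
                first = failures[start][0]
                # Logins that succeeded from this source after the spray began
                # are candidates for an immediate password reset.
                hit = sorted({a for ts, _, a, ok in evs if ok and ts >= first})
                findings[src] = {"targeted": sorted(targeted), "succeeded": hit}
                break
    return findings
```

On the constructed sample, only the first source is flagged; the second, which fails three times against one account before succeeding, is not.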

Furthermore, as mentioned earlier, passwords are also vulnerable to phishing schemes. These attacks specifically target passwords as they serve as the gatekeepers to an organisation’s valuable data. In a small business setting, the breach of a single password, such as one for Microsoft 365, can pave the way for attackers to compromise additional accounts and gain access to essential company information.

Inadequate Patch Management

Patch management involves keeping all endpoint devices (such as laptops, PCs, smartphones), networks, and applications updated with the latest security patches. Systems running outdated operating systems or software are vulnerable to attacks because they may contain unaddressed security flaws that cybercriminals are eager to exploit through ransomware and other malware. Consequently, neglecting patch management can expose your business to the risk of a data breach.

When software vulnerabilities are discovered, they are often disclosed to the public. Although developers may release patches swiftly, there can be a significant delay before end-users apply these updates. This delay provides a window of opportunity for cybercriminals to exploit known vulnerabilities in applications that haven’t yet been patched. Microsoft has noted that many breaches occur in systems that remain unpatched, even though fixes have been available for years, with studies showing that 18% of vulnerabilities arise from software that hasn’t been updated.

Small businesses, in particular, may struggle with ensuring that all their devices and networks are consistently up-to-date. They frequently depend on employees to manually perform updates, which can introduce risks that affect the entire organisation and even extend to supply chain partners. As Steve Dispensa, VP of Product Management for Microsoft Intune, points out:

“The intensity and persistence of cyberattacks are escalating, placing greater demands on organisations’ IT departments, which are already stretched thin due to staffing challenges and budget constraints. The shift towards more remote work, flexible working hours, and operations across different countries has further increased the pressure on Security Operations Centers (SOCs) and IT teams to meet a broad range of new requirements.”

Threats from Within

Insider threats constitute a significant concern for small businesses, originating from individuals within the organisation such as employees, former employees, contractors, or business associates. These individuals may have access to sensitive company information and can inflict damage out of malicious intent, greed, or even through mere negligence or oversight. Verizon’s findings indicate that insider threats are responsible for 25% of data breaches.

The issue of insider threats is escalating, posing potential risks to both employees and customers, as well as financial losses for the company. In the context of small businesses, the challenge is magnified as a growing number of employees gain access to an increasing array of accounts containing substantial amounts of data. Surveys have revealed that 62% of employees admit to having access to accounts beyond their necessity, highlighting the widespread nature of this problem.


Small businesses are currently navigating through a myriad of security threats, and unfortunately, there isn’t a single solution that guarantees complete protection. The most effective defence strategy involves implementing a robust suite of security measures and data backup systems. Additionally, investing in a solid cybersecurity insurance policy is a prudent move to safeguard your business and employees should a cyberattack happen.
