Industry insights

The most common cyber threats facing SMBs and how to prevent them

Jack Koziol for Forbes Advisor
November 8, 2021 by
Jack Koziol for Forbes Advisor

While it doesn’t often make the evening news, small- and medium-sized businesses (SMBs) have been hammered by ransomware this year — and this trend isn’t new. Last year, more than a quarter of breach victims were SMBs, according to Verizon.

More concerning—of the breaches studied in the report, the majority of incidents took days, weeks or even months to be discovered.

One of the biggest challenges small businesses face is simply a lack of awareness and resources to defend against the threat actors who come knocking. As enterprises increase cybersecurity budgets and resources to defend against the ever-increasing onslaught of cyberthreats, attackers have shifted their sights to small businesses with smaller staffs and budgets.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

With the rise of automated attacks and supply chain attacks, cybercriminals are now looking at small businesses as an easy access point to make their way into larger enterprises. Automated tools allow attackers to quickly increase their scale without much additional effort, causing small businesses to be caught in the line of fire. Therefore, your security strategy must be prepared to encounter the same challenges as enterprise organizations.

In order to overcome these challenges, we first need to know what we’re up against. As one would expect, the vast majority of cyberattacks against SMBs are financially motivated. These attacks typically involve the use of ransomware as a way to demand a cash payment. Additionally, several other attack types may be used in tandem in order to execute the breach.

There’s no substitute for good security practices and training when it comes to keeping your data safe. However, many of today’s top antivirus vendors offer useful features for keeping your devices safe and assessing threats. For more information, check out our guide to the top antivirus platforms on the market. You can also check out our guide to our favorite VPNs to keep your web activity private.

The top four cyber threats facing SMBs

1. Ransomware

Ransomware can come in many shapes and sizes, but it all functions with the same basic concept: You must pay a ransom in order to gain access to your data. Oftentimes, attackers follow with a second ransom in order to keep stolen data from being sold online.

If you’ve been following cybersecurity news, then you’ve probably heard of one of the many high-profile ransomware attacks. The Colonial Pipeline attack was the most recent example of this, with a nearly $5 million ransom being paid in order to regain access to files and data. Similarly, the city of Baltimore was hit by ransomware in 2019, forcing the city to stop processing all payments in and out.

Ransomware is typically the final step in the cyberattack process. It is the payload that is deployed after an attacker gains access to the victim’s network. The first step into a network typically involves some sort of phishing, social engineering or web application attack. As soon as they have a foothold in the network, they can start to deploy ransomware to all the endpoints they can reach.

How to protect yourself

While there is no one-size-fits-all approach to ransomware prevention, a strong defense against this attack is to prevent that initial breach. Research shows that small businesses received 94% of their detected malware by email. Educating your workforce about these attacks and how to identify them is vital to preventing financial loss and downtime due to ransomware.

Ransomware prevention is a difficult task, and usually involves a combination of several mitigation techniques. Unless the attacker is feeling particularly virtuous that day, not much can be done to prevent a ransomware attack after the network is compromised. However, there are several strategies that can limit the damage of a ransomware attack.

Network segmentation, frequent backups and a strong incident response process can limit the number of systems affected by a ransomware attack. This can be the difference between paying a hefty ransom and simply restoring the few encrypted systems from backups.

Network segmentation is the practice of separating the branches of your organization’s network, typically through the use of firewall rules. For instance, many organizations disallow the printers on their network from initiating traffic with workstations and servers. This prevents an attacker from taking hold of your entire network if a single device is compromised.

Backing up your data and maintaining a strong incident response policy are always good ideas, regardless of the context. When it comes to ransomware mitigation, keeping good backups in a safe location can be the difference between paying a ransom of thousands of dollars and quickly identifying a breach and restoring your data after a brief period of downtime.

2. Misconfigurations and unpatched systems

Security misconfigurations arise when security settings are not defined and implemented, or when default values are maintained. Usually, this means the configuration settings do not comply with the industry security standards such as CIS Benchmarks or OWASP Top 10. Misconfigurations are often seen as an easy target, as they can be easy for attackers to detect.

Misconfigurations can be much more than an accidental firewall rule. Some of the most common misconfigurations are unpatched systems, broken access control, sensitive data exposure and vulnerable and outdated components. Attackers can purchase tools from deep web marketplaces to scan for these vulnerabilities, much like a penetration testing contractor could do for your organization.

How to protect yourself

Addressing misconfigurations requires a multifaceted approach across your entire security stack. Patch management is a great first step to clean up the “low-hanging fruit” that these automated attacks look for. Many automated tools can scan for outdated applications and missing patches, making remediation more efficient.

Proper cybersecurity training for your technical staff is also a great way to minimize the chance of a misconfiguration sticking around too long. A well-educated technical team will obviously be less likely to make mistakes, but will continue to make better, more experienced decisions about the organization’s security posture.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

3. Credential stuffing

Credential stuffing happens when an attacker uses stolen credentials from one organization to access user accounts at another organization. These credentials are typically obtained in a breach or purchased off of the dark web. You may have seen news stories about Disney Plus accounts getting hacked, yet Disney found no evidence of forced entry. This is because credential stuffing simply involves logging into a victim’s account with their own username and password.

Unfortunately, due to the ease of execution, this type of attack is becoming increasingly common. With the rise of dark web marketplaces in the last decade, cybercriminals are able to simply place an order for a dataset of valid usernames and passwords just like you’d order a new book on Amazon.

Once they obtain a list of usernames and passwords, hackers can recruit an automated network of bots to attempt to log in to services such as Microsoft 365, Google, AWS or anything else. If they find a credential set that works, they’ve successfully gained access to that account with little to no trace.

The success of these attacks relies on personal password reuse by an organization’s employees. A 2019 Google survey found that 65% of people reuse passwords on multiple accounts, if not all of them. This only perpetuates the likelihood of a credential stuffing attack.

How to protect yourself

The good news is that this type of attack is preventable if you implement multi-factor authentication and limit password reuse. With multi-factor authentication, the attacker must also have access to the victim’s phone in order to access the account—even if they log in with valid credentials. Likewise, limiting password reuse will nip a credential stuffing attack right in the bud. This introduces more passwords to keep track of, but will eliminate the threat to your vital systems when a popular streaming service suffers a credential breach.

Implementing a security policy that requires the use of a password manager is key to keeping track of all these passwords. Password managers work by storing your passwords in an encrypted vault secured with a “master password” — giving you just one important password to remember. They eliminate the need to remember several strong passwords, which allows you to use a unique strong password for every account.

4. Social Engineering

Social engineering isn’t the breach of a system, but rather the compromise of a person, which causes them to unknowingly release confidential information. This most commonly takes the form of an email phishing attack in which the individual is tricked into downloading malware or giving up their credentials. Typically, social engineering is the first step in a multistep cyberattack.

What’s more concerning is that over 70% of social engineering and phishing incidents are discovered by external parties. This means that when employees are falling for the bait, they usually don’t realize they’ve been hooked. On top of that, attackers are constantly coming up with new ways to evade automated security tools.

How to protect yourself

Social engineering comes in many variations, which makes it a challenge to prepare your organization for everything that gets thrown at it. Luckily, the best way to prevent a social engineering attack is with a strong cybersecurity awareness training program. Engaging and educational security content will not only prepare your employees for what they’ll see, but it can shift the culture of your organization to a security-first mindset.

Bottom line

There is no singular approach to minimizing the human risks that lead to breaches. Employees will need to browse the web, open emails and even answer the phone with a healthy amount of suspicion. An organization with a strong cybersecurity culture is an organization with a small social engineering attack surface.

With 60% of small businesses closing within six months of a cyberattack, improving your security posture isn’t just logical, it’s vital to the survival of the organization. Maintaining up-to-date backups, regularly updating software and adequately training your employees can make the difference between business as usual and closing up shop.

For more information about keeping your organization secure, the U.S. Cybersecurity & Infrastructure Security Agency maintains a collection of resources for SMBs.

ChatGPT training built for everyone

ChatGPT training built for everyone

We've created a training video and supplemental resources to educate every employee on how to use AI tools securely. Meet with a member of our team to get started.

This column originally appeared on Forbes Advisor.

More From Forbes Advisor:

Jack Koziol for Forbes Advisor
Jack Koziol for Forbes Advisor

Jack Koziol is the former president and founder of Infosec, a leading security awareness and anti-phishing training provider. With years of private vulnerability and exploitation development experience, he has trained members of the U.S. intelligence community, military and federal law agencies. His extensive experience also includes delivering security awareness and training for Fortune 500 companies including Microsoft, HP and Citibank. Jack is the lead author of The Shellcoder’s Handbook: Discovering and Exploiting Security Holes. He also wrote Intrusion Detection with Snort, a best-selling security resource with top reviews from Linux Journal, Slashdot and Information Security Magazine. Jack has appeared in USA Today, CNN, MSNBC, First Business and other media outlets for his expert opinions on information security.