As a business's tech stack grows, so does the attack surface available to cybercriminals. Contrary to popular belief, default security settings do not always protect a business, and as attack patterns grow more sophisticated, small businesses are learning this the hard way. After decades of working with SMBs, we know that a lack of security awareness and personal vigilance is what lets cybercriminals do maximum damage.
If you’re not sure whether you need to take cybersecurity seriously, here are some numbers you should check out:
- $4.35 million was the global average cost of a data breach in 2022. In the United States it was $9.44 million, the highest ever recorded – IBM, Cost of a Data Breach Report 2022
- 83% of organizations surveyed had experienced more than one data breach, and not all of them had the threat-monitoring resources to bounce back – IBM
- $10.5 trillion is the projected global annual cost of cybercrime by 2025 – Cybersecurity Ventures
- 42% of American small businesses have no plan for responding to a cyberattack – CNBC
The last statistic in particular paints a grim picture for businesses that can't afford the expensive security suites enterprises use. But that doesn't mean your business has to be exposed to attackers. Here are six cybersecurity pitfalls you should be aware of:
1. Social Engineering
Attackers now spend more time gathering information and executing highly targeted attacks. Social engineering is a growing threat to businesses: it manipulates or deceives individuals into divulging sensitive information or performing actions on the attacker's behalf. Part of the reason attackers favor social engineering over brute-force attacks is that businesses now run many endpoints, and not all of them are equally well protected.
These attacks take many forms, such as phishing emails, phone scams, and pretexting, and can lead to loss of sensitive data, financial loss, or damage to the company's reputation. A UK-based energy company fell victim to a novel social engineering attack in 2019 when an employee transferred €220,000 to a fraudulent account after the scammer mimicked the CEO's voice and mannerisms over a phone call.
While it’s difficult to completely prevent social engineering attacks, businesses can take steps to protect themselves by educating employees about the risks, implementing security protocols, and monitoring for suspicious activity. It’s crucial for businesses to stay vigilant against these types of attacks and to take proactive measures to mitigate the potential damage.
2. Phishing
In August 2022, the customer engagement platform Twilio was hit by a phishing attack that exposed data belonging to hundreds of business customer accounts. The attackers sent fraudulent SMS messages posing as Twilio's IT department, urging employees to reset their passwords. The embedded links led to lookalike domains and fake login pages that captured the employees' credentials, which the attackers then used to get into Twilio's internal systems. SMS phishing (smishing) of this kind is highly effective because a text message carries far fewer of the cues people have learned to check in email.
Apart from smishing, attackers use phishing emails to steal credentials and deliver malware. The email appears to come from a legitimate source, such as a bank or an executive within the company, and asks the recipient to click a link or open an attachment; the link leads to a credential-harvesting page, or the attachment infects the recipient's device with malware. Employee education and training reduce phishing risk, but they are not sufficient on their own: pair them with email filtering, an easy way for staff to report suspicious messages, and multi-factor authentication that does not rely on codes a phishing page can capture.
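The smishing messages described above worked because the links pointed at domains that merely resembled the real ones. The following is an added example, not code from the original article or from Twilio, of a small link classifier that flags such lookalikes: it compares the registrable domain of each link against an allowlist, catches a trusted brand embedded in a longer name or used as a subdomain of another site, and catches typosquats within two edits. The allowlist (`TRUSTED_DOMAINS`) and the sample messages are constructed for the example and are not the real domains or messages from the incident.

```python
import re
from urllib.parse import urlparse

# Domains the organization legitimately uses. Assumed for this example; a real
# deployment would load the company's own allowlist.
TRUSTED_DOMAINS = {"twilio.com", "okta.com"}

# Constructed sample messages modelled on the smishing pattern described above.
SAMPLE_MESSAGES = [
    "Twilio IT: your password expires today. Reset it at https://twilio-sso.com/reset",
    "Reminder: sign in at https://sso.twilio.com/ to finish your training",
    "Account locked. Verify now at http://twilio.com.evil.net/verify",
    "Your parcel is waiting: https://tvvilio.com/login",
]

URL_RE = re.compile(r"(?:https?://)?[a-z0-9.-]+\.[a-z]{2,}(?:/[^\s]*)?", re.IGNORECASE)


def hostname(url: str) -> str:
    """Lower-cased host part of a URL, tolerating links written without a scheme."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host: str) -> str:
    """Last two labels of a host ('sso.twilio.com' -> 'twilio.com').
    Good enough for .com/.net style names; a real tool would consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats one or two characters away from a brand."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one link."""
    host = hostname(url)
    domain = registrable_domain(host)
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    sld = domain.rsplit(".", 1)[0]           # 'twilio-sso' from 'twilio-sso.com'
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.rsplit(".", 1)[0]    # 'twilio'
        if trusted in host:                  # trusted name used as a subdomain of another site
            return "lookalike"
        if brand in sld and sld != brand:    # brand with extra tokens: twilio-sso, okta-twilio
            return "lookalike"
        if levenshtein(sld, brand) <= 2:     # typosquat: tvvilio, twillio
            return "lookalike"
    return "unknown"


def scan_message(text: str) -> list:
    """Extract every link in a message and classify it."""
    return [(m.group(0), classify_link(m.group(0))) for m in URL_RE.finditer(text)]


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for url, verdict in scan_message(msg):
            print(f"{verdict:9s} {url}")
```

A check like this belongs in the mail or SMS gateway and in the reporting tool staff use, not only in training slides: the "unknown" verdict is where a human should look, and "lookalike" should be blocked outright.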
3. Malware
Malware is malicious software designed to harm or take control of computer systems, networks, or devices. It includes viruses, worms, Trojan horses, adware, spyware, and ransomware. Apart from the social engineering and phishing routes discussed above, malware is commonly delivered in two other ways: drive-by downloads and supply chain attacks.
A drive-by download occurs when a user visits a compromised website or views a malicious online ad. Script on the page exploits a vulnerability in the browser, a plugin, or the operating system to install the malware automatically, with no action needed from the user beyond loading the page. That makes it hard to prevent through awareness alone and makes prompt browser and OS patching essential.
Supply chain attacks, on the other hand, target a third-party vendor or supplier in order to reach the company's network and install malware. This lets the attacker bypass perimeter defenses and ride on the trust and privileges already granted to the supplier's software to reach sensitive systems.
In 2020, attackers used exactly this route against users of SolarWinds' Orion platform. Having compromised SolarWinds' build environment, they spent months preparing before inserting the SUNBURST backdoor into Orion builds, and the trojanized updates were then distributed to roughly 18,000 customers between March and June 2020. Intel, Cisco, and Deloitte were among the organizations that installed the malicious update.
4. Ransomware
Speaking of malware, ransomware is a major headache for modern businesses: it is malware that encrypts a victim's files and demands a payment in exchange for the decryption key. As data has become more valuable and businesses more dependent on their devices, criminals exploit victims' desperation. According to Verizon's 2022 Data Breach Investigations Report, ransomware breaches rose by 13% in a year and accounted for 25% of all breaches.
Attackers typically deliver ransomware through phishing emails and exploit kits (toolsets that take advantage of vulnerabilities in software, often sold on dark web markets). Once installed on a victim's computer, the ransomware encrypts the victim's files. Many variants also exfiltrate sensitive data first and threaten to publish it if the ransom is not paid on time. Paying does not guarantee a working decryption key; some attackers take the payment and sell the data on the dark web anyway. Offline, regularly tested backups are what make the encryption part of the attack survivable without paying.
5. Password Hacking or Keylogging
Keylogging is the recording of keystrokes on a computer or mobile device. It is mostly used for parental control, IT support, and employee monitoring, but attackers have turned the same tooling against users.
Software keyloggers are typically deployed through malware, such as viruses or Trojan horses, while hardware keyloggers are small physical devices that can be connected to a computer or mobile device to record keystrokes.
When a keylogger is installed on a device, it begins recording all keystrokes made on the device, including passwords. The keylogger can then send the recorded keystrokes to the attacker, who can use them to gain access to the user’s accounts, such as email, social media, or banking—leading to identity theft, financial loss, and other forms of fraud.
Be aware of the signs of a keylogger infection, such as sluggish performance, unexpected pop-ups, or unfamiliar programs running in the background, and be cautious of suspicious emails or links that may deliver malware capable of installing one. Because a keylogger captures whatever is typed, multi-factor authentication limits what a stolen password alone can unlock.
6. DDoS
Distributed Denial of Service (DDoS) attacks aim to overwhelm a website or online service with a flood of traffic from many sources, making it unavailable to legitimate users. Attackers use several methods: amplification attacks, in which spoofed requests are sent to open DNS, NTP, or similar servers that reply to the victim with responses many times larger than the request; application-layer attacks that hammer expensive pages or API endpoints with requests that each look legitimate on their own; and network-layer attacks such as SYN or UDP floods that exhaust bandwidth or connection state. The traffic usually originates from a botnet of compromised devices. A DDoS attack can cost a business revenue and reputation and can even create legal liability.
In 2022, the security company Imperva mitigated a large-scale DDoS attack that sent 25.3 billion requests over roughly four hours at a Chinese telecommunications company.
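The application-layer floods described above are usually met first with rate limiting at the edge. The following is an added example, not code from the original article or from Imperva, of a per-source sliding-window limiter replayed over a constructed access log, alongside a site-wide request counter. The log format, the addresses and the policy thresholds (`PER_SOURCE_LIMIT`, `WINDOW_SECONDS`, `SITE_ALERT_RPS`) are assumptions made up for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Policy values are assumptions for this example, not figures from the article.
PER_SOURCE_LIMIT = 20    # requests one source may make within the window
WINDOW_SECONDS = 10.0
SITE_ALERT_RPS = 8       # whole-site requests per second that should page someone


class SlidingWindowLimiter:
    """Per-key sliding window: allow at most `limit` events in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.events = defaultdict(deque)       # key -> timestamps still inside the window

    def allow(self, key: str, ts: float) -> bool:
        q = self.events[key]
        while q and ts - q[0] >= self.window:  # expire timestamps that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                       # over budget: reject or serve a challenge
        q.append(ts)
        return True


def format_line(ts: float, ip: str, path: str) -> str:
    """Constructed log format used by this example: '<ISO time> <source ip> <method> <path>'."""
    return f"{datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()} {ip} GET {path}"


def parse_line(line: str):
    iso, ip, method, path = line.split()
    return datetime.fromisoformat(iso).timestamp(), ip, method, path


def build_sample_log() -> list:
    """Constructed traffic: three normal clients plus one source hammering /login."""
    base = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc).timestamp()
    lines = []
    for n, ip in enumerate(["10.0.0.1", "10.0.0.2", "10.0.0.3"]):
        lines += [format_line(base + n + i * 5, ip, "/") for i in range(5)]
    lines += [format_line(base + 10 + i * 0.1, "10.0.0.9", "/login") for i in range(60)]
    return sorted(lines, key=lambda line: parse_line(line)[0])


def analyze(lines: list):
    """Replay a log through the limiter.

    Returns (requests rejected per source, peak whole-site requests per second,
    whether the site-wide rate crossed SITE_ALERT_RPS). The per-source limiter
    catches a single noisy client; the site-wide counter is what still moves
    when a botnet spreads the flood thinly across thousands of addresses."""
    limiter = SlidingWindowLimiter(PER_SOURCE_LIMIT, WINDOW_SECONDS)
    rejected = defaultdict(int)
    per_second = defaultdict(int)
    for line in lines:
        ts, ip, _, _ = parse_line(line)
        per_second[int(ts)] += 1
        if not limiter.allow(ip, ts):
            rejected[ip] += 1
    peak = max(per_second.values(), default=0)
    return dict(rejected), peak, peak >= SITE_ALERT_RPS


if __name__ == "__main__":
    rejected, peak, alert = analyze(build_sample_log())
    print("rejected per source:", rejected)
    print("peak site rps:", peak, "alert" if alert else "ok")
```

The limiter alone is not a DDoS defense: a real distributed attack keeps every source under the per-IP budget, which is why the site-wide counter (and, in practice, an upstream scrubbing service with far more bandwidth than you have) matters more than the per-source rule.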
Steps to protect your business from cyberattacks:
Securing both cloud-first and legacy businesses is difficult but not impossible. To avoid cybersecurity pitfalls, you’ll want to implement a comprehensive strategy that includes multiple layers of defense. Here are a few key steps you can take to bolster your cybersecurity posture:
- Implement strong security controls: Firewalls and encryption thwart a good share of attacks. A firewall acts as a barrier between your internal network and the open internet, while encryption at rest (for databases and backups) and in transit (TLS) ensures that data is unreadable to anyone without the correct key.
- Keep software and operating systems up to date: Software vulnerabilities are a common entry point, so updates must not be ignored. Regularly updating software and operating systems closes known vulnerabilities quickly. A true zero-day has no patch yet, so apply the vendor's fix as soon as it is released and rely on the other layers of defense in the meantime.
- Train employees on cybersecurity best practices: As the Twilio incident shows us, your employees are the first line of defense against cyberattacks. When the workforce is educated and trained on the best practices for cybersecurity including password management, identifying phishing scams, and social engineering tactics, they can help you reduce the risks.
- Use multi-factor authentication: However strong your passwords are, they are often compromised, whether by keyloggers, phishing, or device theft. Adding a second factor, such as a fingerprint, facial recognition, a hardware security key, or a trusted device, helps ensure that only authorized users get in. Prefer factors that cannot be phished: a one-time code sent by SMS or shown in an app can be relayed by an attacker in real time, while a hardware key bound to the legitimate site cannot.
- Monitor networks and systems: On top of implementing best practices, introduce ongoing security vigilance to catch anomalies. Regularly monitoring your networks and systems for signs of intrusion or suspicious activity, such as logins at odd hours, bursts of failed authentication, or unexpected outbound traffic, lets you detect and respond to attacks quickly.
- Have an incident response plan in place: Cyberattacks can happen at any moment, so it is essential to have a plan for responding quickly and effectively. An incident response plan should cover identifying and containing a breach, removing the attacker's access, recovering systems, and reporting the incident to stakeholders and, where required, regulators, and it should be rehearsed before it is needed.
Beyond the cybersecurity best practices: the need for a cybersecurity consultant
In 2020, a security researcher found that a smart coffee maker exposed an unsecured Wi-Fi access point for its companion app and accepted unsigned firmware updates; after reverse-engineering the firmware, he reprogrammed the machine to demand a ransom. It was only an experiment, but it offered a glimpse into a world of security nightmares.
When a cyberattack can be triggered by almost anything, it's important to work with a cybersecurity consultant, especially if your business lacks the in-house expertise or resources to address these issues.
A cybersecurity company or a team of experts can provide a wide range of services, such as risk assessment, compliance assistance, incident response planning, penetration testing, cybersecurity training, and ongoing support. They can help identify and prioritize vulnerabilities, ensure compliance with industry regulations, create a robust incident response plan, test the security of your systems, train employees, and continuously monitor your systems for potential threats. On top of that, security consultants can provide guidance and expertise to organizations that lack the internal resources to fully address their cybersecurity needs. If you want peace of mind and to secure your business against cyber threats, get in touch with MyTek.