Small businesses and startups face a unique challenge in the realm of cybersecurity: they don’t see themselves as a target, but in the eyes of bad actors, they are sitting ducks. For example, in 2017, Russian state threat actors breached small suppliers to the utility industry and used that trusted relationship to break into the IT networks of nuclear power plants. In another case, a sole proprietor who helps investors analyze SEC documents nearly lost his entire business to a ransomware attack. Further, in the wake of major ransomware attacks on high-profile businesses and the law enforcement action that followed, threat actors began targeting more small and medium-sized businesses at the end of 2021.
There’s a lot at risk for the small organizations threat actors target. Beyond the potential for major financial losses, you must fend off irreparable damage to your brand while simultaneously trying to protect your customers.
In this post, we’ll address examples of common cyberattacks on small businesses as well as measures to safeguard against threats and improve your cybersecurity posture.
Small Business Cybersecurity Challenges
For context, we’ll refer to the U.S. government’s definition of “small business”: any business with firm revenue ranging from $1 to $40 million and from 1 to 1,500 employees. The key to remember is that small businesses may look different depending on industry, revenue, and employment. Of these small businesses, many are startups and some are franchises of larger businesses.
As noted earlier, small businesses have unique cybersecurity risks. For some, a lack of available staff means there is no dedicated employee to monitor for and address digital risks. Others may be a one-person operation, handling everything from social media and marketing to managing finances and inventory. Opportunistic cybercriminals know that businesses of all sizes experience security skills shortages, and because many small businesses have fewer resources to dedicate to security, it’s more challenging for them to identify and fix security gaps.
In-house expertise is a common challenge, but rapid growth introduces even more risk: the attack surface widens faster than the security program that is supposed to cover it. While you’re focused on growing your business, maturing your security program may – and probably will – take a back seat.
This is what threat actors are counting on.
It’s not just small businesses being targeted, but also the vendors that small businesses use, which puts your customers at risk as well. Consider the damage an attack on PayPal or Square could have on a small retail business.
The trend of third-party compromises is here to stay. In our 2022 Threat Intelligence Forecast, ZeroFox predicts that third-party compromises will continue on an upward trajectory in frequency, scale, and sophistication, and that threat actor targeting in 2022 is likely to focus on smaller, third-party vendors within larger supply chains and on key events.
4 Examples of Small Business Cyberattacks
A cyberattack can cost small organizations thousands of dollars and result in hours of downtime – and that’s not including indirect costs such as remediation, preventative training and technological upgrades, or the reputational damage following a public cyber-incident. The first step to defending against cyberthreats is recognizing that no business – big or small – is immune to threat activity.
Let’s cover four common examples of cyberattacks that small and medium-sized businesses should look out for.
Compromised Credentials
Whether a retailer uses a private website or a shop hosted on a third-party site such as Etsy, a bad actor can cause major problems using compromised credentials. If they gain access, cybercriminals can change the banking information in an e-payment portal to route legitimate sales to a fraudulent account. They could also steal sensitive customer data.
Domain Spoofing
Let’s look at a more complex attack on a small business that can tarnish a company’s brand. Cybercriminals can copy a website, including its unique content, and trick customers into thinking they are visiting the legitimate site. Domain spoofing can apply to company websites or email addresses, and if it succeeds, businesses lose sales and customer trust.
Social Media Impersonation
To take it a step further, threat actors can also create fake social media accounts that replicate legitimate pages, with some even paying for ads on Facebook. Over time, the imposter pages may build trust with customers and divert traffic to the attacker’s site, where they can not only steal information and money but also tarnish your brand’s reputation. All the while, other false profiles may be posting negative reviews on your legitimate social media pages.
Mobile App Scams
Threat actors may also create fake coupons and promotions targeting franchises, like chain restaurants, using lookalike mobile apps. For example, a cybercriminal might create an app that looks exactly like the McDonald’s app, even selling it in app stores. Not only will sensitive customer data be at risk with these apps, but the franchise will not be paid for orders made using that app and untrained employees could fall prey to honoring fake promotions and coupons.
These external cybersecurity attacks operate outside the corporate perimeter, but they can cause devastating damage to your business and brand.
4 Tips to Safeguard Small Businesses and Startups
Safeguarding your business against cyberattacks takes a multipronged approach. Although there are several best practices to follow, we recommend starting with the following:
- Take a Comprehensive View of All Possible Attack Surfaces
Cybersecurity teams often focus on the traditional corporate perimeter when deciding which organizational security measures to adopt. This is a fundamental step; however, to effectively secure your business, it’s important to catalog all possible attack surfaces that threat actors could target and exploit. These include what traditionally comes to mind – software, servers, applications, laptops, hardware, mobile devices, shared drives, etc. – but also third-party vendors, emerging technologies such as virtual reality and augmented reality devices, email tools, and social media sites.
Once you’ve identified all possible attack surfaces, you can work to identify and address the gaps in how each one is protected. This is an integral part of Digital Risk Monitoring, which combines human and artificial intelligence to continuously monitor and defend those attack surfaces.
- Limit Employee Access & Enforce Strict Password Protocols
When an employee has unfettered access to all accounts and information, you’re at greater risk of someone misusing or losing it. Limit employee access to the applications they need to do their job.
Let’s say an employee has access to banking information, website logins, and payroll data but only needs access to payroll data. If their device is compromised, your company has incurred unnecessary risk by providing access to tools the employee doesn’t need.
Combined with limited access, it’s important to enforce strict password protocols, which help protect those who genuinely need a wide range of access. Although the security industry historically recommended periodic password changes, research shows that mandatory change requirements lead to poor passwords. Adopt long, memorable, unique passwords or passphrases, and never reuse them across accounts. To manage a long list of complex login credentials, use a reputable password manager. We also recommend using an authenticator tool, single sign-on, or two-factor authentication for an extra layer of security.
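As an added illustration of the password guidance above (example code written for this post, not a ZeroFox tool), the following Python checker enforces length, rejects passwords found in a known-compromised list, and blocks reuse against an account's own history without storing any plaintext. The 16-character minimum, the account salt and the compromised-password list are all constructed assumptions; a real deployment would use a full breach corpus such as a Have I Been Pwned download in place of the tiny set shown here.

```python
import hashlib
import secrets

# Assumed policy threshold (the post recommends "long" passphrases but sets no number).
MIN_LENGTH = 16

# Constructed stand-in for a known-compromised password list. The list itself is
# public, so plain SHA-256 is fine here: the digest only keeps plaintext out of config.
KNOWN_COMPROMISED = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("Password123!", "Welcome2024", "letmein")
}

# Constructed word list for generating memorable passphrases; a real one would be
# a few thousand words long (e.g. the EFF diceware list).
WORDLIST = ["copper", "meadow", "lantern", "harbor", "violet", "granite",
            "saddle", "timber", "falcon", "orchid", "pebble", "canyon"]


def history_digest(password: str, account_salt: bytes) -> str:
    """Slow, salted digest used for the per-account reuse check.

    Salting per account means two accounts with the same password produce
    different history entries, so the history file cannot be cross-referenced."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               account_salt, 100_000).hex()


def check_password(password: str, account_salt: bytes, history: set) -> list:
    """Return the list of policy violations; an empty list means acceptable.

    history holds digests produced by history_digest() for this account."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(set(password)) < 5:
        problems.append("too repetitive")          # e.g. 'aaaaaaaaaaaaaaaaaa'
    if hashlib.sha256(password.encode("utf-8")).hexdigest() in KNOWN_COMPROMISED:
        problems.append("appears in a known-compromised password list")
    if history_digest(password, account_salt) in history:
        problems.append("reused from this account's password history")
    return problems


def generate_passphrase(words=WORDLIST, count=4, sep="-") -> str:
    """Build a long, memorable passphrase from randomly chosen words.

    secrets.choice is a CSPRNG; random.choice would be predictable."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)                 # stored alongside the account
    history = {history_digest("copper-meadow-lantern-harbor", salt)}
    for candidate in ("Password123!", "copper-meadow-lantern-harbor",
                      generate_passphrase()):
        print(candidate, "->", check_password(candidate, salt, history) or "OK")
```

The reuse check deliberately uses a salted, iterated digest rather than a fast hash, because a password-history file is a list of secrets the account holder has actually used and must not be cheaply reversible if it leaks; the compromised-list check can use a fast hash because that list is already public.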
- Train Employees on Cybersecurity Measures in Place
Securing your data and devices requires active planning and ongoing education. Unfortunately, we often hear about organizations implementing these strategies only after a cyberattack has occurred. Competing priorities can postpone proactive security planning, but in the long run, having an action plan and informed staff will save time, money, and frustration.
Before an attack, communicate the expectation of continual device and software updates, data encryption, and security apps for mobile devices. These simple steps can help prevent threat actors from exploiting vulnerabilities that security patches and updates aim to address.
Employees should also be trained to recognize the common tactics criminals use to extract personal information or corporate credentials. See that Facebook post asking about your first pet? Or that online quiz that will tell you which celebrity you’d pair with? This type of content mines the same themes people commonly draw on for security questions and passwords.
Phishing and spear phishing attacks aren’t technologically sophisticated. Instead, they rely on human behavior and psychology to manipulate people into sharing information that seems innocuous but often allows threat actors to obtain private data. Because these scams are so ubiquitous, employees should also undergo frequent phishing email training and tests.
- Keep Your Ear to the Ground
You need to be where your customers are and see what they are seeing. Setting up Google Alerts for your business is a good place to start. Include relevant names, including misspellings, of your business entities and employees.
Keep an eye on your social media channels, and monitor for impersonations beyond your own pages. Although the Metaverse is still evolving, our Cyber Intelligence Team is seeing threat activity across the technologies and components that make up this virtual environment.
It’s easy to get caught up in your day-to-day operations and firefighting and forget to check in on your social media accounts for unusual activity or comments. The reality is continuous monitoring – whether in-house or outsourced – helps protect your brand from damaging posts or imposters.
Monitoring regular intelligence news can also help defend against large-scale attacks on third-party vendors. For example, if your online conference tool is breached, as a customer, understanding the situation and how it could impact your business will help inform what additional security steps, if any, need to be taken.
Put Knowledge to Work for Your Small Business
In the words of the science fiction novel Dune, “Fear is the mind-killer.” Adversaries count on businesses to procrastinate when it comes to cybersecurity. They exploit fear and a sense of urgency to push people to act impulsively. Unfortunately, humans make mistakes, and it’s difficult to stay guarded 24/7/365. Fortunately, businesses of all sizes can implement strong security hygiene and regular employee training to defend against these common tactics. Protecting yourself and your organization in the ever-expanding digital world should be a key part of your business strategy, whether you are a startup, an established company, or a business experiencing rapid growth.
Knowing how to create that strategy when the adversary is a moving target can be trickier. Check out the ZeroFox library of Threat Intelligence reports to keep up with emerging risks.
To understand your unique risk, you can also check out our online Digital Risk Assessment to start planning how to better protect your organization.