One thing that small and medium-sized businesses have in common with large enterprises is that cybersecurity remains a persistent and complex problem.
Hackers understand that SMBs are vulnerable when connected to the internet and that there is a market to monetize stolen data.
The proof is in the numbers released on Oct. 20 in the 2022 Small Business Cybersecurity Report by Comcast Business, which presented a window into the cybersecurity threats its small and medium-sized business customers face daily.
Research in its first annual cybersecurity report was based on data from the company’s Business SecurityEdge software and included security insights from its partner Akamai.
In the 12 months from July 2021 to June 2022, 55% of Comcast Business customers experienced botnet attacks, while nearly 50% had to contend with malware and phishing attacks. According to internet activity the researchers monitored, financial and high-tech brands were the most targeted by phishing scams at 41% and 36%, respectively.
“Attackers do not just target large enterprises. Recent reporting shows companies with less than 100 employees are three times more likely to be the target of a cyberattack — yet, often lack sufficient cybersecurity measures and resources to manage their risk,” said Shena Seneca Tharnish, VP for cybersecurity products at Comcast Business.
Still, all is not lost for SMBs despite the disturbing escalation in digital attacks, according to Ivan Shefrin, executive director at Comcast Business. They have several strategies to use besides business-strength software security platforms.
“These attacks are not ransomware and email compromise; they are not things experienced by just large government organizations or corporations with highly valuable secrets to steal. This is really in the face of every business today,” Shefrin told the E-Commerce Times.
Why SMBs Are Prime Phishing Targets
By educating employees and implementing tools like anti-virus programs, firewalls, and network security solutions, SMBs can help protect their employees and customers from the mercurial array of cybersecurity threats. But turning on a firewall or plugging in a network security platform alone will not fully help all businesses stay safe, warned Shefrin.
His company’s business security software secures employee and guest devices when connected to the network, automatically scanning and refreshing every 10 minutes to identify new risks, making it simple for SMBs to get foundational protections that are effortless to use, he maintained.
Jonathan Morgan, vice president of Network Security Product Management at Akamai, said, “Cybercriminals are always looking for ways to target and disrupt businesses. Unfortunately, small and mid-size organizations are especially vulnerable because they may lack the security resources and expertise to combat these threats.”
One of the top catalysts in the rise of attacks against SMBs is email phishing, which today is a common path leading to a data breach and ransomware, Shefrin offered.
Stolen credentials often result from bad actors getting user details from responses to email inquiries that trick users into clicking links leading to compromised websites designed to appear legitimate.
“You can go on the dark web and buy stolen credentials at very low price points. It is very easy to buy, and you do not have to have any technical experience to do this,” he asserted.
Successful phishing attacks can also damage or disrupt devices or provide unauthorized access to a company’s network to install bot software on computers secretly. Once installed, bots can be remotely controlled or installed on other computers. Networks of bots can find and steal valuable information, launch distributed denial of service (DDoS) attacks, and perform other malicious activities.
Safe Computing Practices and Education
Although small businesses lack the resources large enterprises enjoy to defend themselves online, SMBs can avoid becoming cybercrime victims by following proven, safe computing practices.
Start with avoiding commonly exploited vulnerabilities, suggested Shefrin. Regardless of the operating system used — Windows, macOS, or Linux — they all get regular software updates that patch discovered code vulnerabilities. Leaving your system unpatched is like leaving a hatch opened on a submarine.
“If you do not keep those patched and up to date, they are vulnerable to being exploited and letting the bad guys and botnets, which are remote networks, into your computers,” noted Shefrin. “There are thousands or even millions of compromised computers unpatched. The bad guys got in to install something.”
He added that SMBs could sidestep nearly all attacks by bad actors by following two primary areas of safe computing.
One, every business, no matter what size, should require its employees and contractors to go through cyber awareness training or cybersecurity awareness training that revolves around email phishing and how to avoid it.
Secondly, solutions exist for everything in cybersecurity technology. Find the proper tech security controls to scan emails and attachments for viruses, malware, and spam to protect against data loss.
‘No-Distraction’ Rule for Email
On a personal note, Shefrin shared that one of his primary behaviors with email is not to open files and click on email links when attending meetings or being distracted.
“Opening an email while you are in meetings or otherwise distracted is equivalent to driving while texting,” he said, adding that he rarely sees that tip presented in cyber awareness training.
His reason for following the no-distraction rule makes sense for businesses. Reading emails has to involve determining real versus fake senders and whether the sender is within your organization or from an external source that might be unreliable.
“This requires actually looking at the sender domain name and address or deciding whether to open the email header message because it is a similar-sounding domain,” explained Shefrin.
Prevalent Phishing Tactics
Spear phishing is particularly productive for digital thieves looking for a way into business computers. Masquerading as a trusted person or familiar business, criminals target specific individuals in a company to try getting access to information that makes it easier to slip into the network, cautioned Shefrin. When you doubt a sender’s authenticity, pick up the phone and call to confirm.
Another trick hackers use is to embed images, logos, or video links with hidden code. When you click on the content, you unleash all sorts of coded miseries that snoop through files or do worse things to acquire or destroy your content.
Most email platforms have the option to load images by default. That can be deadly for businesses. Turning off the show images feature prevents any curiosity clicking that would activate rogue code, Shefrin advised.