BLOG: Small Businesses Vulnerable To Cyber Attacks

Ransomware and cyberattacks have seen a significant increase in intensity and frequency within the last few years, this has further increased due to a largely remote model during the pandemic. As businesses depend more on technology infrastructure and cloud operations, the vulnerabilities of these systems are being exploited by cybercriminals. While cyberattacks reported in the media mainly focus on large corporations, the reality is small businesses, with fewer resources and less technical expertise, are often seen as easy targets for cyberattacks.

Small businesses often have fewer resources and lack security expertise, which leaves them more vulnerable to spear-phishing attacks, and cybercriminals are taking advantage. 59% of small business owners with no cybersecurity measures in place believe their business is too small to be attacked, but statistics and cyber incidents show us that this is simply not true.

Last year, small businesses were three times more likely to fall victim to fraudulent activity than larger businesses. The average loss from a single cyberattack has exploded from $34,000 (£29,372.09) to just under $200,000 (£172,777.00). In addition to financial hits, these companies have had to shoulder legal fees, compliance penalties, reputational damage and the loss of customers. These are setbacks that many small businesses are unable to recover from, the lifecycle of such incidents can extend up to a year.

In February of this year, it was noted that due to COVID there had been a spike in the number of cyberattacks from hacker groups. Allegedly there was a 600% increase in cyber crimes due to the pandemic, and a whopping 667 million new malware detections were discovered worldwide during 2020.

Cybersecurity researchers found that 42% of small businesses experienced a cyberattack in the last year and younger business owners are 1.8x more likely to be concerned about cyber threats. Small businesses need to be more understanding of their susceptibility to being targeted by threat actors and the benefit of implementing protection against cyberattacks.

There are countless types of cyberattacks, but social engineering attacks like phishing and denial-of-service attacks are the most common types impacting small businesses. Internet Live Stats alleges that more than 145TB of internet traffic takes place each second, this statistic becomes even scarier when we understand that it has also been reported that in 2022, businesses around the globe face a ransomware attack every 11 seconds.

What attacks are small businesses susceptible to?

• APT: An advanced persistent threat is a long-term targeted attack in which a hacker breaks into a network in multiple phases to avoid detection. Once an attacker gains access to the target network, they work to remain undetected while establishing their foothold on the system. If a breach is detected and repaired, the attacker may have already secured other routes into the system so they can continue to plunder data.
• DDoS: A distributed denial-of-service attack occurs when a server is intentionally overloaded with requests until it shuts down the target’s website or network system.
• Inside attack: An inside attack occurs when someone with administrative privileges, usually from within the organization, purposely misuses their credentials to gain access to confidential company information. Former employees present a threat, particularly if they left the company on bad terms. Businesses should have a protocol in place to revoke all access to company data immediately when an employee leaves the business.
• Malware: Types of malware include viruses, worms, Trojans, ransomware and spyware. Knowing this is important because it helps you determine the type of cybersecurity software you need.
• Man-in-the-middle attack: Threat actors using this method install malware that interrupts the flow of information to steal important data. This is generally done when one or more parties conduct the transaction through an unsecured public Wi-Fi network, where the hacker has installed malware that sifts through data.
• Password attack: There are three main types of password attacks: a brute-force attack, which involves guessing at passwords until the hacker gets in; a dictionary attack, which uses a program to try different combinations of dictionary words; and keylogging, which tracks a user’s keystrokes, including login IDs and passwords.
• Phishing: Phishing attacks involve collecting sensitive information like login credentials and credit card information through a legitimate-looking website that’s often sent to unsuspecting individuals in an email. Spear phishing, an advanced form of this type of attack, requires in-depth knowledge of specific individuals and social engineering to gain their trust and infiltrate the network.
• Ransomware: A ransomware attack infects your machine with malware and demands a ransom, this is typically through bitcoin. Usually, ransomware either locks you out of your computer and demands money in exchange for regaining access, or it threatens to publish private information if you don’t pay a specified amount.
• SQL injection attack: Through a successful SQL injection attack on your servers, bad actors can access and modify important databases, download files, and even manipulate devices on the network.
• Zero-day attack: A zero-day attack is an unknown flaw and exploits in software and systems discovered by attackers before the developers and security staff become aware of any threats. These exploits can go undiscovered for months or even years until they’re discovered and repaired.

How can this be helped?

Cybercrime is getting more sophisticated, and businesses need to find suitable solutions. Regardless of the size of the business, taking a laissez-faire approach to protecting your business is not but as the word implies, cybersecurity is designed to keep your business digitally secure.

To understand how Orpheus Cyber can help in implementing procedures to support your business, click here.