Cyber Risks Facing Small Businesses
It doesn’t really matter whether your business is a “one man shop” or an international mega-corporation — if you have a website, email address, or internet connection, hackers will target your business.
And if the hackers successfully breach your company’s systems, the damages can be severe. Data breaches cost businesses globally an average of $4.24 million a year, according to data from IBM and the Ponemon Institute’s 2021 Cost of a Data Breach Report. And the average data breach cost for U.S. businesses is more than double that: $9.05 million!
But there’s good news: most cyberattacks are predictable and can be prevented, and you don’t even need a huge budget or 24/7 cybersecurity team to protect your business.
In this article, we’ll show you several of the most common cyber risks businesses face, highlight real-life businesses that were impacted by them, and then provide 10 steps you can take to avoid being the next victim.
What Is a Cyber Risk? Cyber Risks Explained
Cyber risks are the potential damages or devastating outcomes that result from cyber threats exploiting vulnerabilities. Much as the name implies, cyber threats are elements or entities that are poised to cause harm to your company or customers in some capacity (accidentally or intentionally). Basically, it’s something that you must protect your organization against by mitigating vulnerabilities.
Cyber threats are typically divided into three main categories:
- Internal threats (intentional or unintentional compromise)
- External threats (hackers and other cybercriminals), and
- Non-human threats (such as natural disasters).
Vulnerabilities are weaknesses that exist within your IT environment. Bad guys use them to gain access to your network to find other weaknesses they can capitalize on.
Why Cyber Risks Are a Big Deal for Every Business
Of course, attackers' specific goals vary, but in general they aim to:
- Steal or destroy your data.
- Damage your reputation.
- Embarrass you or your organization.
- Carry out a political or social agenda.
- Cause general havoc for other purposes.
As you can imagine, all of these things are threats that pose risks to your business. They can result in:
- Reputational damages
- Loss of consumer trust
- Loss of business and future revenue
- Noncompliance fines and penalties
- Lawsuits and other related issues
Now that we know what cyber threats and risks are and how they relate to each other, let's explore five preventable cyber risks and 10 steps you can take to avoid them.
Cyber Risk #1 to Avoid: Falling for Phishing Attacks
If you’ve ever gotten an email claiming to be from a respected company or organization (like Amazon or Microsoft) that was clearly a fake — congratulations, you’ve gotten a phishing email. Here’s an example of one I’ve received recently:
It’s no secret that phishing is a favorite cyber attack tool of cybercriminals, yet companies around the world continue to fall prey to phishing tactics every day.
Verizon’s 2021 Data Breach Investigations Report (DBIR) data shows that phishing was involved in 36% of the breaches their researchers analyzed in 2020. Needless to say, you’d think that companies and their employees would take these attacks more seriously and step up their security game.
Sending phishing emails, for example, is a way that bad guys can trick or manipulate employees into giving up their login credentials. It’s also a way to get malware onto their devices — and, by proxy their employers’ networks — by getting users to engage with infected attachments or click on malicious links.
Let’s explore a recent phishing attack to see what happened and how it could have been prevented.
A Real-World Example of This Preventable Cyber Risk: UC San Diego Health
On July 27, 2021, the University of California San Diego Health System announced that an attacker had access to the personal data of the institution’s employees, students and patients. Their security notice said that an attacker gained access to employee email accounts that contained a wide variety of sensitive information, including:
- Personally identifiable information (PII) such as names, social security numbers, dates of birth and contact information.
- Login information such as usernames and passwords.
- Personal health information relating to diagnoses, conditions, and treatments.
- Payment and bank-account-related information.
How This Situation Occurred: One (or More) Employees Got Reeled In via Phishing
According to a report by Bleeping Computer, an unnamed attacker gained access to the institution’s network for more than four months because of a successful phishing attack.
According to UC San Diego Health’s statement, attackers gained access to “some” employees’ email accounts, although they don’t specify how many accounts were compromised or how the unauthorized access occurred.
The healthcare institution states that they carried out remediation efforts to enhance their security procedures and processes, but those things should have ideally been done before the attack to have prevented it from happening in the first place.
Doing it after the event is like waiting to install a lock on your door until after your home has already been burglarized.
Cyber Risk #2 to Avoid: Publishing or Otherwise Spreading Malicious Software
Malicious software, or what’s commonly known as malware, is nasty software or code that bad guys use to do everything from steal account credentials (usernames and passwords) to encrypt, steal or destroy your sensitive data.
Verizon’s 2021 DBIR data shows that malware was involved in more than 70% of data breaches involving system intrusions.
Malware is a common attack method that helps cybercriminals access your company's IT infrastructure and larger network. Common ways that attackers install or spread malware include:
- Embed malware into malicious ads (malvertising) on legitimate websites.
- Use watering hole attacks that auto-download malware onto unsuspecting users' devices.
- Hijack legitimate websites and install malware on them.
- Send malicious attachments or links in phishing emails and text messages (smishing).
- Install malware directly onto your endpoint devices or network by exploiting known vulnerabilities.
- Carry out supply chain attacks to hijack legitimate software, patches and updates.
When small businesses and startups think about malware, they usually picture themselves as the target of the attack. However, as the last bullet point on the list above indicates, sometimes your organization is simply the means to an end for attackers rather than the larger goal. Having this happen can actually be far worse than being the main attack target.
As an unwitting accomplice to the crime, your company stands to lose customer trust and you can probably expect to find yourself slapped with a nasty lawsuit!
A Real-World Example of this Preventable Cyber Risk: SolarWinds
The SolarWinds SUNBURST cyber attack is the perfect example of a far-reaching supply chain attack. Cybercriminals were able to use the company's legitimate updates for its Orion Platform software as vehicles to install malware on other organizations' computers.
The updates were pushed to more than 18,000 customers — organizations that include U.S. federal agencies, Department of Defense (DoD) contractors, and numerous Fortune 500 companies.
Bad guys were able to access the company’s network and development server, allowing them to insert malicious code into their software updates on the back end. By doing this, they were able to infect SolarWinds’ software updates before the company signed them using code signing certificates.
According to the Associated Press (AP), the attackers’ access to SolarWinds’ IT systems is thought to date back to as early as January 2019. If true, this means the attackers had access several months earlier than previously reported by SolarWinds.
How This Situation Occurred: Weak Password Security Measures
It’s thought that the hackers gained access to the SolarWinds update server by exploiting a weak password, solarwinds123, which had been set by an intern years before and uploaded to a GitHub Repository.
It's easy to blame the unnamed intern for making such an egregious mistake — which SolarWinds' former CEO Kevin Thompson most certainly did during a joint Oversight and Homeland Security Committees hearing.
But the reality is that an inexperienced intern isn't the only one at fault. The company should have caught this mistake, because it's likely that the student wasn't the only one with access to that password.
What makes this situation worse is that a cybersecurity researcher named Vinoth Kumar did catch it and reported it to the company on Nov. 19, 2019. However, as ZDNet reports, that password had been in use since 2017 — two years before Kumar discovered and reported the vulnerability — and had been published on GitHub since June 17, 2018.
Suppose the company had taken steps to secure its server by enforcing their security policies and procedures that would have blocked the creation of such a weak password. In that case, it’s likely that this situation could have been avoided.
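The kind of policy enforcement described above can be automated at the point where a password is set. The following is an added example written for this article, not SolarWinds code; its minimum length, small denylist, and "context words" (company or product names that should never appear in a password) are assumptions chosen for illustration, and a real deployment would load a large breached-password list instead of the handful of entries shown here.

```python
"""Password-policy check that would reject a password like the one described above.

Added example, not SolarWinds code. The minimum length, the small denylist and the
context words (company or product names) are assumptions chosen for illustration.
"""
import re

MIN_LENGTH = 14                      # assumed policy minimum
# Constructed denylist; a real deployment would load a large breached-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}


def _is_sequential(digits: str) -> bool:
    """True for runs like 123 / 4567 / 987, which add almost no guessing resistance."""
    return len(digits) >= 3 and (digits in "0123456789" or digits in "9876543210")


def check_password(password: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    lower = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Strip a trailing digit/symbol suffix so "welcome2021!" still matches "welcome".
    core = re.sub(r"[\d\W_]+$", "", lower)
    if lower in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("matches a common password (ignoring trailing digits/symbols)")

    # Company or product names are the first thing a guesser tries against that company.
    for word in context_words:
        if word.lower() in lower:
            problems.append(f"contains the context word '{word}'")

    trailing_digits = re.search(r"\d+$", password)
    if trailing_digits and _is_sequential(trailing_digits.group()):
        problems.append("ends with a sequential digit run")

    if len(set(password)) < 6:
        problems.append("uses too few distinct characters")

    return problems


if __name__ == "__main__":
    for candidate in ("solarwinds123", "correct-horse-battery-staple-9"):
        result = check_password(candidate, context_words=["solarwinds"])
        print(candidate, "->", result or "accepted")
```

Run it as-is to see the two sample candidates evaluated; wire `check_password` into whatever sets credentials (a user-creation script, a configuration-management template, a CI check on committed config files) so that a weak value is rejected before it ever reaches a server or a repository.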
Supply chain attacks involving large organizations are serious, but they’re not the only ones being targeted. These attacks often target small to medium-sized enterprises because they have fewer security resources and make great attack conduits. This is why all businesses — large and small alike — need to do everything within their power to keep their systems as secure as possible.
Cyber Risk #3 to Avoid: Having Data Altered, Stolen or Published via Data Breaches
Whether it’s your customers’ personal information or your intellectual property, there’s information your company never wants to have fall into the wrong hands. Data breaches are a big and costly issue. In the U.S. alone, IBM and the Ponemon Institute report that the average cost of a data breach for U.S. businesses is $9.05 million — more than double the average total costs faced by businesses globally.
Data breaches cause a litany of issues for companies and their customers:
Stolen proprietary data can be used by the attackers, sold to your competitors, or published online to cause additional harm to your brand name and reputation. There’s also the issue of being non-compliant with privacy and data security regulations.
Stolen personal information can be used to carry out a slew of cybercrimes ranging from fraudulent purchases to identity theft. This takes an obvious toll on the trust your customers place in your company and may lead them to take legal action against you.
A Real-World Example of This Preventable Cyber Risk: Microsoft Exchange Servers
In March 2021, Microsoft announced that a group of Chinese hackers named Hafnium gained access to the company’s Exchange 2013, 2016 and 2019 servers.
Microsoft’s Exchange systems, which businesses globally use for everything from email to websites, typically operate within individual companies’ networks.
This gave the attackers the ability to access the companies’ sensitive emails and other sensitive information. It also allowed them to install malware that they could use to spy on those companies. Once Microsoft’s Threat Intelligence Center (MSTIC) realized what happened, they worked quickly to release security updates to fix the issue for customers running Exchange servers.
How This Situation Occurred: Undisclosed Vulnerabilities
According to Microsoft's announcement, the attack was carried out by a Chinese hacker group known as Hafnium. The group's distinctive attacks typically involve the following three steps:
- The attackers fraudulently gain access to admin accounts. The attackers use weak or stolen administrator passwords, or they exploit zero-day vulnerabilities to gain access to privileged accounts. In this situation involving the breach of Microsoft’s Exchange systems, the attackers exploited four vulnerabilities — all of which Microsoft quickly fixed — to gain access to the company’s server.
- They deploy web shells to access the compromised server remotely. In general, a web shell gives attackers remote access to your compromised system. They can use this access to execute malicious code, steal data, deploy malware, or gain access to other devices on the same network. In this situation, the attackers used the vulnerabilities to deploy web shells onto the compromised Exchange servers to have access in the future.
- They use that remote access to exfiltrate data from the compromised company’s servers. With access to the compromised servers, Microsoft reports that the attackers had the ability to steal data, including offline address books.
Microsoft says they were notified about the hacking activity by researchers at Volexity and Dubex. However, according to research and an attack timeline by Brian Krebs, Microsoft knew about four zero-day exploits in their Exchange systems two months before the attacks occurred.
If Microsoft had addressed the reported vulnerabilities when they were first notified about them, they likely would have avoided this breach altogether.
Cyber Risk #4 to Avoid: Having Your Website Hacked
Sitelock’s 2020 Annual Security Review reports that websites sustain an average of 95 attacks a day!
Their research, which analyzed seven million websites, shows that website attacks are up 52% over their previous year’s report. And for some businesses, it only takes one successful attack to close their doors indefinitely.
Here’s an example of a website that was hacked, with the information not only being altered but also used to carry out a cryptocurrency scam:
Bad guys are always looking for chinks in your website’s armor — vulnerabilities that they can use to gain access to your site’s back end. Four of the most common vulnerabilities include:
- Outdated versions of software, plugins and extensions.
- Security misconfigurations.
- SQL injection vulnerabilities within web apps and forms.
- Poor password security (i.e., easy-to-guess credentials that can be brute forced).
Of course, even if you think things are settled after an initial website hack, that may not be the case. Threat actors sometimes install malware onto the website’s servers to create backdoors that they can use to access your website in the future.
A Real-World Example of This Preventable Cyber Risk: Local Government Bill Payment Websites
If you’re like many people nowadays, online billing is now a regular part of your financial routine.
What happens when someone hijacks your home’s online utility payment transactions? This scenario is happening more frequently.
Everything from ecommerce websites to city government sites have experienced Magecart attacks. In June 2020, Trend Micro reported that eight undisclosed cities in three U.S. states were the targets of digital skimming attacks targeting their bill payment systems.
Magecart refers to both digital skimming attack techniques as well as the groups of threat actors that use them. Digital skimming entails injecting malicious code into hacked websites’ forms to steal customers’ PII and credit card information.
How This Situation Occurred: Hackers Inject Code Into Click2Gov Payment Forms
This trigger would cause the skimmer to capture select information from the payment form. The data that is then exfiltrated to external servers includes:
- Residents’ PII (names and addresses), and
- Payment card data (card numbers, CVVs, and expiration dates).
The company reports that all of the payment transactions were processed using Click2Gov, a utility bill payment processing software that many local governments across the U.S. use. It appears that the code was written specifically to target Click2Gov payment forms and required no anti-debugging or obfuscation tactics.
Although this cyber risk example focuses on local governments’ websites, digital skimmers are frequently used to steal information from large and small organizations. While large enterprises make appealing targets, they’re often more difficult to compromise than small businesses and startups that have fewer security resources.
If your company isn’t aware of IT security best practices and credit card skimmer attacks, you may find yourself the next victim of a Magecart attack.
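One practical defense against the form-injection technique described in this section is to keep a baseline of every script a payment page is supposed to load and to re-check the live page against it. The following is an added example written for this article, not Trend Micro or Click2Gov code: the sample checkout page, the allowed CDN host, and the approved inline script are all constructed for illustration. Any external script from a host that is not on the allowlist, and any inline script whose hash is not in the approved set, is reported.

```python
"""Script-integrity audit for a payment page: flags script sources not on an allowlist
and inline scripts whose hash is not in an approved baseline.

Added example, not Trend Micro or Click2Gov code. The sample page, the allowed host and
the approved inline script are constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf).strip())
            self._in_inline = False


def script_hash(code: str) -> str:
    """SHA-256 of an inline script body; the baseline stores one of these per approved script."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def audit_scripts(html: str, allowed_hosts, approved_hashes) -> list:
    """Return (kind, detail) findings for every script the baseline does not explain."""
    collector = _ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = urlparse(src).hostname
        if host not in allowed_hosts:
            findings.append(("unapproved_host", host))
    for code in collector.inline:
        digest = script_hash(code)
        if digest not in approved_hashes:
            findings.append(("unapproved_inline", digest))
    return findings


# Constructed checkout page: one approved CDN, one unknown host, one approved inline
# script and one inline script that was never part of the baseline.
SAMPLE_PAGE = """<html><body>
<form id="pay"><input name="card"><input name="cvv"></form>
<script src="https://cdn.example-payments.test/checkout.js"></script>
<script src="https://static.unknown-host.test/extra.js"></script>
<script>console.log("page ready");</script>
<script>window.__x = 1;</script>
</body></html>"""

ALLOWED_HOSTS = {"cdn.example-payments.test"}
APPROVED_HASHES = {script_hash('console.log("page ready");')}


if __name__ == "__main__":
    for finding in audit_scripts(SAMPLE_PAGE, ALLOWED_HOSTS, APPROVED_HASHES):
        print(*finding)
```

Run this on a schedule against the served page (not the source in your repository), since a skimmer injected through a compromised server or plugin only shows up in what visitors actually receive. A finding is a change to investigate, not proof of compromise: a legitimate deployment also produces new hashes, which is why the baseline must be updated as part of the release process.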
Cyber Risk #5: Becoming the Victim of a Ransomware Attack
Ransomware attacks are becoming more commonplace every year and target everyone from private individuals and small businesses to large corporations. The FBI’s Internet Crime Complaint Center (IC3) reports that ransomware accounted for adjusted losses of nearly $30 million in 2020.
But this is only for known and reported attacks and losses — this number doesn’t account for losses resulting from unreported attacks or reports that didn’t include losses.
Ransomware attacks are cyber attacks that typically involve bad guys infecting a company's systems and networks via malware. Malware is commonly deployed via one of the following three tactics:
- Direct attacks (e.g., by using compromised credentials to carry out remote desktop protocol attacks),
- Tricking employees via phishing and spear phishing attacks into engaging with malicious software or links, or
- Using third parties’ platforms to deploy ransomware via supply chain attacks.
Data from Verizon's 2021 DBIR also indicates that ransomware was present in 10% of the data breaches their researchers analyzed in 2020, which is double the previous year's count. Why the jump? Because threat actors are increasingly stealing and publishing victims' data online instead of "just" encrypting it, as attackers commonly did in years past. Verizon also reports that ransomware accounted for 5% of the total cyber incidents they studied from 2020.
A Real-World Example of This Preventable Cyber Risk: Colonial Pipeline
In May 2020, critical infrastructure at Colonial Pipeline, the U.S.'s largest fuel pipeline, was taken offline due to a DarkSide ransomware attack. According to Bloomberg, the DarkSide ransomware group, now rebranded as BlackMatter, is also thought to have exfiltrated 100 gigabytes of data the day before the attack.
The following day, they used malware to lock the company out of its computers and made a ransom demand.
According to Colonial Pipeline’s May 8 statement:
“On May 7, the Colonial Pipeline Company learned it was the victim of a cybersecurity attack. We have since determined that this incident involves ransomware. In response, we proactively took certain systems offline to contain the threat, which has temporarily halted all pipeline operations, and affected some of our IT systems. Upon learning of the issue, a leading, third-party cybersecurity firm was engaged, and they have launched an investigation into the nature and scope of this incident, which is ongoing. We have contacted law enforcement and other federal agencies.”
The company started to bring specific parts of its pipeline back into operations over the next week, returning to full operations and transportation levels by May 17.
According to a U.S. Department of Justice press release, the U.S. government seized 63.7 bitcoins (valued at approximately $2.3 million) from a crypto wallet that is thought to have been controlled by the ransomware group.
There is a silver lining from this situation: the U.S. Department of Homeland Security has since released two Security Directives for pipeline owners and operators that define new cyber security requirements.
How This Situation Occurred: Compromised Credentials
Not much is known for certain regarding how the ransomware attack occurred, although there's lots of speculation. A May 13 CNN article says the attack resulted from a spear phishing attack.
Almost a month later, another Bloomberg article reports that it was caused by attackers using a compromised password for an account that gave them access to the company’s network.
The password had been previously published online in a data breach, and the compromised account lacked additional authentication security measures such as multi-factor authentication (MFA).
Regardless of whether the attackers gained the password via a spear phishing attack or if they simply found the breached credentials published online, the takeaway here is that the resulting ransomware attack and data breach likely could have been prevented had the company’s “human firewall” been stronger and if they’d used better account security measures.
10 Ways to Protect Your Organization Against These Cyber Risks
The good news here is that there are steps you can take to prevent each of these cyber risks. And don’t worry, these preventative measures don’t require you to have a massive cybersecurity budget. Rather, they require implementing a handful of basic cybersecurity precautions and changing how your organization regards cybersecurity in general.
1. Make Cybersecurity & Cyber Risk Management a Priority from the Top
IBM’s 2021 Cost of a Data Breach Report shares that the average cost of lost business was $1.59 million. This constituted the largest share of data breach-related costs (38%) in 2020.
These numbers underscore the importance of having strong cyber defenses in place to help prevent many of the security issues that result in these costs.
But for cyber security and risk management to be effective, they must:
- Be a leadership priority of your organization. If security initiatives lack support at the top, they’re less likely to get the financial support and resources they need to succeed.
- Be an organization-wide initiative rather than just an IT one. Cyber risks have far-reaching implications and pose significant threats to your business in terms of compliance, your reputation within the industry, and your ability to foster customer trust.
All of these things can have a negative impact in terms of growth and revenue-generating opportunities. This is why organizations need to take a more holistic approach to cyber security across the board and ensure that everyone is doing their part to keep your business and its valuable data secure.
2. Provide Mandatory Cyber Awareness Training to All Network Users
Although there’s no one-size-fits-all way to mitigate human-related risks, education is a critical component of your company’s cyber defenses. Cyber awareness training should be required for all network users to complete — interns, contractors, employees (secretaries and company executives alike).
Basically, if a user touches your network in any capacity, then they need to know how to do so safely and securely. Five key areas to cover include:
- Common types of cyber attacks, including phishing, and how they work.
- Cyber security policies, procedures, and compliance considerations that they need to know.
- Account and password security best practices and protocol, including the use of passphrases instead of passwords, MFA, and other additional account security measures.
- How to report suspicious activities and issues (i.e., what to do after clicking on a malicious link or losing a work device).
- Who they can reach out to with security-related questions or concerns.
In addition to training them, you should also perform regular phishing tests as well to see how well your users are applying their knowledge. This method also enables you to identify user knowledge gaps you can address in future trainings.
3. Use Access Controls to Limit Exposure Risks
Identity and access management (IAM) is a sector of technologies and policies surrounding secure access controls and authentication. Its purpose is to ensure that only authorized users can access sensitive systems and data by first proving their identities (i.e., prevent unauthorized access).
IAM includes using security measures to control:
- Physical access (such as through the use of smart ID cards, security systems, cameras, etc.).
- Remote access (such as by assigning roles and permissions to specific user profiles that they can use to log in to your systems digitally using their usernames and passwords).
Of course, most access controls are only useful if users take steps to keep those accounts secure. This is where the next tip comes into play…
4. Implement Secure Authentication Mechanisms
Using passwords alone no longer cuts it when it comes to account security. IBM’s 2021 Cost of a Data Breach Report data shows that one-in-five breaches in 2020 resulted from compromised credentials!
Considering that Keeper Security's 2021 Workplace Password Malpractice Report also shows that respondents share their work passwords with colleagues (34%), managers (32%), or executives (19%), it should come as no surprise.
This is why you need to add another layer to the authentication process to make your accounts more secure. Two vital layers to add to your authentication process include:
- Implementing multi-factor authentication (such as requiring the use of an authentication mobile app that uses cryptography in the background to generate secure one-time security codes).
- Using passwordless authentication methods (such as installing client authentication certificates on authorized users' devices, which require a user to have physical possession of the device).
But what if someone still manages to compromise an authorized user's account? Say, they managed to trick the user into sharing their password via phishing, or they got lucky with a brute force attack. The security measures we mentioned should prevent access in most cases.
5. Implement the Least Privilege Principle
In the event that one of your authorized users’ accounts becomes compromised, you need to ensure that your exposure risks are minimized as much as possible. One way to do this is by implementing what’s known as the principle of least privilege (PoLP).
With PoLP, the idea is that you only give access to your critical IT systems and data to the people within your organization who need it to do their jobs.
Geoff in Accounting may need access to specific web apps or databases to perform his job. But it doesn’t mean that he needs access to other sensitive areas such as your website admin dashboard or Active Directory.
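A least-privilege policy is easiest to enforce when the access check is deny-by-default and every decision is logged. The following is an added example for this article, not code from the original: the roles, resources, permissions and the two users are constructed to mirror the accounting scenario above. Beyond the yes/no check, it also reports grants a user holds but has never exercised, which is the input a periodic access review needs.

```python
"""Deny-by-default, role-based authorization check that implements least privilege for
the kind of situation described above.

Added example; the roles, resources, permissions and users are constructed for
illustration and are not from the original article.
"""

# Role -> set of (resource, action) grants. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "accounting": {("ledger-db", "read"), ("ledger-db", "write"), ("expense-app", "read")},
    "web-admin":  {("website-admin", "read"), ("website-admin", "write")},
    "helpdesk":   {("active-directory", "read")},
}

USER_ROLES = {
    "geoff": {"accounting"},
    "priya": {"web-admin", "helpdesk"},
}


def granted_permissions(user: str) -> set:
    """Union of the grants from every role the user holds (empty for unknown users)."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user: str, resource: str, action: str, audit_log: list) -> bool:
    """Authorization decision; every decision is appended to the log for later review."""
    allowed = (resource, action) in granted_permissions(user)
    audit_log.append(("ALLOW" if allowed else "DENY", user, resource, action))
    return allowed


def unused_permissions(user: str, audit_log: list) -> set:
    """Grants the user holds but never exercised in the log: candidates for removal."""
    used = {(res, act) for decision, who, res, act in audit_log
            if who == user and decision == "ALLOW"}
    return granted_permissions(user) - used


if __name__ == "__main__":
    log = []
    print(is_allowed("geoff", "ledger-db", "read", log))        # True
    print(is_allowed("geoff", "website-admin", "write", log))   # False
    print(is_allowed("geoff", "active-directory", "read", log)) # False
    print(unused_permissions("geoff", log))
```

Repeated DENY entries for one user against one resource are worth a look in either direction: the user may genuinely need a grant, or an account may be probing for access it was never meant to have.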
6. Secure Your Software Applications, Endpoints, Network & IT Infrastructure
Verizon’s 2021 Data Breach Investigations Report (DBIR) data shows that lost and stolen devices accounted for 1,295 security incidents that they analyzed in 2020. Of those, 84 incidents resulted in confirmed data disclosures.
Your sensitive data is only as secure as the endpoint devices it’s stored on, the software applications that use them, and the network those devices and apps are connected to. If you don’t take steps to secure your infrastructure and network with multiple defense layers, then nothing else you do will matter.
The following six golden tips are typically implemented by SMEs to make their overall IT infrastructure and network more secure:
- Use a combination of anti-virus and anti-malware on your endpoint devices and network.
- Employ network firewalls to analyze your inbound and outbound traffic for data exfiltration and access from unknown IP addresses or geographic regions.
- Use intrusion detection and intrusion prevention systems (IDS/IPS) to identify abnormalities and client-side attacks and respond to them in real time.
- Adopt a zero-trust approach to security.
- Evaluate your website scripts regularly and follow website security tips and best practices.
- Evaluate your software for security issues (such as code alterations and new insertions) throughout the development process.
If you don't have these tools in house, that's okay. Third-party managed security service providers (MSSPs) often provide these services to small and medium-sized businesses whose IT teams don't have the in-house resources or skills to operate these systems.
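The firewall tip above (watching outbound traffic for exfiltration and for destinations in unexpected regions) can be turned into a simple review that runs over exported log lines. This is an added example for this article, not any firewall product's code; the log format, the allowed regions, the volume threshold and the four log lines are all constructed for illustration.

```python
"""Outbound-traffic review over firewall log lines: flags destinations outside the
regions the business expects and per-host volumes large enough to suggest exfiltration.

Added example, not any firewall product's code. The log format, thresholds, allowed
regions and the sample lines are constructed for illustration.
"""
from collections import defaultdict

# Assumed policy: this business only does business in the US and Canada, and more than
# 500 MB sent to a single external host in one review window is worth a look.
ALLOWED_REGIONS = {"US", "CA"}
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed log: timestamp, internal source, external destination, port, bytes out,
# destination region ("ZZ" is a placeholder for a region outside the allowed set).
SAMPLE_LOG = """\
2021-09-01T02:13:05Z 10.0.0.5 203.0.113.10 443 120000 US
2021-09-01T02:13:06Z 10.0.0.5 203.0.113.10 443 950000000 US
2021-09-01T02:14:00Z 10.0.0.7 198.51.100.23 22 5000 ZZ
2021-09-01T03:00:00Z 10.0.0.9 192.0.2.44 443 2000 US
"""


def parse_line(line: str) -> dict:
    """Split one whitespace-separated log line into typed fields."""
    ts, src, dst, port, nbytes, region = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port),
            "bytes": int(nbytes), "region": region}


def analyze(lines) -> list:
    """Return alert tuples of the form (kind, src, dst, detail)."""
    alerts = []
    totals = defaultdict(int)          # bytes out per (internal host, external host) pair
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        totals[(rec["src"], rec["dst"])] += rec["bytes"]
        if rec["region"] not in ALLOWED_REGIONS:
            alerts.append(("unexpected_region", rec["src"], rec["dst"], rec["region"]))
    for (src, dst), total in totals.items():
        if total > EXFIL_THRESHOLD_BYTES:
            alerts.append(("possible_exfiltration", src, dst, total))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(*alert)
```

The two rules are deliberately coarse; the value of a check like this for a small business is that it produces a short list of (internal host, external host) pairs to look at each day, which is far more likely to get reviewed than a raw firewall log. A large legitimate transfer (an off-site backup, for instance) will trip the volume rule, so the destinations of known jobs belong on an exception list.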
7. Keep Your IT Systems, Applications and Website Up to Date
Outdated software applications and firmware are the low-hanging fruit that threat actors love to target. These vulnerabilities are easy to find when cybercriminals can target IP ranges with vulnerability scans to find systems running unpatched tools.
Once they compromise one device on your network, they can use that access to scan other systems on that same network for vulnerabilities they can exploit.
To prevent bad guys from exploiting vulnerabilities, run regular vulnerability scans of your endpoints, web servers and general IT systems. Apply any applicable updates and patches that come from your trusted vendors only and not third parties. A few examples of things you’ll want to regularly patch or update include:
- All software and web applications.
- Firmware, operating systems and drivers.
- Website versions, plugins and extensions.
Also, be sure to replace any unsupported legacy systems and remove unused software or devices from your IT environment. They're soft targets in your cyber defenses that cybercriminals can use to gain access to your network.
Although it’s impossible to make yourself 100% secure against all types of cyber attacks, you can at least take unpatched vulnerabilities and outdated software off the table for bad guys to exploit.
8. Implement & Enforce Documented IT Security Policies & Procedures
Documenting your company’s internal policies and procedures is critical for both improving your cyber security and compliance. These resources serve as go-to guides and standards that help your IT team ensure that they’re doing everything within their power to keep your business, data and customers as secure as possible. They also inform users about the rules relating to securely accessing your organization’s sensitive IT assets.
Some of the areas your IT security policies and procedures documentation should cover include:
- IT systems and PKI management,
- User identification, authorizations, permissions and management,
- Password security (for both end users and admins),
- Device and data usage,
- Secure data backup storage and recovery, and
- Incident response.
The National Institute of Standards and Technology (NIST) Cybersecurity Framework is a great resource to help organizations “identify, assess and manage cyber risks.” This framework, which consists of three main components, provides pertinent information to help companies of any size apply principles and best practices that help to improve their cyber security and resilience.
Although this framework was created with critical infrastructure in mind, it’s still useful for everyone from small businesses to major corporations. It can help you develop and implement internal strategies, standards, guidelines, and security practices.
9. Create Business Continuity & Disaster Recovery Plans
A business continuity (BC) plan is a documented set of strategies and information that helps your organization maintain operations during an emergency. A disaster recovery (DR) plan, on the other hand, details what you need to do to enable your organization to recover from an emergency.
These plans are essential when things eventually go wrong — and things will inevitably go wrong at some point. This is why having BC and DR plans in place, and knowing that they’re current and reliable, is crucial to your organization’s security and general operations.
Of course, merely developing and documenting these plans is just one part of the equation. You also need to run through these plans regularly to ensure that:
- The plans contain updated information regarding roles and responsibilities.
- Everyone involved understands their role and has what they need to perform it.
- The plans can be executed to achieve the objectives — if not, take the time to update them in advance.
10. Securely Back Up Your Critical Infrastructure, Website and Other Data
Maintaining backups is a general cybersecurity best practice. Backups help you get your business back up and running when your primary IT systems and data are destroyed or otherwise compromised.
NIST offers guidance on secure backup storage in their Special Publication Security Guidelines for Storage Infrastructure (SP 800-209). Backup management involves specifying everything relating to:
- What gets backed up and how frequently.
- How many copies of the backups you need and in what media formats.
- Who maintains and tests the backups.
- How the backups are maintained (applicable policies, procedures, frameworks, controls, etc.).
- Where you want to store the copies (on-prem, in the cloud, in another geographic region).
- How the backups are secured against unauthorized access, theft and destruction.
Cyber Liability Insurance: Your Protection
Of course, there's another important item to consider that helps protect your business in other ways: investing in cyber insurance. Cyber liability insurance helps to protect large and small businesses against many types of liabilities — everything from data breaches to media liability claims.
The costs and liability coverages vary depending on the specific plan you choose based on your company’s needs.
Although this isn’t so much a prevention method, it’s a way to afford yourself some financial protection when things go wrong.