Technology Advisor Blog



Five Small Business Cybersecurity Threats You Can't Ignore

Posted by Ann Westerheim on 10/18/24 4:12 PM

Cybersecurity threats are a major concern for small businesses, especially phishing emails and ransomware attacks.  No! You're not too small.  These attacks can result in severe outcomes, including monetary losses, business interruptions, and harm to your company's reputation.

Understanding how these threats work and putting strong security practices in place can help you safeguard your company's valuable assets. This approach also enhances your business operations by seamlessly supporting the shift to more online activities.

Taking action now to protect your small business from cyber risks is a smart investment in your company's future.  Before a cyber incident, there are a lot of smart and affordable things you can do to help reduce risk.  After a cybersecurity incident event occurs, the repercussions are expensive.

1. The Phishing Menace: A Small Business Cybersecurity Nightmare

There is a lot of money in cybercrime, and cybercriminals will keep coming up with new ways to make money off people. Phishing emails are one of the biggest small business cybersecurity nightmares. A cybercriminal can send out millions of emails at virtually no cost, and they arrive in mailboxes all over the place.

What is a Phishing Email?

A phishing email is a fake message that looks real but is designed to trick you into giving away personal information, like passwords or financial details.  It might be a fake email from your bank asking you to log in because of some problem like a low balance, and by logging in you have handed over your credentials. It could also be an email tricking you into paying for something. The term "phishing" comes from the idea of "fishing" for information. Just like a fisherman uses bait to catch fish, cybercriminals use fake emails or websites as bait to "hook" people into giving up sensitive information, like passwords or financial details. The "ph" spelling is a nod to early internet culture, where hackers often replaced "f" with "ph." Given that the cost of sending out emails is just about nothing, cybercriminals get away with a lot.

The Evolution of Phishing Emails

The problem is that cybersecurity awareness training often tells people to watch out for suspicious emails. However, the threats have evolved, and the cleverest phishing emails don't look suspicious at first glance. What you can often look for is a sense of urgency: a message pushing you to act fast, usually dressed up as a spoofed (faked) brand you recognize.

Consider this example: "Your package delivery has been delayed. Please update your delivery details immediately to ensure it reaches you as soon as possible." Think about all the online shopping these days. People are pretty much always expecting a package to arrive.

I was in our local post office recently, and a woman came in and said she got a text message about a missed package.  The postmaster assured her it was a scam and there was no package for her.  During the 2023 holiday season, the number of malicious queries actually outweighed the legit traffic to the real post office site.  https://www.pcmag.com/news/usps-phishing-scam-package-cannot-be-delivered-texts

 

Educating Your Team to Spot Red Flags

As the first line of defense, it’s crucial to step back and consider how people think. Human reactions are shaped by evolution.

Imagine this: if a lion is about to attack, you react instantly—you don’t have time to analyze the situation. This fast, instinctive thinking is great for survival but not for every decision. Then there's a more deliberate, analytical way of thinking.

In moments of urgency or danger, that instinctive reaction kicks in—and that’s exactly what cybercriminals exploit. Training people to pause, even briefly, is incredibly powerful. The phrase "think before you click" matters because that simple pause engages the analytical mind, helping people make better decisions.

When you pause to "think before you click" you may slow down just enough to realize you're looking at a scam.

  • "Wait a second. I am waiting for a package, but it is not from the post office. I think it will get delivered via UPS."
  • "Yes, I do bank with Bank of America, but I just logged on to the account earlier today and everything was fine."

Helping people recognize that reactive type of thinking versus the more analytical kind makes a real difference. Creating a culture of security consciousness is also important. Talking to people about the different threats out there gives them a clearer picture of what to look for. Having an open conversation about cybersecurity, rather than a "gotcha" kind of culture, lets people learn from each other.

The Benefits of Simulated Phishing Exercises

Running simulated phishing exercises has a real benefit. Everyone thinks they would never click on one of those links. However, when you run a simulated phishing test where you send out a fake phishing email and see who clicks on it, it is a real eye-opener for folks. People realize they never thought they would click on something like that, but they did.

Technical Safeguards Against Phishing

Technical safeguards against phishing, such as email filtering and anti-spam solutions, are really important. We generally recommend that the mail gets filtered even before it gets into your environment, basically keeping it out of the environment. Multi-factor authentication for email accounts is also crucial. One of the most common phishing emails is one saying there is something wrong with your Microsoft account. Microsoft estimates 99.99% of security incidents that happen with Microsoft 365 involve accounts that don't have multi-factor authentication.

A Real-Life Example

We got a call from a local business a while back who was looking to put more security in place. They are in the greater Boston area and had been hit with a cyber incident. The organization had a solid focus on technology, but lacked robust cybersecurity safeguards. Their goal was to strengthen that area and build a more secure foundation.  The first thing we did was to start monitoring their Microsoft 365 environment for any possible signs of compromise.

2. Ransomware: The Growing Threat to Small Business Data

Ransomware is one of the biggest threats to small businesses. In a ransomware attack, hackers gain access to your systems and either encrypt your data or lock you out of it. A message pops up on the screen demanding payment in cryptocurrency to regain access to your data. These days, there's also secondary extortion, where the criminals threaten to leak your data or contact your clients if you don't pay. It's a nightmare for any business.

Why Small Businesses Are at Risk

Small businesses are at greater risk because most cyber attacks are random, not targeted. Millions of phishing emails are sent out, and if one of them leads to someone letting a hacker gain access to an account, the business is vulnerable. Many small businesses don't have the basic cybersecurity safeguards in place, making them an easier target for these high-volume attacks.

The Attack Process

The attack process typically starts with phishing emails that come into an account. Once the hackers gain access, they encrypt the data, make ransom demands, and the business is basically shut down while this is happening.

Protecting Against Ransomware Attacks

To protect against ransomware attacks, there are several important steps you can take:

  • Regular data backups and offline storage: If the hackers get in and hold your data hostage, your backup is what's going to save you. However, if your backup is connected to the same network and isn't well-protected, the criminals will look for it and try to wipe it away. Your backup needs to include some sort of offline storage that can't be directly accessed from your network.

  • Network segmentation strategies: This means that if the network is ever accessed, the hackers can't easily move from one department to another. While it may make collaboration harder, it keeps the data safer.

  • Employee education: This is one of the most important things any small business can do to protect against cybersecurity threats. As a Boston IT solutions provider, I work with businesses in the area, but this applies to small businesses anywhere. Too many small businesses think they're not a target because they're too small, but they don't realize that many modern cybersecurity risks are indiscriminate and random.

The Importance of an Incident Response Plan

Having an incident response plan for a ransomware attack is also essential. By creating a comprehensive response plan, you'll be able to better function in times of great stress.

Here are a few things to consider when creating your plan:

  • Make sure you have a list of alternative communication points for all of your employees, such as a cell phone list, in case you can't access your computers.
  • Have a customer list separate from everything else.
  • Think about what you would do if everything were locked down for a week, what you would tell clients and employees, and what your communication plan would be.
  • Understand ahead of time what order you need to bring systems back up and what your critical assets are.

We recently worked with a local business that called us after a cyber incident.  Their firm was entirely down for a week after a ransomware attack. Employees didn't know what was going on and thought they should be getting their resumes together to look for another job. Everything just sort of fell apart. The principals in the firm were working frantically to keep relationships with the top clients so they would not go under. That whole incident - all that stress, all that pain, and almost to the point of being wiped out of business - started with somebody falling for a phishing email. These things really do have big consequences.

The good news is that there are many smart and affordable things any small business can do to protect against cybersecurity threats. It doesn't have to be expensive. By implementing regular data backups with offline storage, network segmentation, employee education, and an incident response plan, you can significantly reduce your risk of falling victim to a devastating ransomware attack.

3. Weak Passwords: The Achilles' Heel of Small Business IT Security

Weak passwords are a significant weakness that many small businesses face when it comes to cybersecurity risk. Many people and small businesses falsely believe that they are too small to be attacked, so they become lazy about some of the basic cyber hygiene points.

The Dangers of Weak Passwords

The dangers of having weak passwords are that any common password could be easily guessed by a hacker. If you have a three-character password, a hacker can get into it through the process of trial and error.

Whenever there is a major breach, one of the things that gets published is a list of the most popular passwords. People absolutely know their password should not be the word "password", yet that is what they actually do. It is interesting to look at these lists and see that the most popular passwords are often:

  • "123456"
  • The word "password"

The Rise of Credential Stuffing Attacks

There is also a big rise in credential stuffing attacks. Imagine your credentials are breached through no fault of your own because the bank or credit card company you work with gets breached. If you use that same username and password at a different bank or organization, hackers could try to break into your other accounts within seconds using automation.

Big businesses that make the national news usually have deep pockets to recover from a cybersecurity event. For a small business, a weak password can lead to an account breach, and that breach can carry enormous financial and reputational risk.
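As an added example (not code from the post), here is detection logic for the automated pattern described above: one source trying many different usernames within seconds. The log format, IP addresses and usernames are constructed for this example.

```python
# Added example, not code from the post: flag the credential-stuffing pattern
# described above, where one source tries many different usernames within seconds.
# Log format, addresses and usernames are constructed for this example.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log: timestamp, result, username, source IP.
SAMPLE_LOG = """\
2024-10-18T09:00:01 FAIL jsmith 203.0.113.7
2024-10-18T09:00:01 FAIL mjones 203.0.113.7
2024-10-18T09:00:02 FAIL alee 203.0.113.7
2024-10-18T09:00:02 FAIL rpatel 203.0.113.7
2024-10-18T09:00:03 OK kwong 203.0.113.7
2024-10-18T09:00:03 FAIL dnguyen 203.0.113.7
2024-10-18T09:05:10 FAIL jsmith 198.51.100.22
2024-10-18T09:05:40 FAIL jsmith 198.51.100.22
2024-10-18T09:06:05 OK jsmith 198.51.100.22
"""


def parse_log(text):
    """Turn the log text into (timestamp, result, username, ip) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events


def find_credential_stuffing(events, window_seconds=10, min_distinct_users=5):
    """Return {ip: summary} for every source that tried at least min_distinct_users
    different usernames inside any span of window_seconds. A single user failing a
    few times (a mistyped password) does not trip the rule."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(events):
        by_ip[ip].append((ts, result, user))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, attempts in by_ip.items():
        for i, (start, _, _) in enumerate(attempts):
            in_window = [a for a in attempts[i:] if a[0] - start <= window]
            users = {user for _, _, user in in_window}
            if len(users) >= min_distinct_users:
                alerts[ip] = {
                    "attempts": len(in_window),
                    "distinct_users": len(users),
                    # Accounts the source actually got into: reset these first.
                    "compromised": sorted(u for _, r, u in in_window if r == "OK"),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, summary in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"credential stuffing from {ip}: {summary}")
```

The second source in the sample (one user failing twice, then succeeding) is the ordinary mistyped-password case and is deliberately not flagged.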

Implementing a Robust Password Policy

Having a robust password policy means using longer passwords of 12 characters or more, with complexity requirements like uppercase letters, lowercase letters, etc. You should also change passwords regularly and be on alert for when there is a major incident, like with Chase Bank, and make sure you change those passwords even if it was through no fault of your own.

If you start thinking about how each person needs about 50 to 100 passwords, it becomes clear that no one can remember that many strong and unique passwords. This is why you really have to implement password managers.
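As an added example (not code from the post), the policy above expressed as a check: 12 or more characters, upper and lower case plus a digit or symbol, rejection of the passwords that top published breach lists, and a reuse check so a password exposed in one breach is never used on a second account. The weak-password list is a constructed sample, not a real breach list.

```python
# Added example, not code from the post: a password-policy check encoding the
# rules stated above (12+ characters, upper and lower case, and a digit or symbol),
# rejection of the passwords that top published breach lists, and a reuse check so a
# password exposed in one breach is never stuffed into another account.
import hashlib
import re
from typing import Iterable, List

MIN_LENGTH = 12

# Constructed sample of the kind of entries that top breach-derived password lists.
KNOWN_WEAK = {"123456", "password", "12345678", "qwerty", "123456789", "password1"}


def password_fingerprint(password: str) -> str:
    """SHA-256 of the password, used only so reuse can be compared without keeping
    plaintext around. A credential store would use a slow, salted hash instead."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password: str, username: str = "",
                   used_fingerprints: Iterable[str] = ()) -> List[str]:
    """Return every policy violation found; an empty list means the password passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} characters, policy requires {MIN_LENGTH}")

    # Complexity requirements from the policy.
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[^A-Za-z]", password):
        problems.append("no digit or symbol")

    # Known-weak check ignores case and any digits/symbols, so "Password1!" is still
    # recognized as a dressed-up "password".
    letters_only = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in KNOWN_WEAK or letters_only in KNOWN_WEAK:
        problems.append("appears on the list of most common breached passwords")

    # Passwords built from the username are guessable from public information.
    if username and username.lower() in password.lower():
        problems.append("contains the username")

    # Reuse check: the same password on a second account is what credential
    # stuffing relies on.
    if password_fingerprint(password) in set(used_fingerprints):
        problems.append("already used for another account (enables credential stuffing)")

    return problems


if __name__ == "__main__":
    seen = {password_fingerprint("Correct-Horse-Battery-9")}
    for candidate in ["123456", "Password1!", "Correct-Horse-Battery-9"]:
        print(candidate, "->", check_password(candidate, "jsmith", seen) or ["ok"])
```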

The Importance of Multi-Factor Authentication

Multi-factor authentication is the next layer of security. No matter how good your password is, it could be broken. But if you have multi-factor authentication, a hacker would need both your password and a second form of verification, such as:

  • The annoying six-digit code you have to put in after your correct password to gain access
  • Biometric data like a fingerprint or face scan
  • A physical security key

Every small business should be implementing multi-factor authentication wherever possible.  Help your employees understand the connection to securing the company so they'll realize the inconvenience is a small price to pay.

A Real-World Example

We once worked with a local business in the Greater Boston area to improve their cybersecurity. Despite our efforts to raise awareness, some employees were digging in their heels on using short, easy-to-remember passwords. It was an uphill battle to get them to understand why that simply wasn’t safe.

In one particularly memorable conversation, a key individual with significant responsibility revealed their password was just three characters long—and was the name of a common household pet. It really underscored the challenge of changing old habits in cybersecurity.

The Growing Awareness of Small Business Cybersecurity

Over time, there are more conversations happening and more people are talking to each other about cybersecurity for small businesses. While we may not see small business incidents appear in the national news, in aggregate we are seeing more articles about the risks.

Weak passwords are one of the simplest, most basic things you can fix to greatly improve your small business's cybersecurity posture. Implementing stronger passwords and multi-factor authentication with the help of IT solutions providers who specialize in cybersecurity for small businesses in your area, like those in Boston, can make a big difference.

4. Remote Work Security: Safeguarding Small Business Data Beyond the Office

The trend toward remote work has introduced significant cybersecurity risks to small businesses in Boston and beyond. When the pandemic hit and more people had to work remotely, there was a mad scramble to get everybody set up, which was a disaster from a security perspective.

Vulnerabilities in Remote Work Environments

Remote work environments come with a host of vulnerabilities:

  • Unsecured home wireless networks
  • Personal devices used for work purposes
  • Increased phishing and social engineering risks

As people work in isolation, they may be at greater risk from social engineering attacks: there is no co-worker next to them to take a quick peek at a suspicious email and help sort it out.

Mitigating Remote Work Risks

To mitigate these risks, you can set up a virtual private network (VPN) so that traffic between remote workers and your computer systems stays private. Secure cloud-based collaboration tools are also essential. Without proper setup, employees might resort to personal accounts like Dropbox to share files, potentially exposing highly confidential information.

Another important aspect is securing remote desktop access to prevent unauthorized access.

Employee Training and Awareness

Training employees for remote work is crucial. You can start by creating a home office security checklist and ensuring that everyone in the organization understands what they need to do. Educating people on the safe handling of sensitive data outside of work is also important.

For instance, employees should know to use a VPN when working from a coffee shop or airport. Encourage employees to speak up about cybersecurity risks in an open environment, rather than penalizing them for mistakes. This approach leads to greater awareness and a reduction of risk for your small business.

Real-Life Examples and Stories

When I conducted security awareness training at a local organization, I found that getting people to share their stories was highly effective. Instead of lecturing about rules, engaging in interactive discussions about real-life scenarios helps employees understand the nitty-gritty of what puts them at risk.

Here's an example: one client called to report that their work laptop got infected after letting their kids use it for computer games. These split-second decisions can lead to significant risks for small businesses.

Partnering with IT Solutions Providers

By implementing secure remote work practices, providing comprehensive employee training, and fostering an open dialogue about cybersecurity risks, small businesses in Boston can safeguard their data beyond the office. Partnering with a reliable IT solutions provider can help navigate the complex world of remote work security and protect your business from potential threats.

5. Outdated Software: A Small Business IT Security Blind Spot

Keeping your technology up to date is one of the most important things you can do to safeguard your small business from cybersecurity risks. Old tech doesn't protect against new threats, and there are a lot of hidden dangers when software gets outdated.

The Constant Battle Against Vulnerabilities

Hackers are constantly finding vulnerabilities and figuring out ways to exploit them. It's a cat-and-mouse game between cybercriminals and security providers. The good news is that when a vulnerability is discovered, the vendor will patch the software free of charge. As long as you install that patch, you stay protected against that vulnerability.

Current software will protect against current threats, so having a comprehensive patch management strategy is important. You should prioritize critical updates and be on the lookout for security patches.

Testing and Reporting: Key Components of Patch Management

When working with small businesses on cybersecurity, it's important to test patches before deploying them. Occasionally, a patch may have unintended consequences.

Here's an example: A few years ago, Microsoft released a security patch that ended up wiping out network connections for systems. That was a really painful time for a lot of folks.

Testing, automating, and reporting are key components of a strong patch management strategy, especially if you want to qualify for cybersecurity insurance. You'll have to show that you're actually doing all these things.

Balancing Security and Business Continuity

Balancing security and business continuity is also important. Consider the following:

  • Doing updates offline
  • Using staged rollouts
  • Not doing everything all at once
  • Having a rollback plan in case there is ever a bad patch

Some people may be hesitant to patch their systems because of a bad experience in the past or because they're really busy. However, the risk of not keeping your tech up to date is far greater. There are just so many situations, even major incidents you read about in national news, where an unpatched system led to exposure to a huge amount of cybersecurity risk.

The Importance of Rebooting

Another thing to be aware of is that many security patches, such as those on your own laptop, are sequential and require reboots. It's extremely important to fully reboot your system, not just hibernate your laptop.

Hibernating is when you close the lid and the laptop comes back to life a moment later right where you left off, but that's not actually a reboot. Microsoft wants Windows to feel fast, which is why this hibernation behavior is in place.

However, you should get in the habit of rebooting every week because some patches require reboots and some security patches are sequential. You won't be protected until the previous patch is in place.

By keeping your technology up to date and following these best practices for patch management, you can significantly reduce your small business's exposure to cybersecurity risks. Don't let outdated software become a blind spot in your IT security strategy. Work with a trusted IT solutions provider in Boston to ensure your systems are always protected against the latest threats.

Strengthen Your Cybersecurity: Take Action Today

Are you ready to boost your small business's cybersecurity? Our expert team can guide you through the challenges of protecting your digital assets. We provide custom solutions to safeguard your data, secure your networks, and educate your staff on best practices.

Proactive measures are key to preventing cyber incidents. Reach out today for a consultation, and let's work together to create a strong security plan for your business. This approach will help protect your company and give you confidence in your digital operations.  There's no obligation after the initial consultation.  Ask your questions and we hope you learn something, and if it feels like a match, we look forward to working with you.

Take action now to secure your company's future. Contact us to begin building a more robust defense against cyber threats.

About the author:

Ann Westerheim - Ekaru - Cybersecurity

Ann Westerheim, PhD is the Founder and President of Ekaru, a Technology Service Provider of cybersecurity and IT services for small and medium businesses in the greater Boston area.  Ann is an accomplished technology innovator and leader with three engineering degrees from MIT.  She has twenty years of high tech experience in research, advanced development, product development, and as an entrepreneur. Her career has spanned a vast range of technology endeavors including research in thin film semiconductors and superconductors, microprocessor fabrication, development of early Internet medical applications, and now focusing on the application of technology in business. She has an avid focus on the "last mile" of technology and decreasing the digital divide.

https://www.linkedin.com/in/annwesterheim/ 

 
