Technology Advisor Blog

Cybersecurity and AI have become inseparable forces that create immediate risks to local businesses, regardless of size. Small organizations are now prime targets for criminals who use artificial intelligence to automate attacks, making every business vulnerable.

Major corporate breaches grab headlines, yet the silent wave of cyber attacks on local companies goes unreported, leaving many business owners with a dangerous false sense of safety. Your organization needs basic protective steps that could prevent most attacks, along with cost-effective solutions to shield your business from financial losses and reputation damage. The stakes are high - companies that fall victim to these attacks often struggle to keep their doors open.

The Hidden Value of Local Business Data to Cyber Criminals

You may think that cybersecurity is not a concern for your local business. After all, you've been operating for 20 years without any issues, so why spend money on it now? This sentiment of being too small to be a target or relying on "security by obscurity" puts small businesses at risk.

The False Sense of Security

When a major cyber incident occurs, such as the Colonial Pipeline Ransomware Attack, it appears on national news and raises awareness for cybersecurity. However, this can give a false sense of security to smaller organizations, reinforcing the idea that they are too small to be targeted. In reality, cyber criminals are increasingly targeting local businesses with 200 employees or less because they often lack the resources and budget for strong defenses.  Small businesses are the backbone of the US economy, and while cybersecurity concerns are a top threat for 60% of small business owners, just 23% say they are well prepared to handle an incident, according to the a recent report by Mastercard.

The Unseen Incidents

In our line of work, we see the incidents that do not make the national news. We've been called in to help with incident response after various local companies have been hit with cyber incidents. A few key points about these incidents:

• The cleanup process is long and expensive
• Many of these incidents could have been prevented with simple measures
• Similar incidents are happening all over the place but at a scale that does not make national news

The AI Factor

The situation is about to accelerate and get worse with the introduction of AI. Cyber criminals can now access DIY cybersecurity kits to target a large number of businesses at once. They're not going after the big fish because they have strong defenses. Instead, they focus on low-hanging fruit - small businesses with limited resources - and make up for it with scale.  Technology Review recently reported on AI agents being used to identify vulnerable targets, hijack their systems, and steal valuable information from unsuspecting users.

Consider this: it costs nothing for a cyber criminal to send out a million phishing emails and potentially gain access to personal information, financial data, or trick employees into providing sensitive data.  With AI agents, they can even save on labor costs!

Real-World Examples

Let's look at a couple of prominent cases in the Boston area. Arlington schools lost half a million dollars due to a business email compromise scam in which international hackers impersonated a vendor. The money stolen, designated from taxpayers to build a new school, is gone.

Schools in New Hampshire were also a victim of a cyber attack with the Nashua School District Superintendent saying "There was a letter in every printer in the district saying that we're under attack.  Superindency 101, this isn't like in our playbook.  Fall River Schools in Massachusetts were also recently impacted by a cyber attack.  

These examples are schools, but keep in mind that not all organizations will report a cyber incident.  Schools are often required to report cyber incidents due to public accountability and regulations, while private business may quietly recover to protect their reputation.  The key point is these are LOCAL cyber attacks.

Cyber criminals are going after volume, targeting hundreds of small organizations  at once for gains that add up. They may harvest all sorts of information from various places on the web and piece together profiles using AI for more efficient and sophisticated attacks.

The Threat of AI Agents

The rise of AI agents poses a significant threat as they can be used to generate cyber attacks with the same sophisticated abilities that make them helpful assistants. As a local business owner, it is crucial to prioritize cybersecurity and take proactive measures to protect your organization from these evolving threats.

Don't fall into the trap of thinking you are too small to be a target. Invest in the necessary resources and training to safeguard your business, customers, and reputation in this era of AI-powered cybercrime.

AI Agents: The Next Wave of Cyber Threats

AI agents are the talk of the AI industry right now, and you will see a lot of interaction between AI and cybersecurity. AI agents are capable of planning, reasoning, and executing complex tasks, such as scheduling meetings and ordering items. Cyber criminals will use this technology too, along with AI-powered attacks.

AI-Powered Attacks

Imagine this scenario: someone could harvest your voice from an online video and use it to create a deep fake, sending out a fake voicemail to someone. People can create fake videos right now, so we are living in a time of accelerated change.

Affordable Cybersecurity for Small Businesses

Working with smaller organizations can be tough, as there are not infinite budgets. However at Ekaru, we want to make sure that when you're thinking about cybersecurity and AI, there are many smart and affordable things you can do that will make a big difference and can be done on a small business budget. We understand that nonprofits, for example, have to work with very tight budgets. But just doing a few things can really help local businesses strengthen their cyber defenses.

AI and Ransomware as a Service

Criminals are using AI in many different ways. With AI agents, they can set them loose to do the work for them, so they don't even have to hire hackers anymore. Criminal organizations have launched Ransomware as a Service (RaaS) kits, where you just buy a package like any other software and can launch ransomware attacks. The big ransomware groups have:

• Customers
• Customer support
• Negotiating teams for ransomware payments

But now with AI, you could step that up even more with personalized scams because it's so easy to gather a lot of information.

The Dangers of Information Scraping

By scraping information you might have on Facebook, LinkedIn, Instagram, and other social media, if they can identify your name and maybe a third party breach that was in no way your fault (like a bank or social media account) but your name was included with an email address, a physical address, and some purchasing histories from online shopping, they can piece together a lot of information on you quickly. We are going to see that increase, so now is not the time to sit on the sidelines.

The Costs of Incident Response

On the flip side, incident response in our line of work can be very expensive and painful. Oftentimes, smaller organizations haven't even done incident response planning - they don't have a communication plan or revenue for weeks. What do you do about paying your employees with no money coming in? Reputation damage is something that smaller organizations really have to think about. If you're a non-profit, as an example, you don't want that donor list to be leaked. People will think, "I have other places I can put my money. I don't want to work with an organization that's not keeping my information safe."

The Convergence of Cybersecurity and AI

Cybersecurity and AI are really coming together to accelerate things. AI agents are going to be the interesting new thing to watch - I see that as ransomware as a service 2.0. Local businesses DO need to be concerned about this and should devote some time to talk to their team.

The Challenge of Spotting Fake Messages

AI tools can create highly convincing phishing emails because they can gather all the information from social media messages and even phone calls that can synthesize voice. If your voice is out there anywhere on the internet, your voice can be picked up from that. We train users not to click on suspicious links, but when things just look so real and are so carefully crafted with no spelling errors - and anybody anywhere in the world can write in perfect English with perfect grammar these days with tools like ChatGPT - how do you educate somebody to spot a fake message? That line of defense doesn't really work anymore.

The more people know about the different kinds of attacks that are going to be online, the more they might question for a minute, "Wait a second, just because I'm seeing this video doesn't mean that this person actually created that video."

Cybersecurity Basics That Stop 90% of Attacks

Did you know that cybersecurity basics can stop up to 90% of attacks on local businesses? It's true! Let's talk about some key areas to focus on.

Password Management

Password management is a critical aspect of cybersecurity. The average person has about 100 different passwords to manage, which often leads to the use of weak passwords. Can you guess the most popular passwords according to several studies? "123456" and "password". People may also use a strong password but change it only slightly for different sites, which an AI algorithm could easily crack.

Software Updates

Another common issue is ignoring software updates. In October of this year, Microsoft is ending support for Windows 10, and people will need to move to Windows 11 to continue receiving security patches. Even large cyber incidents can sometimes be traced back to simple oversights, such as:

• A VPN user without two-factor authentication
• A dormant account of a former employee
  
  These are "Security 101" basics! 
  
  

Cybersecurity Awareness Training

Ongoing cybersecurity awareness training is required by every cybersecurity framework. In Massachusetts, the data protection law 201 CMR 17.00 has been in place for 15 years and is well-written and easy to understand. While things are changing rapidly with AI, cybersecurity awareness training remains one of the most important aspects of every protocol, including HIPAA, CMMC, and FTC safeguards.

Your team must understand the impact of cybersecurity threats because there are unknown unknowns. If people in your organization believe that your small business is not a target and use bad software, password practices, and protocols around clicking on email links, you will likely face significant trouble.

Real-Life Examples

Here's a story about a local business owner who called after clicking on a link two weeks prior. They thought they had dodged a bullet when nothing bad happened immediately. However, they didn't realize that hackers had gained access to their system and were conducting reconnaissance. Hackers can go through a whole process once they gain control of a system, looking around to see what's there. It's important to train users that they won't necessarily know right away if they click on something bad.

Another example involves a local business owner who needed to call Bank of America and searched for their customer support on Google, calling the number at the top of the list. However, criminals can create fake ads online, so it's best to call the number on the back of your credit card.

Email Security

Email remains the top way attackers like to break into companies. Educate your employees and put simple defenses in place. For the cost of a latte from Starbucks, you can implement strong defenses for your organization, such as DNS filtering that would prevent someone from clicking on a slightly misspelled link of a major company. Small steps can add up to robust protection for your business in the ever-changing world of cybersecurity and AI.

The Rising Cost of Cybersecurity Incidents

If you are ever called in to handle a cybersecurity incident, one of the first questions that will be asked is, "How did this happen?" There are many things you can do before a cyber incident to help prevent it, such as tracking what's going on, providing log analysis, and strengthening your backups so they are protected and not easily wiped away by cybercriminals. However, if you don't have those things in place and a cyber incident occurs, the incident response is going to be very time-consuming and expensive.

The High Cost of Ransomware Attacks

A local organization that had a ransomware incident shared their experience. They were called in later, so wisely they stepped up a lot of security after the fact. It cost them hundreds of thousands of dollars out of pocket. Had they not had cyber insurance that offset some of the cost, they probably would have gone out of business after that ransomware attack.

This is something that people often say, "I never thought it would happen to me." Because these kinds of incidents don't make national news, folks in smaller, local businesses have a false sense of security, thinking that cybercrime only happens to big companies far away.

Encourage your team to look at the few stories that appear in local news. Anyone who has had a cyber incident or knows somebody close to them who has had one will immediately want to know how fast they can get all these security safeguards into place. However, there is another universe of folks who haven't experienced this and think it won't happen to them.

The Long Road to Recovery

It may take weeks to get operational again, and you can calculate the cost of that, but it may take months after that to fully have everything back in action. If it's not completely cleaned up, a very common thing is that the cybercriminals will come back and do a second attack within a few weeks.

Consider this scenario: If your email is compromised, some of your highly sensitive communications to your insurance company could also be intercepted. Think carefully about whether you have a list of everybody's personal cell phones outside of your computer systems just so you could contact everybody in your company. Do you have a designated point person who's going to speak about the event so your employees don't walk around saying, "Hey, yeah, we had this big breach," because they might think it's something out of a movie, but that could cause even more damage if somebody in your organization goes on social media, for example.

Reputation Damage for Smaller Organizations

Reputation damage is something that smaller organizations really need to think about. There may be a perception in the public that bigger companies, even though they make the national news, have more resources to fight cybercrime. Perhaps somebody would be reluctant to work with your 20-person law firm if they feel like they would be more secure at a bigger law firm.

Here are a few examples to consider:

• A real estate office
• An accounting firm
• A medical office

How do your clients think about you? If your prospective community thinks that you are not keeping things secure, is it going to change their willingness to donate to your cause because they don't want their money to be wasted or lost in a cyber incident?

The Long-Term Impact of Cyber Theft

Cyber theft can damage your credit score for many years. If you wind up with fraudulent unpaid bills, this is the one area where it's guilty until proven innocent, and that could take a long time. It could impact your ability to get other funding. You're not going to be able to go to a bank and get a line of credit to cover cybercrime. You have to really think this through in advance.

The average time to restore compromised accounts is increasing. Your insurance company may not actually allow you to restore systems because they want to gather forensics. You may have to get separate new equipment to be able to operate while all the rest of the forensics play out because it could be far more expensive to stay shut down for an extra couple of weeks than it would be to just get new computers. You want to think about this in detail.

Key Takeaways

The key takeaways are:

• The cost of cybersecurity incidents is going way up.
• Cybercriminals are searching for insurance policies stored on computers so they know exactly what the coverage limits are and can strategically ask for ransom that fits into that coverage. It's a really horrible game.
• Cybercrime is the largest form of organized crime.
• Telling folks not to click on suspicious emails just doesn't cut it anymore. There is a lot more to it than that, but cybersecurity awareness training is so important because when your team knows about deep fake videos or audio and the different scams, they're going to pause for just that second and maybe not click on that link.

The Future of Cybersecurity and AI

AI agents are taking cybersecurity to the next level. We're going to start seeing AI agents do cyber attacks in the future. Local businesses need to stay up with what's happening in cybersecurity and the accelerated curve we're on right now with AI.

Larger organizations make the news and have deep pockets to recover from an incident, but online reputation damage for a smaller organization or just the money involved could be devastating. You're going to lose customers who may have to go elsewhere while you're shut down. They may not trust you again if their information was leaked, and it's going to be very tough to win that customer back.

The Importance of Insurance Reviews

Smaller organizations in the greater Boston area have faced a lot of challenging recovery journeys. In some cases, insurance may come back with some of the money, but definitely do an insurance review to understand exactly what your limits are. Insurance policies have different sub-limits for different kinds of cyber incidents.

One thing we do with clients is work with a company that will do a complimentary review. You don't have to get insurance through them, but you could look through and ask questions. It's an educational process, but very important to understand that your million-dollar policy might only protect a fraction of that for business email compromise.

Local businesses, pay attention to this. This is not the time to sit on the sidelines.

Safeguard Your Business with Expert Support

Your business faces cyber threats that require immediate action. We help organizations like yours build effective cybersecurity programs that protect operations, data, and reputation while staying within budget constraints.

Our team applies tested methods to evaluate your risks and strengthen your defenses. We train your staff to recognize threats before they become costly incidents.

Schedule a free consultation to review your current security measures and learn how we can help protect your business. Your next step toward better security starts with a phone call.

 About the author: