Running a business is no easy task. On top of daily operating challenges, small business owners wear multiple hats, from marketing and human resources to bookkeeping and IT. Many lack the time and resources to put a strong cybersecurity defence in place; meanwhile, the threat of a cyberattack continues to grow.
Almost half of small businesses experienced a random cyberattack in 2022 and 27% experienced a targeted attack, according to a survey done by the Canadian Federation of Independent Business (CFIB). And while many smaller businesses are beginning to realize the importance of cybersecurity, not all understand the full range of threats they face.
The reality is that every business, big and small, is now a target for threat actors trying to ransom your data back to you, lure you into transferring funds, or expose confidential information. The good news is that a little knowledge can go a long way.
Understanding the threats facing your business is the first step to protecting it. With that in mind, here are four major cyber threats targeting small businesses in 2023.
1. Ransomware
Ransomware is a form of malware. As its name suggests, it is designed to lock up data on a victim's systems, typically by encrypting files, and to offer the decryption key in exchange for a substantial payment. Ransomware attacks usually add a time-sensitive element to increase the pressure, such as a deadline after which the ransom rises or a threat to publish data the attackers copied before encrypting it.
One of the main reasons ransomware is so prevalent is that it is a lucrative industry for cybercriminals. The cost of a ransomware attack can be staggering: the average cost of a ransomware breach is north of $4.5 million according to IBM's Cost of a Data Breach report, and that figure does not even include the ransom payment itself. It covers detection and response, operational downtime, lost productivity, and similar costs.
Smaller businesses are particularly appealing targets because they often lack the level of cybersecurity larger companies have, making them comparatively easy marks for cybercriminals.
2. Business email compromise (BEC)
To pose as an executive or a vendor, the attacker needs a disguise: access to the real account, or at least an email address that looks close enough to the real one to make a fraudulent payment request appear legitimate.
Attackers often gather these credentials through a variety of lower-profile attacks and tactics that may not immediately raise a red flag with the user. Spear phishing, for example, is commonly used to target specific users (in the case of BEC, C-suite executives) and gain access to their accounts.
Beyond the direct financial loss, these attacks expose businesses to serious legal risk from clients or suppliers who were defrauded in the company's name. They can also do lasting damage to a company's reputation, making it harder to win new business or even keep current customers.
3. Phishing & social engineering
Phishing is a type of cyberattack, usually delivered by email, that aims to obtain sensitive information such as bank account numbers or passwords. Cybercriminals craft these messages and then send them out in bulk to large, indiscriminate lists of recipients, hoping to trick some of them into performing an action that furthers the attack.
Scammers know that many recipients will ignore their phishing attempt, but they also know they will find success with those who don't.
Cybercriminals use a variety of tactics to craft these messages. They may write the email to look like official correspondence from a well-known, trustworthy company. They may try to create a sense of urgency with strong language or threats, such as imminent account closure or legal terminology.
Phishing and social engineering attacks have grown more sophisticated over the years, with lures that are harder to spot. They are also quicker to launch: phishing kits, ready-made software packages sold among cybercriminals, are easy to acquire and let even inexperienced attackers produce convincing fake emails and websites at minimal cost, with the potential for considerable payouts.
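The disguise behind BEC (a familiar executive name on a message that does not come from the company's own domain) and the brand-impersonation and urgency tactics described in this section can both be screened for with a few checks on a message's headers and text. The following is an added example, not code from the original article or from any product it mentions. The executive list, the brand list, the urgency phrases and all four sample messages are constructed for illustration.

```python
"""
Heuristic screen for the impersonation and urgency tactics described above.
Added example, not from the original article. KNOWN_EXECUTIVES, TRUSTED_BRANDS,
URGENCY_PATTERNS and the sample messages are all constructed assumptions.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: lowercase display names of executives and the domain they really send from.
KNOWN_EXECUTIVES = {"jane doe": "example.com"}
# Assumed: brands that phishers like to imitate, mapped to the domains they really use.
TRUSTED_BRANDS = {"paypal": {"paypal.com", "paypal.co.uk"},
                  "microsoft": {"microsoft.com"}}
# Phrases that create the pressure the article describes (deadlines, threats).
URGENCY_PATTERNS = [
    r"\burgent\b", r"\bimmediately\b", r"\bwithin 24 hours\b",
    r"\bfinal notice\b", r"\blegal action\b",
    r"\baccount (?:will be )?(?:closed|suspended|terminated)\b",
]


def _domain(addr: str) -> str:
    """Domain part of an address, lowercased ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalikes such as paypa1.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze(raw: str) -> dict:
    """Score one RFC 822 message and return the verdict with human-readable findings."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name = name.strip().lower()
    sender = _domain(addr)
    reply_to = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    findings, score = [], 0

    # BEC pattern: a known executive's name, but the message is sent from, or
    # answered to, a domain that is not the company's own.
    expected = KNOWN_EXECUTIVES.get(name)
    if expected and sender != expected:
        findings.append(f"executive name '{name}' but sender domain is {sender}, not {expected}")
        score += 2
    elif expected and reply_to and reply_to != expected:
        findings.append(f"executive name '{name}' but replies go to {reply_to}")
        score += 2

    # Brand impersonation: the brand is named in the sender, or the sending domain is
    # within two edits of the real one, yet it is not one of the brand's own domains.
    for brand, real_domains in TRUSTED_BRANDS.items():
        legit = any(sender == d or sender.endswith("." + d) for d in real_domains)
        close = any(_edit_distance(sender, d) <= 2 for d in real_domains)
        if not legit and (brand in name or brand in sender or close):
            findings.append(f"'{brand}' impersonated from {sender or 'missing address'}")
            score += 2

    # A Reply-To that diverts the victim's answer away from the visible sender.
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to} differs from sender {sender}")
        score += 1

    # Pressure language in the subject or body.
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if hits:
        findings.append(f"{len(hits)} urgency/threat phrase(s)")
        score += 1

    return {"score": score, "suspicious": score >= 2, "findings": findings}


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.co>
To: accounts@example.com
Subject: Urgent: wire transfer needed today

Please process this wire transfer immediately. I am in a meeting and cannot talk.
"""
BRAND_SAMPLE = """\
From: PayPal <service@paypa1.com>
To: owner@example.com
Subject: Final notice: your account will be suspended

Verify your details within 24 hours or your account will be closed.
"""
REPLY_TO_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe.ceo@gmail.com
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I need you to handle something for me discreetly.
"""
LEGIT_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 figures

Attached are the Q3 figures for review before Friday's meeting. Thanks, Jane
"""

if __name__ == "__main__":
    for label, sample in [("BEC", BEC_SAMPLE), ("brand", BRAND_SAMPLE),
                          ("reply-to", REPLY_TO_SAMPLE), ("legit", LEGIT_SAMPLE)]:
        print(label, analyze(sample))
```

Run as a script to see the verdict and findings for each sample. Any legitimate subdomains or extra domains a brand or your own company uses must be listed in the allow-lists, or they will be flagged as lookalikes. A text heuristic like this is a supplement to, not a substitute for, sender authentication (SPF, DKIM and DMARC) and the anti-phishing controls in your mail service.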
4. Insider & third-party threats
Insider threats range from everyday human error, such as a misplaced USB drive or accidentally revealing login credentials, to deliberate compromise from within the network, such as a disgruntled employee selling private data to cybercriminals.
The third-party vendors and suppliers you regularly work with also present a cybersecurity risk. This includes vendors you contract services from as well as the providers of the software systems and services your business runs on. Industry surveys estimate that around 60% of data breaches are linked to third-party vendors.
Assessing and managing third-party risk is a complex process that begins with confirming your vendors follow strong cybersecurity practices. It is critical to understand the policies and measures they use to keep your software and systems safe, and to make sure your own communications and transactions with them are secured.