Running a business is no easy task. On top of daily operating challenges, small business owners wear multiple hats, from marketing and human resources to bookkeeping and IT. Many lack the time and resources to put a strong cyber security defence in place – yet cyber security attacks continue to be a growing threat as small and mid-size enterprises (SMEs) scale their operations.
A 2020 report by Verizon found that SMEs accounted for nearly 30% of all data breaches resulting from cyber attacks. In fact, an Insurance Bureau of Canada poll revealed that one in five businesses have been impacted by a cyber attack since 2018.
As we head into the second half of 2020 — especially as companies continue to adapt to a work-from-home model — this trend is continuing. Unfortunately, despite this growing risk, many SMEs don’t realize how vulnerable their IT networks are, nor do they understand the full range of cyber threats they face.
The reality is that any business, no matter how big or small, is now a target for cyber attackers looking to ransom your data back to you, lure you into transferring funds, expose or sell confidential information, and more. The good news is that a little knowledge can go a long way. Understanding the threats facing your business is the first step to protecting it.
Here are four major cyber threats targeting small businesses in 2020.
1. Ransomware
At first glance, ransomware attacks might seem to be on a downward trend; after all, between 2018 and 2019, reported attacks declined by six percent, down from over 200 million attacks in 2018 to nearly 190 million in 2019.
But that decline is merely a drop in the ocean. Ransomware and related malware attacks still represent the most common threat to SMEs. In 2020, these attacks have become much more sophisticated and far more targeted. SMEs and municipal governments are frequent victims, in large part because past targets have paid the ransom, setting a precedent for future attacks.
The Canadian Internet Registration Authority (CIRA) reports that 71% of Canadian organizations were victims of a cyber attack that impacted operations or their bottom line.
But beyond financial costs, ransomware attacks are getting far more personal, with threats to expose confidential data becoming commonplace as an attempt to extort payment.
For example, in late 2019, Andrews Agencies, a Manitoba-based insurance company, was hit with a ransomware attack and refused to pay. The company did not disclose the attack until the attackers went public with threats to expose the data, claiming to have stolen at least 1.5 gigabytes of data that included confidential personal information.
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), if the attack could have resulted in a real risk of significant harm to an individual, then the company would have been obligated to report the attack to the federal privacy commissioner.
Andrews Agencies claimed that there was no risk, but the situation served as a reminder that ransomware attacks don’t just threaten operations and finances but could result in additional costs from enforcement action and reputational damage if confidential data is exposed.
2. Business email compromise
Sometimes referred to as CEO fraud or an evolution of a phishing attack, business email compromise (BEC) is a top cyber threat for small business. BEC is a highly targeted and carefully planned cyber attack that is estimated to have cost Canadian organizations upwards of $33 million in the last four years alone.
This social engineering scam usually targets the financial and/or procurement departments of a company. The end goal is to get an employee in these departments to make a financial transfer to an account owned by an attacker.
One of the most common ways these transfers are initiated is through impersonation of a CEO or other executive. Attackers will usually either spoof an email address or use spear phishing techniques to obtain the credentials they need to trick employees into making the payment. In some cases, attackers might pose as a vendor, using a falsified invoice to trick someone into making the transfer.
A city treasurer in Ottawa fell victim to such an attack, wiring $100,000 CAD to cyber criminals in the United States before any red flags were raised, showing just how sophisticated these attacks can be.
Beyond the financial loss, these attacks expose businesses to serious legal risk from clients or suppliers that might have been defrauded. These attacks can seriously impact a company’s reputation, making it harder to earn new business or even maintain current customers.
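The impersonation pattern described above (an executive's name on an outside address, a mismatched Reply-To, and payment-themed wording) can be screened for on inbound mail. The following is an added example, not code from the original post or from Field Effect; the company domain, executive names and sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed assumptions for this example (hypothetical company and executives).
COMPANY_DOMAIN = "example-corp.test"
EXECUTIVES = {"jane doe", "john roe"}          # display names worth protecting
PAYMENT_TERMS = ("wire transfer", "invoice", "urgent payment", "change of bank")


def _plain_text(msg) -> str:
    """Return the text/plain body, or an empty string if there is none."""
    body = msg.get_body(preferencelist=("plain",))
    return body.get_content() if body is not None else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # 1. An executive's display name on an address outside the company domain.
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append("executive display name on external address")
    # 2. Replies are steered to an address other than the visible sender.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append("reply-to differs from sender")
    # 3. Payment or invoice wording in the subject or body.
    text = (str(msg.get("Subject", "")) + " " + _plain_text(msg)).lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment request wording")
    return findings


# Constructed sample messages: one impersonation attempt, one ordinary internal mail.
SAMPLE_SPOOF = """From: Jane Doe <ceo.jane.doe@webmail.test>
Reply-To: jane.doe@webmail-alt.test
To: accounts@example-corp.test
Subject: Urgent payment

Please settle the attached invoice by wire transfer today. Jane
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.test>
To: accounts@example-corp.test
Subject: Lunch

See you at noon.
"""
```

A message that trips all three checks deserves a phone call to the named executive before any transfer is made.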
3. Phishing & social engineering
Phishing and social engineering attacks have grown more sophisticated over the years, with tools and techniques becoming harder to spot. In the past year, nearly a quarter of all cyber security data breaches involved some form of phishing or social engineering, and a whopping 52% targeted Canadian businesses.
Phishing attacks are designed to fool users into clicking fraudulent links or downloading attachments that compromise their devices or systems. A major reason why these attacks are so common is because they’re easy: phishing kits — software tools used by cyber criminals — are easy to acquire, letting even the most inexperienced attackers falsify emails and websites at minimal cost with potential for considerable payouts.
No one is immune, either: attackers have been able to abuse legitimate services to steal credentials, with phishing attacks that have fooled experienced IT professionals.
As cyber security training continues to play catch-up, all an attacker needs to do is lure a user into clicking a link or downloading a file. From there, they can access additional accounts and workstations, giving them a foothold to launch a larger attack or gain greater access to cause more damage.
4. Insider & third-party threats
Verizon’s 2020 Data Breach Investigations Report estimates that a third of all data breaches involved insider threats from an organization’s users. These threats encompass everything from everyday human error, such as a misplaced USB drive or accidentally revealing login credentials, to deliberate cyber security compromises from within a network, such as a disgruntled employee selling confidential data to cyber criminals.
The third-party vendors and suppliers you regularly work with also present a potential cyber security risk. This could include vendors you contract services with, as well as the providers of the software systems and services your business uses in its operations. It’s estimated that around 60% of data breaches are linked to third-party vendors.
Assessing and managing third-party risks is a complex process that begins with ensuring your vendors are following strong cyber security best practices. It is critical to understand the policies and measures they are using to keep your software and systems safe while ensuring secure communications and transactions with your vendors.
Securing your small business
Thankfully, these top cyber attacks can be prevented.
Unfortunately, many SMEs may not know where to start when it comes to putting effective cyber security defences in place. They may lack the resources to continually identify and defend against the cyber threats they face.
That’s where Field Effect Covalence can help.
A sophisticated yet easy-to-use cyber threat monitoring and detection platform, Covalence provides ongoing visibility into your network to identify potential threats, vulnerabilities, and other malicious activity to help you improve your security. Backed by expert cyber security analysts, Covalence delivers the insights needed to better secure your business.
Start securing your business today by mastering the fundamentals. Learn more in our free eBook, Cyber Security 101: your guide to getting the basics right. Click here to download now.
Stay informed about cyber risks and ways that the Covalence threat monitoring and detection platform can protect your business from cyber threats – sign up for our newsletter below.