Of course, you’ve heard of cyber criminals, and know you need better cybersecurity. You’ve read the headlines, such as the Colonial Pipeline Ransomware Attack (May 2021), T-Mobile Data Breach (January 2023), MGM Resorts and Caesars Entertainment Attacks (September 2023), the more recent Ransomware Attack on Change Healthcare (February 2024), and many, many others.
The breaches that make the headlines are the big ones, the ones impacting big business and millions of people. The smaller incidents don’t make the headlines, and therefore you may not hear about them. But, that doesn’t mean smaller cyberattacks aren’t happening with frightening frequency.
Business leaders often fail to take precautions against this ever-present threat for a number of reasons. First, they underestimate how big a threat it is. Or similarly, they undervalue how much their data and connections are worth to cyber criminals.
Second, they don’t know how to address the threat. They may attempt to increase data security, but become overwhelmed in the process. At this point, they become paralyzed with inaction, due to not having a clear plan.
Last are those leaders that recognize the dangers presented by cyber threats, but fail to protect their businesses. The reasons they fail to protect their businesses vary. It could be they mistakenly believe they have solid defenses already in place. Or, they might believe that the cost of cybersecurity is too high.
In this article, we will address the many types of digital intrusions to businesses in an attempt to illustrate both the magnitude of the threat and the variety of ways criminals can pose a danger.
Keep in mind that this article contains some scary information. The goal here is not to scare you out of sleeping tonight. It’s to raise your awareness of common threats so you can take informed action.
Know that there are strategies you can use to reduce the risk and impact of these threats. However, this article does not address these strategies. Rather, our purpose here is to help you understand the risks, and why it is important to take the time and effort to protect your business.
Section 1: Social Engineering
Social engineering describes a group of techniques criminals use to gain digital information that involve some aspect of human manipulation. They may use emails, phone calls or even in-person communication to trick people into providing confidential information.
Phishing is a very impersonal and broad email attack sent to large numbers of people. Phishers generally seek to steal login credentials, which they then use to access and read your email.
Business email compromise also makes use of stolen login credentials, but is even more threatening. With email compromise the attacker takes over the email account, sending emails and otherwise impersonating the victim.
Pretexting, baiting and tailgating are also forms of social engineering, but have a person-to-person component. Criminals call, leave bait or even communicate directly with victims, in attempts to gain access to secured assets.
Phishing
Phishing is the most common form of attack in general, and it’s more dangerous than many people realize. Phishers primarily seek login credentials, usually for email accounts.
Phishing emails are designed to look like legitimate emails from an account you may use. They may tell you your password is expiring and you need to update it, or they may promise a reward. In any case, the email will compel you to click on a link.
When the victim clicks on the link and attempts to log in to their account, they submit their username and password to the cyber criminals. The attacker will then use the provided credentials to access email (or sometimes other types of accounts).
Once they have access, they will download all of your emails, contacts, calendars . . . anything they can access, and save it on their system. After doing this, they can continue to mine the copied data even after you change your password and deny them access.
With that stolen information, they can steal proprietary data, act as a convincing imposter, and dig deeper into your organization. Ultimately, their goal is getting paid. One way they do this is by posing as your accounting department and requesting your clients redirect payments to their bank account, rather than yours.
If they don’t obtain customer information by the first contact, they continue to use phished information to go after more valuable contacts. A successful phishing attack leads to a cascade of problems, and you can’t put the genie back in the bottle.
Business Email Compromise
A successful phishing attempt results in the intruder having access to your email. With that access, they then use the information to dig deeper or trick others into redirecting money.
With business email compromise, the intruder takes over the account, using it to impersonate the owner. Phishers may cast a wide net to capture the credentials of whomever they can. But, criminals seeking to compromise business emails usually target key employees with significant influence.
Once control of an account is obtained, the attacker can easily trick employees, customers or partners into performing harmful actions. When employees receive emails from a boss’s email address, they may carry out requests without question. Similarly, customers receiving emails from a familiar accounting email might redirect payments.
Criminals can also use email compromise to request password resets for financial accounts. This is because many accounts send password resets to the email associated with the account. Because they can intercept the password reset email, they can lock you out of your finances.
Other Social Engineering Methods
Social engineering is a broad term that involves not just digital methods, such as email, but also more personal methods, such as phone calls or in-person communication. Pretexting, baiting and tailgating are all social engineering methods that involve more direct interactions.
Pretexting is a technique where the attacker fabricates a scenario to manipulate someone into compromising security. This could be divulging sensitive information or performing an action. The attacker pretends to be a colleague, customer or authority figure, in order to gain the victim’s trust.
Here’s an example. You get a phone call from the FBI. They say that your IP address has been used to commit cyber crimes, so now they’re investigating the whole thing. You need to turn over every account and password that your business uses so they can see who was committing the crime.
Other pretexts might be: impersonating a bank employee, posing as an IT admin or pretending to be a customer. If they have a convincing persona, you can see how this would enable them to pull off their agenda.
Baiting works differently. An attacker entices a victim with something appealing or tempting. It could be simple, such as a digital download or lost USB drive, or it could be an offer for something more valuable.
The bait is placed where people are likely to encounter it, such as a company parking lot or a nearby coffee shop. If the bait is digital, it may be in the form of an ad for a free offer on a popular website.
Eventually, curiosity will get the best of someone, and they will pick up the device or click on the ad. In the case of a lost USB drive, once inserted into the victim’s computer, it will automatically install malware. Similarly, clicking on a link might lead to a website that installs malicious software.
Tailgating is the boldest technique of the three, as it is done in-person. An unauthorized person, the criminal, gains physical access to a secure area. This is done by following or gaining the assistance of someone who has legitimate access to the area.
Tailgaters may take advantage of busy entrances or peak hours, hiding in the crowd to sneak by unnoticed. Or they may use the friendliness and helpfulness of passersby to hold open a door while they carry a heavy item. Another means of avoiding suspicion and gaining access is to dress like a delivery person or maintenance worker.
However unauthorized individuals gain entry, once inside they can commit theft, vandalize or tamper with security systems.
Section 2: Malware
Although phishing is the most successful means used to commit cyber crime, when most people think of cyber crime, malware is what comes to mind. They think of software that infects their machine, either completely taking down the computer or silently operating in the background.
Malware is a very common form of attack, and malware comes in a lot of different shapes and sizes. To understand how malware threatens business, we can split it into three groups: ransomware, viruses and spyware.
Ransomware
Ransomware is prolific and devastating. It’s a form of malicious software that can lock you out of your own data. Typically, ransomware will encrypt all of the data it can find on a system, and then you can’t access any of the data unless you know the encryption key.
It’s unlikely that you can just crack this encryption, and that means you’ll have to either pay a ransom to get your data back or cut your losses. On top of that, ransomware is often paired with data exfiltration (more on that in a later section), compounding the issue and overall risk to your business.
What’s more is that ransomware typically doesn’t just infect a single machine. More often, it installs onto a workstation and sits still, hiding inactive in the background. While it is hiding, it scans the network for additional devices to infect. One-by-one, it gains a foothold in each device, and once it has spread through the entire network, a switch will flip.
Like a cascading series of dominoes, all the computers on the network will instantly encrypt. In a matter of minutes, all computers will lock up, unusable. Data cannot be accessed. Applications won’t work. All work screeches to a halt. Leaders begin to panic, but not a lot can be done at this point, if you haven’t made the effort to implement regular backups.
Viruses
Next up are viruses. They’re not quite as common as ransomware — largely because ransomware tends to make criminals a lot of money. Still, viruses are prolific and a problem to take seriously.
Viruses, like ransomware, are malicious software that gets installed on your computer. Their objective, however, is different. Viruses aim to disrupt, damage or steal information without necessarily seeking financial gain.
The impact of a virus can range from annoyance to severe ramifications. There’s plenty of variety, but the goal is to disrupt your technology. Among the less serious consequences are slowing down a system, annoying popups, random reboots, and changing file associations. Among the more severe ramifications are data corruption, system crashes and unauthorized access to sensitive information.
Spyware
The third major form of malicious software is spyware. Spyware is scary because it’s often difficult to detect. Malicious software could be on your system without leaving obvious traces. Everything works normally, but software is hiding behind the scenes, stealing data at every chance.
Spyware can both record user actions, such as keystrokes or websites visited, and exfiltrate data (more on that in a later section), such as sending files to an attacker.
Recording keystrokes, or keylogging, seems useless at first glance. But, this capability means that spyware is able to capture passwords, credit card numbers and other key information put into forms.
Similarly, monitoring web activity also seems rather useless. However, by recording websites visited, search history, and the content you interact with, spyware can help attackers build user profiles. These profiles can be used, in turn, to understand how best to manipulate users.
Another way spyware compromises privacy is by capturing screenshots or recording audio and video using the device’s camera. That’s downright creepy.
In other words, spyware is bad news, and the fallout from undetected spyware can and does shut down businesses.
Section 3: Insider & Other Threats
Insider Threats
Insider threats are attacks from someone who works for the business. Why would this happen? There are a lot of reasons, but unfortunately, it’s a real thing. Sometimes, disgruntled employees attack their place of work out of a sense of vengeance. Otherwise, they might have a plan to steal data to make money. It varies.
Employees may also commit crimes of opportunity. While attempting to fulfill their responsibilities, they may stumble upon files they shouldn’t have access to. If they realize the files are valuable, they may copy the information onto a USB or email it to someone.
Many times, companies are lacking clear offboarding procedures. If offboarding is not done in a systematic manner, ex-employees may continue to have access to email or other accounts. With email access, they can continue to monitor activities within the business. Or they may even send emails to people who are unaware they are no longer with the company.
Perhaps the employee had access to social media accounts representing the company’s brand. Further, they may have been the primary or only person with access to social media for the company. If that’s the case, and the ex-employee is not cooperative, it may be difficult or even impossible to regain control of the account.
Data Exfiltration
Data exfiltration is the transfer of data from within a private network to an external location. Once the data is stolen, thieves can expose the sensitive information. Frequently, they expose it by posting it on the dark web.
Once stolen, data can be used to steal identities, create phishing opportunities, go after clients, steal competitive advantages and more. The stolen data can hurt not only the company, but also employees, customers and their businesses. The reputational damage this causes could result in significant loss of customers. It will also require time, energy and money to repair and restore reputation.
Sometimes, data is exfiltrated and then exposed behind the scenes, unbeknownst to the victim or business. In other instances, however, hackers pair data exfiltration with ransomware attacks.
As discussed earlier in this article, ransomware will sit inactive, waiting to spread throughout the network. When data exfiltration is paired with ransomware, during this period of “inactivity”, data is transferred out to the criminals’ file server. Then, once all the data is out, the ransomware encrypts the network.
Why would they do this? The reason is ransomware has been a threat for many years, so most businesses back up their data. But, businesses with solid backups have no reason to cooperate with the hackers that encrypted their data. So, hackers needed to come up with leverage to force businesses to pay a ransom.
The threat of having data exposed on the dark web is extremely effective to coerce payment of a ransom. Even if a business is able to recover and continue operations, potential reputational damage means most companies are willing to pay up.
Cyber Espionage
Cyber espionage combines a variety of techniques to spy on and gather intelligence. The targets are typically geopolitical, economic or strategic. And the perpetrators are often working on behalf of state-sponsored groups or well-funded cybercriminal organizations. Beyond that, their goal is to acquire high profile information, such as government secrets, intellectual property or trade secrets.
So, does cyber espionage have anything to do with small business? One reason smaller businesses may be targeted is they are part of a broader strategy to gain access to more powerful entities they work with. Another reason is smaller businesses may research, innovate or develop new technologies that are attractive targets, in and of themselves.
In other words, smaller businesses may be used as a stepping stone to their real targets. For example, a defense contractor might be targeted as part of a larger effort to reach the Department of Defense.
Another possibility is the small business may own information and technology that is more valuable than they realize. It turns out that a lot of industry disruption actually comes from small businesses, so this is a real possibility.
For these reasons, your business is at risk of espionage regardless of your industry and operation. It’s not necessarily about stealing your information and technology. It’s about using your business to connect to more strategic targets.
Conclusion
There you have it. There are many, many cyber threats to small business, and carried with those threats is the potential for very real damages. But, don’t despair. There are strategies that are accessible, even to smaller businesses, to reduce the likelihood and the impact of a cyber incident.