By: Dr. Michael Senft
Michael is a cyberspace operations expert and Army Veteran with nearly two decades of technical leadership experience supporting Academic, Intelligence Community and Special Operations organizations. He is a graduate of Virginia Tech and holds a Ph.D. from the Naval Postgraduate School.
Small and medium-sized businesses (SMBs) are vital contributors to our economy, driving innovation, creating jobs and supporting their local communities. Today they face an increasingly ominous challenge: the ever-growing threat of cyber crime and cyberattacks. In 2022 alone, the Federal Bureau of Investigation Internet Crime Complaint Center (IC3) received over 800,000 complaints reporting $10.3 billion in losses from cyber crime. Cybercriminals see SMBs as attractive targets because they have limited resources for implementing cybersecurity training and controls. Cybercrime as a service (CaaS) further increases the threat to SMBs by giving cyber criminals advanced capabilities to conduct attacks while improving their ability to avoid detection.
The motive for 98% of cyberattacks against SMBs is financial, with 94% of these attacks from external threat actors. According to the 2023 Verizon Data Breach Investigations Report, the three primary ways that cyber-attackers gain access to organizations are stolen credentials, phishing and vulnerability exploitation.
Types of Attacks
Social engineering attacks exploit human behavior to persuade targets to willingly hand over sensitive personal or business information such as passwords. Emotion, trust and urgency can be leveraged to convince targets to take actions that they would otherwise not take.
Phishing attacks deceive targets in a variety of ways, including masquerading as a coworker or disguising text messages as legitimate communications, to get them to reveal sensitive personal or business information. In contrast, vulnerability exploitation takes advantage of mistakes or flaws in software to allow attackers to gain unauthorized access to systems. While each technique is different, they can produce the same outcome: attackers gaining access to the accounts and systems of targeted businesses.
Business Email Compromise (BEC) is a sophisticated social engineering attack targeting individuals and businesses that perform transfers of funds, and BEC attacks have nearly doubled since 2021. Legitimate business email accounts are compromised and then used to organize and execute an unauthorized transfer of funds. With a median transaction size of $50,000, BEC attacks can be devastating to SMBs, as the loss of funds can imperil the execution of business transactions. Beyond the immediate financial losses, damage to a business’s reputation can lead to loss of customer trust and lost revenue.
Phishing attacks can take many forms, from email phishing to vishing to smishing. Email phishing uses deceptive weblinks to direct victims to malicious sites that steal account login credentials or other sensitive information. In vishing, a phone call is used to trick the victim into divulging sensitive information during the conversation. With smishing, victims are sent text messages that look like they were sent by a legitimate business but are designed to trick the victim into clicking a malicious weblink or responding to the attacker with sensitive information. SMBs are frequent targets of phishing campaigns because they often lack the extensive cybersecurity awareness training and robust email filtering systems that larger businesses have.
Ransomware attacks involve an attacker gaining access to a business’s data and then encrypting it in order to demand a ransom from the business for the decryption key. SMBs are especially vulnerable because they typically lack sufficient data backup and recovery systems. Even when ransoms are paid, there is no guarantee that the data will be recovered.
Insider threats are also a significant concern for SMBs. Insider threats can come from current or former employees misusing their access privileges to gain unauthorized access to systems or steal sensitive data. SMBs are at greater risk than large businesses because they typically do not have strict access controls or monitoring systems in place to quickly detect fraud or misuse.
Cyberattack Impact
Cyberattacks can be devastating for SMBs with wide-reaching impacts across both core and support functions. These impacts include:
- Financial Loss: Cyberattacks can result in direct financial losses to businesses from incident response costs, ransom payments, legal fees and remediation costs. Additionally, businesses can experience a loss of revenue in the event of disruption or downtime of critical functions.
- Operational Disruption: Cyberattacks can also generate losses in both short-term productivity and create long-term damage to a business’s ability to function effectively.
- Reputational Damage: Trust and reputation for a business can be tarnished following a cyberattack with potential loss of both partners and clients.
- Legal Consequences: Businesses may face legal repercussions if they fail to conduct due care and due diligence in protecting customer data and business assets. This can include penalties, fines and lawsuits.
- Intellectual Property Theft: The loss of a business’s intellectual property, proprietary information or trade secrets could result in competitive disadvantages.
Just last month, a cyberattack against Clorox disrupted its manufacturing operations and order processing, resulting in a sales reduction of over 20%. Beyond the $25 million Clorox has spent on incident response so far, the company also warned that it would post a loss for the quarter instead of an expected profit. A separate cyberattack against MGM Resorts International last month resulted in a $100 million negative impact on third-quarter results. Private customer data was also stolen in the attack.
Conclusion
Cybersecurity is not just a cost; it is an essential investment in the future of any SMB to protect against cyberattacks. A strong cybersecurity posture can also provide a competitive advantage to SMBs by helping to build trust with partners and customers. While not all cyberattacks can be stopped, business executives and boards have a fiduciary responsibility to exercise due care and due diligence for the cybersecurity of their organizations.