When it comes to choosing a victim, cybercriminals often look for low-hanging fruit. They seek the path of least resistance to keep their chances of success high and of getting caught low.
This is why so many criminals target small- to medium-sized businesses (SMBs). It is no secret among SMBs that they are frequently targeted by attackers. In fact, a research report from the Better Business Bureau shows that 87 percent of SMBs are aware that they are not safe from cybercrime. Despite this awareness, cyberattacks cost SMBs an average of $2,235,000 in 2017. This means smaller companies are still failing to properly secure their assets.
The types of countermeasures that most SMBs rely on to safeguard their organizations are indicative of what they consider to be their most common IT security threats. According to the Better Business Bureau report, 83 percent of SMBs employ antivirus solutions, and 80 percent use firewalls.
These solutions are good at detecting and safeguarding against known threats; however, attackers often take advantage of this. For starters, attackers know that IT departments in most SMBs lack the technical skill and specialized knowledge to properly configure these solutions. Attackers may also alter the code of their malware or raise the level of sophistication of their attack to bypass these safeguards. Let’s look at some ways they are able to do this.
Currently, thousands of strains of ransomware exist, and new ones are created every day. Once this type of malware infects a vulnerable computer on your network, it can spread to other computers, servers, and storage. Ransomware locks you out of the files on the infected machine using encryption, and then the criminal demands a ransom be paid in exchange for the decryption key. If it is not paid, the files are eventually destroyed. In some cases, the ransom goes up as time passes to create a greater sense of urgency and encourage payment.
CEO fraud emails are sent to individuals in a business, usually someone with the ability to wire money. The email is crafted to look like it came from the CEO and requests that an urgent payment or wire transfer be sent to a bank account for payment. The bank account is actually set up by the criminals, and they make off with the money. According to the FBI, these types of attacks have cost businesses over $12 billion since 2013.
Data breaches are the old standby for cyber-criminals. Attackers look for a weak spot in an organization’s defenses and exploit it to gain access to network resources. Once inside, they can escalate the privileges of the compromised account and have free rein to explore their victim’s network for valuable information, such as:
- Intellectual property
- Personal data
- Customer data
- Financial data
- Resources to use for other attacks
Once attackers have compromised a network, they can go undetected for months, even years, and the cost to eradicate them can put an SMB out of business.
One is hard-pressed these days to find a business that doesn’t have a website or use a customer relationship management or enterprise resource planning solution. Yet, although these tools are almost necessities, they are not the easiest to implement. Even something as easy as a WordPress site requires in-depth knowledge of server and software configuration to properly configure it against vulnerabilities. When software is not properly configured, upgraded, and managed, it leaves gaping holes in your organization for attackers to exploit.
Imagine if your customers could not access your website because it was down, and there was nothing you could do to bring it back up. Or if one of your business-critical applications was suddenly inaccessible to your employees, and nothing you did could restore their access it. Criminals can cripple a business by launching distributed denial of service (DDoS) attacks, which cripple websites and other systems by using up so many resources that they overwhelm their targets and render them useless. Some people launch DDoS attacks just for fun; others, to help a competitor gain an advantage. Without people on your team who know how to protect and thwart these types of attacks, you are looking at a long period of downtime.
The unfortunate reality is that none of these types of attacks require in-depth knowledge to carry out. Malware, DDoS tools, and phishing kits are sold inexpensively on the dark web. Anyone with access to them can successfully launch an attack with little chance of being caught if he or she follows the instructions. Conversely, it takes a great deal of knowledge and specialized skill to defend against them. Simply installing antivirus software and a firewall won’t do the trick.
If you want to truly defend your business against modern-day threats, you need a team of security-minded professionals to do the job right. While most SMBs lack the resources to fight against these attacks, they can turn to a trusted partner to work with them to strengthen their defenses and monitor their systems for malicious activity. By partnering with the right professionals, not only will you ensure that you’ve done everything within your power to prevent attacks, but also—if an attack is successful—you will be able to identify and stop it before any real damage is done.