Cyber Attackers Think Small Businesses Make Easy Targets: Here’s How To Prove Them Wrong
November 08, 2021
Cyber Attackers Think Small Businesses Make Easy Targets: Here’s How To Prove Them Wrong
- Big corporations aren’t the only victims of cyberattacks. Attackers know that small to medium businesses (SMBs) don’t have as many resources to defend against hacks. Small fintech companies in particular can be lucrative targets.
- Some SMB-owners still view cybersecurity as a cost. But a robust cybersecurity program is a selling point with customers. And the financial and reputational repercussions of an attack make these programs major revenue-savers long-term.
- Not all cybersecurity protocols are technically complex. From training staff to be suspicious of the emails they receive, to activating multi-factor authentication, there are relatively simple steps you can take to protect against cyberattacks.
Cybersecurity is having a moment in the spotlight — for all the wrong reasons.
The number of cyberattacks has surged in 2021, and large corporations aren’t the only ones being targeted.
Attackers know that small to medium businesses (SMBs), and fintech companies in particular, have access to valuable data sets and assets — and don’t have as many resources to combat potential threats.
The good news is that more SMBs are waking up to the importance of a robust cybersecurity program as not just an annoying cost, but a selling point that can reassure customers and potentially boost revenue.
Based on an interview with Havoc Shield co-founder and CEO Brian Fritton on an episode of the Go for Launch podcast, here’s what makes SMBs so vulnerable to cyberattacks, the financial benefits of a cybersecurity program for SMBs, and easy steps these businesses can take to defend against cyber attackers.
Small companies — especially in fintech — are tempting targets for ransomware attacks
Only data breaches and ransomware attacks that involve large or high profile organizations typically end up in the news. This gives the impression that attackers are more likely to target major businesses than small companies. The bigger the target, the more data or money the malicious actors can leverage, right?
Brian says that small companies are actually more appealing to attackers, “because traditionally, they haven't put the types of resources into their security programs that larger companies have.”
These smaller companies are referred to as “squishy targets,” he says. With lower budgets and fewer dedicated network security staff, the IT teams at these businesses fall behind on fundamental cybersecurity protocols, e.g. putting out security patches to fix vulnerabilities, training nontechnical staff, and activating two-factor authentication.
Small to medium fintech companies make particularly good targets. These businesses typically don’t have the same levels of security as corporate-sized counterparts, but are still handling significant amounts of money.
Brian knows this first-hand from his time as co-founder and CTO of real estate crowdfunding site Patch of Land. He and his team had a couple of scares, but were saved by precautions they’d taken against cyberattacks.
“If you're a fintech company that processes $2 million dollars through the wire every day, or helps other companies process sensitive data that attackers want access to for financial means, or because they don't like your business or your customers, you’re a much easier target,” he says.
Fortunately, more SMBs are recognizing the need to be proactive about cyberattack defenses. These companies are also beginning to understand that cybersecurity programs are within budget.
“SMB is the largest growing segment of the cybersecurity industry,” Brian says. “Small business owners are getting more proactive and smarter about this every single day. They're willing to put the resources into this, because they see the risk.”
Your business’ cybersecurity safeguards are an incentive for customers
Media stories on cyberattacks against major corporations have made small business owners more aware of the less-expected repercussions of a data breach. You don’t just lose data: You lose trust, credibility, and business.
From the moment the attack happens, it becomes your IT team’s main focus. That time and effort could be going towards other, revenue-generating projects.
Once the immediate threat has been dealt with, there are other potential long term impacts on revenue.
Every U.S. state and certain territories have laws requiring that companies that experience a data breach report it to users, and potentially other stakeholders and the government.
Having a data breach or ransomware attack in your history is a red flag for potential customers — especially if you’re trying to get government contracts. “You're not going to get their business, so it’s really a revenue problem as well,” Brian says.
The flip side is that having a robust cybersecurity program you can tout has become a selling point for potential and existing customers.
“The reality of the security responsibility inside organizations, especially small ones, is that it's still seen as a cost, and not as the revenue-accelerator, customer-converter, or reputation asset that it is,” Brian says.
Failing to put precautions into place might also affect how much you have to pay in cyber incident insurance premiums.
“The premiums for cyber incident insurance are up 200% to 300% just this year alone, and they are covering less and less,” Brian says. “If you cannot prove that you've put forth a diligent level of effort in defending yourself in the first place, they'll deny coverage more than they have before.”
You may think that you can’t afford robust cybersecurity. But if you take that gamble and lose, the repercussions could cost more money and time than investing in the program in the first place.
4 low-tech, low-cost cybersecurity tips
To prove that cybersecurity doesn’t have to be expensive or overly technical, here are four straightforward fundamentals every small business should have in place.
1) Multi-Factor Authentication
Multi-factor authentication requires that users have more than one type of information to log in. The three most common types of authenticator are:
- Something you know (e.g. a password)
- Something you have (e.g. a code sent to your phone)
- Something you are (e.g. fingerprints)
Requiring a user to have more than one of these in order to log in adds another layer of security for an attacker to break through.
Unfortunately, multi-factor isn’t the default access style for some external software commonly used by businesses. Google, for example, announced in May 2021 and reiterated in October that it will only automatically switch all Google Suite users to 2-step verification (a type of multi-factor authentication) by the end of 2021.
Don’t wait for SaaS companies to take the initiative: Make multi-factor authentication part of your security program now.
As Brian explains, “That is one of the most important protections that you could possibly have. It's not a silver bullet, but it will help protect against a bunch of threats.”
2) Train Your Staff in Basic Cybersecurity Protocols
We probably all know someone who has clicked on a seemingly innocuous email, only to realize too late that it was part of a cyberattack. Or maybe you’ve been directly affected by a similar nefarious scheme.
You can take all the technical precautions you like, but if your users aren’t educated about potential risks, they still represent a weak link in the chain of defenses.
“A lot of ransomware gets in from someone clicking on the wrong link, or opening up a bad file,” Brian says. “Train your staff. There's excellent, engaging training out there, as well as simulations of phishing emails, getting people used to being suspicious about the types of emails that are coming into their inboxes.”
3) Operate on the Principle of Least Privilege
One technical step you can take to help mitigate the impact of human error is to limit access to sensitive data to only the people who need it to do their jobs. This extends to administrator privileges on company computers.
This approach is called the principle of least privilege. As Brian explains it, “You should really only have access to what you need to have access to day to day.”
For example, the person in charge of payroll needs access to staff members’ social security numbers: but someone working in the marketing department shouldn’t be able to see these. Similarly, the IT department needs to be able to install updates across all company computers: but individual users shouldn’t have this capability.
The idea is that if an account is compromised, the attacker won’t be able to access every single piece of data, or take control of the network and launch a large-scale ransomware attack.
As more companies have adopted the least privilege approach, more SaaS companies are selling tools that make it easier.
“There are modern tools and processes — and we work with several of them — that make it really convenient to put in place,” Brian says. “It's no longer this inconvenient, Oh, I’ve got to file a ticket with IT and wait days to install a software program.”
4) Stay on Top of Your Data Backups
Keep backups of all the business’s critical files and data in a separate environment, and update them regularly.
This is especially critical in the case of a ransomware attack, in which a bad actor gains access to your files and data, and essentially takes them hostage.
Even if the attacker claims that they’ll return what they stole after you pay them, it’s unwise to take the people who illegally hacked their way into your system at their word. “The best thing to do is try to prevent [an attack] to begin with, and then be able to recover without [the attacker],” Brian says.
Maintaining a backup separate from the rest of your systems means you can isolate a copy of your assets from the threat, and restore them without needing to work with the attackers.
Unfortunately, this doesn’t stop the attackers from leaking your sensitive information if they feel like it. Which is why prevention is the best strategy.
This blog post is based on an interview with Brian Fritton, co-founder and CEO of Havoc Shield, on the Go for Launch podcast. Listen to the episode to hear more from Brian on cybersecurity risks to small businesses. For more on training your staff to spot phishing attacks, read this article from the Havoc Shield blog.