Your Small Business and Protecting from Cybersecurity Threats

My last column was the start of a few topics about cybersecurity for small businesses. It has become a major concern for small business CEOs and a serious threat to their operation. I shared that some 76% of cyberattacks occur at businesses with under 100 employees. Cybercriminals know small businesses tend to be easy targets, and that accessing a small business’s computer networks often gives them entrée to client and vendor networks, too.

While digital transformation offers many benefits, it also comes with many challenges.

In this column I will give some further suggestions and share some information from a resource that SCORE and one of its content partners, Trend Micro, created on this topic.

For starters, I suggest that you first become aware of the three most common cyberthreats. Cyberthreats grow more sophisticated every year. Here’s what to watch out for.

Ransomware:

  1. Ransomware: Hackers get into your system and hold your data hostage until you pay a ransom. If you don’t pay, your business is out of commission. Ransomware cost companies $11.5 billion in 2019. That’s expected to rise to $17 billion in 2020 and $20 billion in 2021. Cybercrooks use various techniques to blend in, including:
    1. Obfuscation: Cybercriminals use obfuscation to conceal information such as files to be downloaded, sites to be visited, etc.
    2. Critical System: Attacks on critical infrastructure.
    3. Legitimate Software: Malicious files often come from software downloaded from URLs that were not whitelisted.
    4. Distribution Model: Popular websites housing malicious files.

     The digital extortion of businesses will continue. The value will be in ransoming Industrial IoT (IIoT). Attackers are discussing on underground forums how to monetize IoT infections.

Business Email Compromise:

  2. Business Email Compromise: BEC scams target companies that conduct wire transfers and have suppliers abroad. Since 2016 over $9 billion has been lost to business email scams. Email accounts of executives or high-level employees are either spoofed or compromised through keyloggers or phishing attacks to make fraudulent transfers.
    1. According to the FBI, there are 5 types of BEC scams:
      1. The Bogus Invoice Scheme: Attackers pretend to be foreign suppliers requesting fund transfers for payments to an account owned by fraudsters.
      2. CEO Fraud: Attackers posing as the company CEO or other executive send an email to employees in finance, requesting them to transfer money to the account they control.
      3. Account Compromise: An employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
      4. Attorney Impersonation: Attackers pretend to be from the law firm supposedly in charge of crucial and confidential matters. These requests are often made via email or phone, at the end of the business day.
      5. Data Theft: Employees in HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.
    2. Because these scams do not have any malicious links or attachments, they can evade traditional solutions. Employee training and awareness can help enterprises spot this type of scam.
    3. FBI Warning: The FBI has issued a warning anticipating a rise in BEC schemes related to the COVID-19 pandemic. “Fraudsters will take advantage of any opportunity to steal your money, personal information, or both. Right now, they are using the uncertainty surrounding the COVID-19 pandemic to further their efforts.”
    4. According to the FBI, there has already been an increase in BEC frauds targeting municipalities purchasing personal protective equipment (PPE) in the fight against COVID-19. Most of the recent BEC attacks were targeted at financial institutions or banks.

Cryptocurrency Mining:

  3. Cryptocurrency mining: These hackers don’t care about your data. They just want to get into your computer system and use its resources to mine cryptocurrency. These attacks target tablets, smartphones, routers, printers and IoT devices: any device with computing capabilities they can leverage.

In conclusion, you need to be aware of these common threats. The next step is to ask what you can do about them to protect your business. In my next column I will share with you the two areas of defense against cyberthreats: your users (you and your employees) and your devices. What I will share covers both, to keep your business safe.

About the Author(s)

Dean Swanson

Dean is a Certified SCORE Mentor and former SCORE Chapter Chair, District Director, and Regional Vice President for the North West Region, and has developed and managed many businesses. The Rochester Post Bulletin publishes his weekly article on a topic geared toward the small business community. The articles here are printed in their entirety.

Certified SCORE Mentor for the Southeast Minnesota Chapter