Small Business, Big Cybersecurity Risk

Many cybersecurity technologies focus on defending against specific threats, but targeted phishing is a nuanced problem that lacks a silver bullet. Phishing preys on a combination of human psychology and technological vulnerabilities. Gone are the days when a traditional email security gateway is sufficient to protect against email-borne threats.

According to the 2018 Verizon Data Breach Report, phishing attacks were at the heart of 93% of data breaches.  In fact, the FBI’s 2017 Internet Crime Report indicates that business email compromise (BEC) and phishing drive 48% of ALL internet crime-driven loss — more than all other business-related internet crime combined.  And with $12B lost globally, it’s proving extremely effective.

While these facts indicate defending against phishing attacks need to be a priority for all organizations, many small businesses (SMBs) often underestimate their risk level. “Why would I be a target – I don’t have anything worth stealing?” Unfortunately, that mindset could cripple a small business.   

Why Small Businesses Are Targets

Small businesses are targets simply because they exist. The cybercriminal marketplace, combined with attack automation, makes organizations of all sizes easy targets. Add in the preponderance of readily available information from numerous social media channels, and crafting legitimate-looking phishing email is child’s play. All of which create an environment where unsuspecting (multitasking, overwhelmed, distracted?) users unwittingly fall prey to the latest phishing email. If a cybercriminal can target thousands of organizations with a single campaign, varying the attack just enough to bypass traditional email security technologies, then any business can be a target.

Small businesses need to stop thinking “I’m not a target” and realize that everyone is a target.    

In more advanced scenarios, cybercriminals use small businesses as a gateway to much larger prizes.

With minimal security in place, small businesses are often the entry point to gain access to larger businesses with which they do business.

The massive data breach at a US-based retailer a few years ago is a good example. Through a phishing attack, cybercriminals gained a foothold in a third-party vendor that supplied services to the retailer and used that entry point to get into the IT environment. They went unnoticed for months and exfiltrated enormous amounts of customer data. While the direct financial impact on the small business may have been minimal, the effect on broader relationships could be insurmountable.    

What SMBs Can Do to Protect Themselves from Phishing Attacks

SMBs don’t need large budgets to effectively defend against phishing attacks. However, they need to change their mindset and recognize that it’s no longer if you will be attacked, but when.  

A good starting point is:

1. Understanding the threat landscape
2. Knowing where your sensitive data resides
3. Knowing what could likely cause your business harm

Most successful phishing campaigns tend to be very targeted (Spear Phishing and BEC), going after specific job functions in the organization that have access to or manage critical data and finances – C-level, HR, IT, Accounting and Finance. This is where cybercriminals pull emotional levers like trust and fear to get employees to take the bait.  Focus on securing those areas of the business as an initial priority, yet don’t stop there. Successful anti-phishing programs need to touch all employees through cyber intelligence training. 

SMBs should focus on three key areas to help defend against phishing attacks:

• Understanding the nature of phishing email
• Building a cybersecurity-aware corporate culture
• Deploying relevant anti-phishing security technologies and tools

Understanding the Nature of Phishing Emails

• Always be on your guard. While obvious issues like grammatical errors and spelling mistakes still exist, modern phishing emails look very legitimate. Treat anything from the internet as suspicious.    
• Be cautious of individuals or organizations that ask for personal information or transferring of funds. Don’t click on any links – verify directly with the company itself to avoid any potential issues.
• Take a close look at the sender’s email address (not the display name – this can be easily spoofed) when checking the legitimacy of an email. Would your CEO truly send you an email from their “personal” account asking you to transfer money?
• Don’t be frightened or intimidated by messages that have an alarmist or urgent tone.  Contact the company or individual directly if they are uncertain about the status of their accounts or the request.

Building a Cyber Aware Corporate Culture  

• Leverage free resources like the FTC’s Cybersecurity for Small Business and get educated.
• Make cybersecurity a priority for all employees, not just the IT team, and provide a written cybersecurity policy that all employees must read and acknowledge.
• If your business works with third parties and systems are integrated (e.g. retail POS), make it a policy to ensure their applications are secure – ask them about their security policies before deploying.
• Set formal, explicit security policies to stop BEC or CEO Fraud. For example, all wire transfers or movement of company funds requires verbal and written approval.  

Deploying Relevant Technologies and Tools

• Deploy a multi-layered email security posture including email gateway, anti-phishing and incident response technologies like EdgeWave’s Email Security
• Utilize two-factor authentication to access critical applications and systems
• If you have the budget, consider periodic security audits to identify security gaps

While small businesses tend to be more vulnerable to phishing, there are steps they can take to help protect their organization.  Although there is no silver bullet, a combination of employee education, formal cybersecurity policies and anti-phishing technologies can drastically reduce the risk of falling for a phish.

Authored by: