What your business needs to know in 2023
76% of SMBs in 2022 have been impacted by at least one cybersecurity attack, a considerable increase compared to 55% in 2020.
What is considered to be a cybersecurity attack?
Glad you asked. A cybersecurity attack is considered to have occurred when there is any unwelcome (seriously, who welcomes in the thief?) attempt to steal, expose, disable, or destroy information through unauthorized access (by a single person or a whole group of nefarious actors) to computer systems.
If you own or are part of a business, this means that valuable information can be at risk, no matter the size of your business. Increasingly, hackers are targeting smaller businesses, which put fewer hurdles and less security infrastructure between the attacker and the data they want.
What kind of data do hackers want?
- Your confidential business information
- Intellectual property
- Asset information
- Identifiable customer information
- And much, much more.
These days, cyberattacks can also be tied to warfare and cyberterrorism. The main drivers of cyberattacks are criminal, personal, and political.
Typically, hackers are looking for data that can be valuable: financial information, information that can ultimately be sold on the dark web, or worse, information that can be leaked and played out in the public forum.
Average downtime for ransomware is 21 days.
Twenty-one days. What does 21 days of downtime mean to your business?
For 21 days, your users internally and externally (if your company offers portal access to customers) will be unable to view or retrieve data. Your IT team, assuming you have one, will be tasked with tracking down the cause of the attack. Even worse, if the intrusion is successful, odds are good that the ransomware will start to encrypt the data, making it irretrievable without a decryption key.
Operations can essentially be stopped for an average of 21 days. One day can feel like an eternity. Twenty-one days can shutter a business.
Phishing attacks are costing companies an average of $14.8K, or $1,500 per employee.
Sadly, this is on the low end. The more sophisticated phishing attacks get, the more money they’re going to cost your business. IBM reports that the average successful phishing attack costs a US-based business $7.9m. A mega breach could cost as much as $350m.
While this number can fluctuate depending on the source, the question you should be asking is “How much can my business actually afford to lose in a phishing attack?” The answer is probably closer to zero.
More concerning, statistics are now showing that a ransomware attack happens every 11 seconds!
Every. 11. Seconds.
Every 11 seconds another hacker is trying to infiltrate your systems. So, what chance do your employees have? Under constant bombardment with consistently more clever attempts, eventually even the most seasoned employee takes the bait.
The strongest recommendation is to consistently alert and train your team as attempts are made.
What are the types of phishing attacks?
While an attack is an attack, the more you know, the more you can protect yourself from phishing attacks.
Email phishing
Your team will likely see this the most. I personally see about 5 attempts a week in my email; you may see more or less. The tactics used in email phishing include fake hyperlinks that entice the user into divulging personal information. The email will appear to be from a known source, although the sender address is spoofed and, on a closer look, just not quite right. I’ve found the language in these attempts is a bit “off”, as well.
Whaling
Just like your sales team, hackers like to hunt for the “big fish” or the account “whale”. These are high-profile, high-dollar targets like your CEO, CFO or President of the company. These attacks are executed only after researching the targets. The hackers are looking for openings and insight into login credentials or similar types of sensitive information.
Malware phishing
You’ve seen it. It’s a random email from a “client’s” admin department, with a link to a PDF labelled “invoice”. It could be disguised as a resume, or maybe a bank statement. One user bites and the whole organization takes a tumble. Your IT department, assuming you have one, is left stunned.
Smishing
This type of attempt happens often too. “Smishing” is the marriage of “SMS” and “phishing” and attacks the user through text message. Again, the sender may look like someone you know or a trustworthy source, but these messages are equally dangerous to your organization.
Spear phishing
Let’s imagine for a moment that we are literally fishing. Where some of the other types of phishing cast large nets to attract as many random users as possible, the spear is a focused, highly targeted attack. The target’s personal life, social life and online presence, and business role are researched. The attacks are personalized, customized, and extremely difficult to detect.
Vishing
You may have experienced this one too. Vishing attacks are when you receive a call from a fake call center. The goal is to get you to log in to an account while the hacker VPNs into your system, essentially “visually eavesdropping” while you provide them with account information and other sensitive information over the phone. They may also coerce you into installing malware onto your device.
In most cases, and we certainly won’t judge, after an attempt or two you and your team will become more efficient at recognizing and quarantining or deleting attempts. A few thoughts to keep in mind to protect you and your team:
- Trust your gut. I can’t tell you how many attempts I’ve seen where the language was close, but just off enough. If it feels off, it likely is. (I typically forward the emails to the IT team for review, but deleting them is effective enough. Just don’t click on anything.)
- Look for misspellings and typos. Add to this words in places they don’t belong, such as awkward “pleases” in the text. Grammatical errors and misspellings are worth a flag, especially when just about everyone has a grammar check and a spell check on their device.
- Look for intimidating threats in the subject line. Account suspension threats, lock-out threats, anything in the text that sets your fight-or-flight response in motion is probably just another attempt. If you’re typically good with your billing and payments, this is another one to forward on to the IT team.
- Review the salutations. Let’s be clear: with today’s technology, very few emails should make it to your inbox addressed to “valued customer”, “important customer” and the like. You have relationships with companies, they know who you are, and their systems typically will personalize communications to you.
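The warning signs above (a sender address that is “not quite right”, a generic salutation, a threatening subject line, awkward repeated “please”) as a small triage script, added here as an illustration and not part of the original post. The trusted domains, addresses and the two sample emails are constructed; a real spell check is out of scope.

```python
import re
from dataclasses import dataclass

@dataclass
class Email:
    display_name: str
    from_addr: str
    subject: str
    body: str

# Constructed reference data: domains your organisation actually corresponds with.
KNOWN_DOMAINS = {"examplebank.com", "examplecorp.com"}
GENERIC_SALUTATIONS = ("valued customer", "important customer", "dear customer", "dear user")
THREAT_TERMS = ("suspend", "locked", "lock out", "final notice", "immediately", "within 24 hours")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1ebank.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def phishing_flags(msg: Email) -> list[str]:
    """Return the warning signs found; an empty list means none of these heuristics fired."""
    flags = []
    domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    if domain not in KNOWN_DOMAINS:
        # One or two edits away from a domain we trust is the classic "not quite right" address.
        if any(0 < levenshtein(domain, known) <= 2 for known in KNOWN_DOMAINS):
            flags.append(f"look-alike sender domain: {domain}")
        elif any(known.split(".")[0] in msg.display_name.lower() for known in KNOWN_DOMAINS):
            flags.append(f"display name claims a known company but domain is {domain}")
    first_line = msg.body.strip().splitlines()[0].lower() if msg.body.strip() else ""
    if any(s in first_line for s in GENERIC_SALUTATIONS):
        flags.append("generic salutation")
    if any(t in msg.subject.lower() for t in THREAT_TERMS):
        flags.append("threatening or urgent subject line")
    if len(re.findall(r"\bplease\b", msg.body, re.I)) >= 3:
        flags.append("awkward repeated 'please'")
    return flags

# Constructed samples: one look-alike phish, one ordinary statement notice.
SUSPICIOUS = Email("ExampleBank Security", "alerts@examp1ebank.com", "Your account will be suspended",
                   "Dear Valued Customer,\nPlease verify your details. Please click the link please.")
LEGIT = Email("ExampleBank Statements", "statements@examplebank.com", "Your March statement",
              "Hi Dana,\nYour statement is attached.")

if __name__ == "__main__":
    for m in (SUSPICIOUS, LEGIT):
        print(m.from_addr, "->", phishing_flags(m) or "no flags")
```

Forwarding anything that raises a flag to the IT team, rather than auto-deleting, keeps the examples the team can train on.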
Communicate with your team and consider your Cyber Insurance options.
There are few things worse, as a business owner, than having to tell your customers that their data has been compromised by a breach, especially if you don’t have the proper security barriers in place and the cyber insurance to cover the costs. If you’re operating a small business and don’t have the resources to maintain a full IT team, you may consider outsourcing. If any of your customers are government, healthcare, or education focused, then the issue of data compliance looms even larger for you.
The more you know…
The truth is, the best way to protect yourself, your company, your data, and the infrastructure of your organization is to stay aware. Learn all that you can. Resources are becoming more cost effective and broader reaching, but they can only be valuable to you if you seek them out. Share what you are learning with your team and be aware of the gaps you may have in your protections. Seek out a Managed IT Services vendor to complete your team. Start with a risk-free environment assessment to understand what you need and where you need it.
As scary as a breach may be, knowing what types of attacks are out there and how to avoid them is the first step in taking control of your organizational data security.