The numbers are dire and frightening. Small businesses account for 43% of all cyberattacks committed annually, and 46% of attacks are on small businesses with 1,000 or fewer employees.
As small businesses start using more advanced technologies and rely more on the cloud, that same technology can make them more vulnerable to attacks. In fact, small and medium-sized businesses on average lose approximately $25,000 annually to cybercrime. In 2020 alone, small businesses were the target of more than 700,000 attacks, which caused a total of $2.8 billion in damages, according to an Accenture Cybercrime study released recently.
Thanks to the astronomical growth of artificial intelligence capabilities and the constantly changing nature of these attacks, the problem isn’t going away. In fact, it’s only going to get worse, but there are steps small businesses and businesses of any size can take to reduce the danger.
What are the threats?
Accenture predicts that businesses will see a 15% increase in cybercrime costs by 2025. Elaine Dodd, vice president of the fraud division at the Oklahoma Bankers Association, saw this coming 20 years ago.
“It was a joke when I started up there 20 years ago that I’ll work myself out of a job, but when the internet really kicked in with a surge, it offered an opportunity for criminals to hit everybody,” Dodd said. “So, our small businesses get hit. Every single day.”
While many think of data breaches when it comes to cyberattacks, the majority of crimes are business email compromise, which is a type of phishing attack that targets organizations with the goal of stealing money or critical information. The other common crime is vendor email compromise, which is a subset of business email compromise attacks in which the hacker impersonates a third-party vendor in order to steal from that vendor’s customers.
“There is no way everyone can be completely protected,” Dodd said. “I think that is an impossibility at this point in time, but at the very least, every business should have a policy about who sends money wires based on work, especially if it’s based on an email.”
Ransomware, malware designed to deny a user or organization access to files on their computer and demand payment to regain that access, is also on the rise. Because of that threat, all businesses should have a backup system for all important contacts, files and information.
Timothy Fawcett, vice president of cybersecurity at Guernsey, said malware, viruses, ransomware, spyware and phishing are some of the more common threats to any business.
“Cyberattacks are constantly evolving, and business owners should stay informed of the changing landscape,” he said. “Know what you want to protect. You think it sounds obvious, but it is common that both large and small businesses don’t really think about what they are trying to protect or what level of sensitivity that data has.”
AI has made fighting attacks even more complicated. In social engineering, AI has perfected messages that carry a sense of urgency, and it can mimic a worker’s email writing style and even their voice.
“One of the ladies in our office got an email last week that was supposed to be from me, but it wasn’t,” Dodd said. “It sounded like something I’d write.”
Protect your business
While no business will ever be 100% protected, all can take steps to reduce the threat. Dodd reiterated that all businesses should double-check the source if asked to send money or a wire.
“Just be sure that before you send out a wire that you are double sure that you want that thing to go out,” she said. “Another big thing that would protect you is that most banks offer what you would call ‘positive pay.’ You tell them checks that you’ve written and amounts and to whom, and the banks will refuse payment if it’s not on that list. That is one of my favorite things to recommend to businesses.”
The Small Business Administration says businesses also can protect themselves against attacks by:
• Securing payment processing with banks and card processors to ensure the most trusted and validated tools.
• Controlling physical access or the use of business computers by unauthorized individuals. Laptops and mobile devices can be particularly easy targets for theft and can be lost, so lock them up when unattended.
• Backing up to cloud storage on a weekly basis.
• Controlling who has access to files and data.
• Using antivirus software and keeping all software updated.
• Enabling multi-factor authentication.
• Training employees on basic internet usage best practices.
“Don’t trust information from emails, as many financial fraud cases occur when another company’s email is compromised,” Fawcett said. “Picking up the phone and calling to confirm any financial change may save a lot of money and hassle. There are hundreds of practices that companies and individuals can do to protect their systems and data. Don’t hesitate to get a second opinion.”