- Todd Gillespie
2023 Small Business Cyber Threats
The cyber security outlook for small businesses in 2023 is very similar to last year. We’ve rounded up the usual suspects for you here, with a new wrinkle or two mixed in. Be sure to keep reading, as we’ve given you some tips to keep your business safe!
Here is what you and your team need to look out for in 2023:
That’s right, our old favorite is back. OK, its not back, since it never really went away. This guy’s whole purpose is to lock you out of your files and sell you the “key” to get back in. It can get into your computer in a number of ways, but primarily it comes in through an email. An unknowing, and typically, untrained user, clicks on a link in the email, and the next thing he or she knows is that their files are being locked.
Of course, the threat doesn’t stop at just the one computer. Ransomware can travel to network shares and even cloud file services like Microsoft 365 and Google Drive. It’s goal is to spread as far within your organization as possible. The attacker wants to inflict enough pain that you have no other choice but to pay them.
One potential twist in 2023 is we may see more ransomware for hire, or ransomware as a service. This is a scenario where the attacker isn’t sending this out there himself / herself, but instead selling it to “affiliates”. These affiliates are people, organizations or governments that lack the skills to create their own ransomware. They may not have the skills but they have the know-how to get the emails out there to the masses. In some cases the original bad guys sell these based on a percentage of what the other bad guys get in ransom money. The potential damage is scary.
Poorly Trained Employees
Here’s the deal, attackers are getting better and better. Their level of social engineering has elevated. The wording is no longer broken English sprinkled with misspelled words. In short, the bad things are harder to spot than ever, and the consequences are likely more damaging.
You have likely heard the term “human firewall”. If you’re not familiar, the human firewall is simply the line of defense you and your employees provide to the overall security structure. How good are you at picking out the bad things? How good are they?
Poorly trained employees are the single greatest vulnerability to your small business. Three separate reports show that 85% or more (up to 95% in two studies) of all breaches are caused by employee error.
Lack of Multi Factor Authentication (MFA)
You just logged in to some system and you’re proud of yourself for remembering your password! Good on you! Your reward? Waiting for a code to be texted to you for an additional step and more time wasted.
I get it, everyone hates it. But it is so important. In fact, you shouldn’t have a system that isn’t protected by MFA, its just dangerous.
At the end of 2022, we dealt with three separate clients who refused MFA on their Microsoft 365 (M365) accounts. It wasn’t determined how, but their passwords were compromised. It was likely on a phishing attempt (poor employee awareness) or maybe a data breach where the credentials were sold on the dark web. Regardless, the attacker was able to log into their M365 account and comb through their email. They then specifically targeted a client of theirs who regularly paid via wire transfer.
Next, they setup an obscure folder in Outlook that looked like a system folder and buried it a few levels down. They then createda rule to move any email to or from that customer into this folder – thus hiding it from the user. It wasn’t in the inbox and it wasn’t in the sent folder. The attacker then corresponded with the customer as though they were the victim, and in almost every sense they were, as they were right in their email account! These were all classic man in the middle attacks.
The end game was to send the customer a new set of banking details and a fresh invoice. The email claimed the victim was changing out banking details, and have revamped the look of their invoice just a bit. Remember this email didn’t come from an address that was close in spelling to the real one, or from any type of spoofed account. This was from the actual sender's email account.
In one case the victim sent an email to the customer, then went to look for it in sent items for some reason. They couldn’t find it and sent another. Still nothing in the sent items folder. However, when she sent something to other customers, those emails ended up in sent items. She called us and we were able to help her before anything happened.
Our second victim was bailed out by their customer calling to ask questions about their new bank account. They just wanted to make sure everything was on the up and up.
The third victim was not that lucky. They are out nearly $50,000 and are working through litigation now. The litigation isn’t between themselves and the attacker, but rather who is at fault between themselves and their now former customer.
All of these happened in Omaha. All targeted small businesses. All could have been prevented if MFA was in place. These would have never of gotten to the human firewall.
So, what do you do about all of this?
Put in Multi Factor Authentication anywhere you can
This goes both professionally and for your personal applications, accounts, etc.
Cloud computing is fantastic. It allows us to access resources from multiple devices from anywhere with an internet connection and it saves business from huge cash outlays for servers and software. However anyone with the right credentials can access it, and most times your username is just your email address – so an attacker can get that pretty easily. If you don’t have MFA in place all that stands between that attacker and your bank account is your password. Is it strong enough? Have you used it on other websites? Is it exposed in a data breach? Put in MFA.
Train your employees
Once a year or a quarter is not enough. It is much more effective to have quick, more frequent training sessions. Once a week for just a couple of minutes is good. There are some great providers out there. Ask your IT provider for recommendations or see if they can work it into your normal tech stack.
Layer your security
Free Antivirus isn’t enough. Neither is just a paid one! Different IT providers will tell you that you need three, or four, or six or eight layers of security. They’re all right and they’re all wrong.
Small businesses should layer as much as their budget will allow. The spend should make sense. If that means a physical firewall, email filtering and endpoint protection, great. That is much better than any single one of those. If it means adding encryption, real time dark web scanning, limiting admin privileges, and creating policies for work at home users – even better.
The idea here is the attacker has to get through not just one wall, but multiple obstacles.
Patch your Systems
You need to keep Windows and all your software up to date. Mac users – this means you too! Not doing this leaves you vulnerable to attack. Many systems can be put on auto update, but check with your IT provider as it sometimes makes sense to roll these out a few days after their original release.
Back it up
Seriously, this is still one of the best things you can do. Nothing is a matter of “if” anymore. You should be operating on a “when” scenario, because something is going to happen. Make sure you know what you are backing up, how often, and how long it will take you to restore. There are affordable options available.
I know this topic is boring. I know I’ve likely rehashed somethings and that sometimes gets tedious and causes people to lose interest.
If you take anything away from this – make sure you and your employees can spot malicious correspondence and that you’re backing things up!
Have a safe 2023!!!