- Small business owners are still a target for hackers, largely because they lack cybersecurity protections.
- Phishing, brute-force attacks and ransomware are just some of the cybersecurity threats small business owners face.
- Remote work environments require small business owners to shift tactics in securing their networks.
- This article is for small business owners who want to protect their network and remote workforce from cybercriminals.
Hackers go after the low-hanging fruit, and what could be an easier target than remote workers? With working at home being the new norm amid the COVID-19 pandemic, small businesses remain a prime target for cybersecurity attacks.
It makes sense. Most small businesses don't have a lot of cash to spend on safeguarding their networks, nor were they prepared to shift to a remote work environment so abruptly.
An Accenture report found that 43% of cyberattacks target small businesses, and only a small fraction – 14% – of businesses have the protections in place to stave off an attack. That was before the pandemic, which makes a perilous cybersecurity situation even worse today.
"Small and medium-sized businesses are the No. 1 target for attackers because they don't have the security in place and they haven't deployed the technology they should have years ago," Rob Krug, network security architect at Avast Business, told Business News Daily. "Now everyone is diversified, and security is less enforced."
Types of cybersecurity attacks
Danger abounds for small business owners and their remote workforces as they navigate this new normal. Cybersecurity attacks are coming at them from everywhere. Small business owners need to protect their networks, make sure they're safe when using third-party software, and prevent their remote workers from clicking on the wrong thing. Security is a herculean task, but an important one. Recovering from a cyberattack can be costly and time-consuming. Many small businesses don't survive it.
Staying one step ahead of the bad guys is the first line of defense. That comes from knowing the cybersecurity risks, including the following:
Businesses had to scramble to give employees remote access to their networks because of the COVID-19 pandemic, with many turning to Remote Desktop Protocol (RDP) servers – a Microsoft tool for accessing Windows servers and desktops remotely. Many of these RDP servers were not running up-to-date software, leaving them vulnerable to cyberattacks. Criminals exploited that, leading to a huge upswing in attacks on these remote access servers.
Cybersecurity firm Kaspersky tracked 3.3 billion RDP attacks in 2020, up from 969 million in 2019. Hackers' preferred method of getting into these servers is brute-force attacks – meaning the cybercriminal forces entry into a network by trying known username and password combinations until one works.
"Adding RDP servers opened up businesses to an external world, putting them at risk," said Kurt Baumgartner, principal security researcher at Kaspersky.
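The brute-force pattern described above, one source hammering an RDP server with username and password combinations, leaves a clear trace in the Windows Security log: a burst of failed-logon events (ID 4625) from a single source address, sometimes followed by a successful logon (ID 4624). The script below is an added example, not code from the article or from Kaspersky or Avast. It assumes the log has been exported as flat lines of timestamp, event ID, logon type, username and source IP; the sample lines are constructed, and the threshold and window are tunable assumptions rather than published values.

```python
"""Flag brute-force logon attempts against an RDP host from exported
Windows Security log events.  Added illustration; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = "4625"    # Windows Security: an account failed to log on
SUCCESS_LOGON = "4624"   # Windows Security: an account was successfully logged on
RDP_LOGON_TYPES = {"10", "3"}  # 10 = RemoteInteractive (RDP); 3 = Network (NLA pre-auth)

# Constructed export: "timestamp event_id logon_type username source_ip".
# 203.0.113.7 tries six accounts in five seconds and then gets in as jsmith;
# 198.51.100.2 is a user who mistyped once; 192.0.2.99 fails slowly, below threshold.
SAMPLE_LOG = """\
2020-04-01T09:00:01 4625 10 administrator 203.0.113.7
2020-04-01T09:00:02 4625 10 admin 203.0.113.7
2020-04-01T09:00:03 4625 10 root 203.0.113.7
2020-04-01T09:00:04 4625 10 guest 203.0.113.7
2020-04-01T09:00:05 4625 10 test 203.0.113.7
2020-04-01T09:00:06 4625 10 user 203.0.113.7
2020-04-01T09:00:09 4624 10 jsmith 203.0.113.7
2020-04-01T09:05:00 4625 10 jsmith 198.51.100.2
2020-04-01T09:05:30 4624 10 jsmith 198.51.100.2
2020-04-01T09:07:00 4625 10 admin 192.0.2.99
2020-04-01T09:30:00 4625 10 admin 192.0.2.99
2020-04-01T09:55:00 4625 10 admin 192.0.2.99
2020-04-01T10:20:00 4625 10 admin 192.0.2.99
2020-04-01T10:45:00 4625 10 admin 192.0.2.99
"""


def parse_events(text):
    """Turn the flat export into dicts with a real datetime per event."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, user, src = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "id": event_id,
                       "type": logon_type, "user": user, "src": src})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: alert} for every source whose RDP logon failures
    reach `threshold` inside any `window`; severity is raised to "high" when
    a successful logon from the same source follows the failures."""
    failures, successes = defaultdict(list), defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] not in RDP_LOGON_TYPES:
            continue
        if e["id"] == FAILED_LOGON:
            failures[e["src"]].append(e)
        elif e["id"] == SUCCESS_LOGON:
            successes[e["src"]].append(e)

    alerts = {}
    for src, fails in failures.items():
        # Sliding window over the time-ordered failures: peak = densest burst.
        peak, start = 0, 0
        for end, f in enumerate(fails):
            while f["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        later_success = next((s for s in successes.get(src, [])
                              if s["ts"] > fails[0]["ts"]), None)
        alerts[src] = {
            "peak_failures_in_window": peak,
            "usernames_tried": sorted({f["user"] for f in fails}),
            "severity": "high" if later_success else "medium",
            "success_as": later_success["user"] if later_success else None,
        }
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)).items():
        print(src, alert)
```

On the constructed data only 203.0.113.7 is flagged, at "high" severity because a logon as jsmith succeeds right after the burst; that is the case worth paging someone about, since it suggests a password was guessed rather than merely attempted. Real deployments would read the events from the Security channel or a SIEM export, and the slow attempts from 192.0.2.99 show why a single burst rule is not enough on its own: a longer window or a per-account failure count catches the low-and-slow variant.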
Malware and phishing emails and texts
Phishing emails – in which hackers try to trick users into clicking on links – have long been a problem in the business world. It has gotten even worse during the pandemic, as the bad guys peddle fake COVID-19 cures, tests and access to vaccinations. It has gotten so bad that, in late December, the U.S. Department of Health and Human Services warned the public about fraud schemes related to the pandemic.
"The big thing that will continue this year is the constant phishing attacks," said Tiffany Garcia, national cybersecurity practice leader at CBIZ. "They are getting more sophisticated and looking more legit. With the COVID situation, they are really targeting people's hearts."
It doesn't help that many employees are using their personal devices or going rogue with the apps they install to communicate and remain connected to other remote workers. That makes a company more susceptible to malware and other nefarious infections. Since the pandemic, there's been an increase in fake versions of popular messaging and video conference apps that, once clicked on, install malicious software to track your movements and keystrokes. In 2020, Kaspersky spotted 1.66 million unique malicious files spread via fake versions of popular apps.
Ransomware is projected to cost the global economy $20 billion this year alone, as hackers break into company networks and hold their data hostage for a fee. Much of the attention is on big corporations, but small businesses are a prime target for ransomware attacks as well. It's particularly worrisome for smaller companies since the bad guys usually require payment in untraceable cryptocurrency. There's typically a tight deadline, making a difficult situation even worse.
Third-party vendor risk
Small business owners are relying on third-party software more than ever before. That increases the company's risk if the software isn't safe and secure. That was the case with SolarWinds, a software company catering to Fortune 500 and government customers. Earlier in 2020, the SolarWinds network was infiltrated by hackers who secretly installed malware on the company's software, which other companies were using to manage their IT resources. In turn, those customers were compromised.
"As SolarWinds shows, you have to be careful about what software you are installing," said Peter Fidler, partner at WCA Technologies.
Key takeaway: There are a lot of reasons for small business owners to worry about cyberattacks, especially in this remote work environment. Brute-force attacks, phishing and malware, ransomware, and shadow IT apps are all big risks that small businesses face on the cybersecurity front. Understanding the threats is the first step in protecting a business network.
Tips to protect your business from cyberattacks
Protecting your company from cyberattacks is a joint effort, whether your employees are home or in the office. You might have all the safeguards in place, but if you don't set boundaries with employees, you can easily get infected.
1. Control access.
This means segmenting permissions to access your systems and applications, blocking certain websites and apps, and teaching your staff about what to click on and what to avoid. It may be a refresher course for one employee and an eye-opener for another. The idea is to get everyone on the same page when it comes to cybersecurity.
2. Train employees.
Cybersecurity training is extremely important in a remote work environment, yet it's often overlooked. Kaspersky polled workers in April, a month into the pandemic, and found that 73% of those surveyed had yet to receive an IT security awareness update from their employer. The security firm also found that employees were overconfident in their cybersecurity prowess. Calling it "unconscious incompetence," Kaspersky said it's a threat if employees think they are the IT experts.
"There have to be clear policies on what kind of devices, the type of home network that can be set up, what employees are responsible for, and awareness about the shifts in [cyberattack] tactics," Baumgartner said. "The cybercriminals are going after people working from home. They need to be aware of that."
3. Vet your software.
As for using third-party software, cybersecurity analysts said it's important to properly vet the providers. You want to work with a reputable company that has a security policy in place to protect your business and your customers' data.
When you download software, Fidler said, you need to verify that the download link is the correct one and to consider blocking employees from installing it on their own. You can either outfit workers with laptops with preinstalled apps you've vetted or have the software live in the cloud, which employees access via a virtual private network (VPN). Either way, you want to prevent employees from installing unapproved apps that could infect your network with malware.
"If you use shadow IT, they can get access to the company's file server or wherever the files are kept," Fidler said. "Some of these are reputable, but a lot of them are trying to steal information or get in the system. You have to think before you click and know where it's coming from."
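One concrete way to act on the advice above, verifying that a download link is the right one and that only vetted software gets installed, is to keep an approved-software list that records the vendor's download host and the SHA-256 of the release the IT team checked, and to refuse anything that does not match. The script below is an added example, not code from the article or from WCA Technologies; the product name, host and installer bytes are constructed placeholders.

```python
"""Check a software download against an approved-software list before it is
installed: the link must be HTTPS on the vendor host on record, and the file
must hash to the vetted release.  Added illustration; all values constructed."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed stand-in for a vetted installer; in practice IT records the
# SHA-256 published by the vendor (or computed from a download they checked).
FAKE_INSTALLER = b"MZ-constructed-installer-bytes-v1.2.3"

APPROVED_SOFTWARE = {
    "examplechat": {                                   # hypothetical product
        "hosts": {"downloads.examplechat.example"},    # hypothetical vendor host
        "sha256": hashlib.sha256(FAKE_INSTALLER).hexdigest(),
    },
}


def check_download(name, url, data, approved=APPROVED_SOFTWARE):
    """Return (ok, reason).  Every check that fails stops the install."""
    entry = approved.get(name.lower())
    if entry is None:
        return False, "not on the approved-software list"

    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "download link is not HTTPS"
    if parts.username is not None or parts.password is not None:
        return False, "download link embeds a username or password"
    # hostname is lowercased and exact: a longer name that merely starts with
    # the vendor's host is a different host.
    if parts.hostname not in entry["hosts"]:
        return False, f"host {parts.hostname!r} is not the vendor host on record"

    digest = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(digest, entry["sha256"]):
        return False, "file hash does not match the vetted release"
    return True, "approved"


if __name__ == "__main__":
    good = "https://downloads.examplechat.example/setup.exe"
    print(check_download("ExampleChat", good, FAKE_INSTALLER))
    print(check_download("ExampleChat", good, FAKE_INSTALLER + b"tampered"))
```

A hash pin protects against a swapped or tampered installer but has to be refreshed on every vendor release, which is the cost of the control; on Windows, checking the file's Authenticode signature with `Get-AuthenticodeSignature` complements it by tying the file to the vendor's code-signing identity rather than to one specific build.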
Key takeaway: Your employees need to be your frontline defense against cybercriminals, especially in a remote work environment. To protect your network, you should control access to the network and apps, train employees on how to be safe and smart online and with email, and vet any third-party software you use.