Cyberattack evolution: What small businesses need to know

Barely a week goes by without news of yet another cyberattack and the subsequent theft of sensitive data. Today’s cyberthreats have become increasingly sophisticated. Despite continued employee education around phishing emails, small businesses can never let their guard down.

For example, attackers are upping the ante around phishing. One technique being used is machine learning to quickly create and distribute realistic fake messages, in hopes of getting recipients to unwittingly compromise their organization’s network and systems, according to Michelle Moore, PhD, academic director of the Master of Science in Cybersecurity Operations and Leadership program at the University of San Diego.

Phishing attacks are also becoming more automated. This is creating an opportunity for “more unsophisticated and malicious cyber actors [to enter] into the cybercriminal ecosystem,’’ as per Connecticut’s Public Utilities Regulatory Authority, which says cyberthreats targeting utilities in the state are increasing and growing more sophisticated.

Similarly, ransomware has become more intricate. A relatively new trend: hackers demanding their ransoms be paid anonymously, thanks to the growing popularity of cryptocurrencies like bitcoin.

However, in many cases, it’s not that the methodology is new, but that attackers have adapted and improved their techniques, notes Candid Wüest, Vice President of Cyber Protection Research at Acronis.

“For example, we have seen that phishing emails increasingly make use of trusted cloud services like Google Docs to send their spam messages,’’ Wüest says. “Personalizing the email with data from previous data breaches is also a common method to increase the click rate.”

“The hard reality,” he continues, “is that many small businesses only discover that they have been compromised when it is too late.” By the time you receive a ransomware demand, or start getting customer complaints about strange malware-laden emails, the damage is already done.

Unfortunately, “the majority of small companies do not have holistic monitoring in place,” says Wüest. “Even if they do have the visibility, they don’t have the resources to manually analyze and follow up on each alert.”

How small companies can respond

Small businesses have moved workloads and data to various cloud services during the pandemic, yet they often don’t fully understand all the interactions and dependencies within these complex environments, Wüest says.

This is where it’s useful to find an external partner who specializes in cloud services. There are also some key steps small businesses can take to protect themselves from a cyberattack. First and foremost, data must be backed up, regardless of where it resides.

Secure your network and all the devices that connect to it. If you’re not already using a firewall, consider installing one. It’s also important to regularly update the software — anti-malware and otherwise — on each of your business’ computer systems. 

Other steps include encrypting sensitive data, using multi-factor authentication, and systems monitoring. It is imperative that you train your staff on how to stay safe online. Don’t think of it as a one-time occurrence. Training and conducting simulations should be ongoing.

This requires staying up to date on the latest cyberthreats. Small business can search online security vendor sites and trade publications to stay educated. Mitigating them is of course, another matter. If your business doesn’t have internal security expertise, find a security-focused managed services provider that does. With the average cost of data breaches now in the millions of dollars, proactive protection is more than worth the investment.

Click here to discover how to protect your business against the top Cyberthreats with Acronis.