Three Haunting SMB Cybersecurity Risks

Maybe it has to do with the price tag associated with well configured cybersecurity defenses, or maybe it has to do with the depth and breadth of action required to secure your IT network and systems. Nonetheless, we all get chills every now and then when faced with daunting business improvement projects. Finding the time, money, and people to implement big changes can cause anyone to put a good improvement project on the back burner

‍Since October is National Cybersecurity Awareness month, we think this is the best time of the year to bring up some spooky cybersecurity topics as we hope to encourage you to take the next step in securing your business data. Today, we bring you three examples of haunting SMB cybersecurity risk which will inspire you to implement good password policy, investigate how you can leverage a SIEM to harden your defenses, and show you where cybersecurity awareness training can help your employees build vigilance against fraudulent communications

Haunting Risk No. 1 – Getting sued by your clients and customers for damages related to a data breach.

After a reported ransomware incident in 2019, the Tampa, Fla. Based Musculoskeletal Institute is being sued for damages by patients who allege the company was, “lackadaisical, cavalier, reckless, or in the very least, negligent” in maintaining the privacy of patients’ information.

- According to an article from july 2020 at DataBreachToday.com.

No one wants to hear this from their clients, but this is the theme of data breach lawsuits in 2020 which, on average, cost a small or mid-market firm about $200,000 according to the insurance firm Hiscox in their annual cyber readiness report from 2019. Additionally, the report found that the number of firms reporting cyber incidents rose from 45% in 2018 to 61% in 2019. You can expect the number of cybersecurity insurance claims to rise again in 2020, and as any seasoned business professional knows, insurance coverage only goes so far.

Haunting Risk No. 2 – Employees getting scammed by phishing lures related to current events. One phish, two phish, red states, blue states.

‍Cybercriminals are not all creeps in hoodies hiding in the shadows. They are sophisticated con artists who understand how to leverage politics, pandemics, and social justice movements to pique the interest of their victims.

Security firm Proofpoint reports spotting thousands of malicious emails that will spread the notorious Trojan malware, Emotet by imitating messages from the Democratic National Committee with the subject “Team Blue Take Action” with a MS Word doc attached that alleges to contain “more info.” However, if the recipient opens the attachment, the attached file will download the Emotet virus onto their computer which using wormlike capabilities will infect other computers and servers on the network. Proofpoint reports that the campaign started Oct. 1, just in time for the peak of election fever, and this is their first known attempt at using a political angle.

Emotet is just one of thousands of known malwares that are being delivered using phishing schemes that rely on powerful psychology and social engineering.

Haunting Risk No. 3 – Allowing a hacker to enter your systems through an employee’s compromised credentials.

‍Every day major corporations experience data breaches. According to a report produced by the Identity Theft Resource Center, in 2019, over 164.68 million sensitive records were exposed in data breaches. You might ask, “What does it matter to me if Marriot gets breached?”

Well, surveys show that 53% of people admit to using the same passwords for personal accounts that they use for work accounts. With those credentials being sold on the dark web, you might want to ask them to change their password regularly where business data is concerned, and while they’re at it, why not increase its length and complexity? Hackers know most people will use their passwords across multiple accounts (62% surveyed admitted to using the same password across 3-7 accounts), and they employ automation to try the stolen passwords on business Office 365 accounts, Exchange server accounts, and remote access programs that are publicly visible. It’s similar to a car thief going through a mall parking lot looking for unlocked cars. Every day, the criminals get lucky, and someone continues to use a compromised password on a work-related account – essentially “leaving the door unlocked.”