The Top 11 Cybersecurity Risks to Small Businesses
I am frequently asked what the biggest cybersecurity risks are for small businesses. While every business is unique, and, as a result, is vulnerable to somewhat different dangers than every other business, there are certain commonalities across industries and geographies. The following list is not meant to be comprehensive, just to point out what are likely the eleven most common areas of risk.
1. Phishing and Related Forms of Social Engineering
Despite being around for decades, phishing remains the primary entry point for a majority of successful cyberattacks; humans are simply gullible. In recent years, however, attackers have dramatically improved their attacks by leveraging generative AI tools to craft both deepfakes impersonating people of authority and hyper-personalized, context-aware, and grammatically flawless phishing emails at scale. These campaigns easily bypass basic filtering technologies and often look entirely legitimate to employees, dramatically increasing the rate at which people fall for the scams. Real-time, synchronous social engineering attacks are also becoming increasingly common.
2. Ransomware
Ransomware is not a new problem, but today we face widespread use by criminals of the many ransomware-as-a-service (RaaS) options available on the dark web. These offerings have transformed ransomware from a tool of sophisticated hackers into something that is effectively in the arsenal of any criminal who wants to use it. The ransomware-as-a-service business model allows entry-level attackers to rent sophisticated encryption tools and extortion infrastructure – you can think of the offering as almost being a cloud application for criminals. Also, keep in mind that today’s ransomware attacks are often cases of double extortion – attackers not only encrypt their victim’s data until a ransom is paid, but also pilfer the victim’s data and threaten to leak it unencrypted to the public if the demanded ransom isn’t paid.
3. Business Email Compromise (BEC)
Business Email Compromise (BEC) attacks come in multiple flavors that blend social engineering and hacking. Attackers spoof and/or gain unauthorized access to email accounts and insert themselves into communications in such a manner as to cause a victim either to send sensitive information to the criminal or, more commonly, to redirect payments to the criminals instead of sending them to legitimate parties. Often BEC attacks take the form of seemingly valid requests to change payment instructions – sent by the criminals shortly before a payment is scheduled to be made. Likewise, attacks often include the submission by criminals of fraudulent invoices, or the impersonation of an executive instructing an employee to make a particular wire transfer or to send copies of sensitive information such as the organization’s employees’ W-2s.
4. Weak Identity Security (including Weak Passwords) and Credential Theft
Yes, there are still environments in which people use weak passwords and/or write their passwords down on notes placed under keyboards, mouse pads, or phone chargers. Furthermore, hackers are well aware that attempting to use a login-password combination stolen from one site on another site is likely to yield some good results – credential stuffing and other related brute-force attacks exploit an effectively unsolvable problem with human-used passwords: password reuse. If an employee uses the same password for their personal social media account, email, or dating app and their corporate workstation or other business system, a breach at a third-party site becomes a ticket for attackers to enter the business as well. This is especially true if Multi-Factor Authentication (MFA) is not in use on the business system. Keep in mind that MFA also suffers from weaknesses; SIM swaps, for example, are a common problem.
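As an added defender-side illustration (not part of the original article), the script below flags the credential-stuffing pattern described above: one source address cycling through many different usernames rather than hammering a single account. It runs over constructed sample log lines in an assumed `timestamp user ip result` format; the addresses and usernames are placeholders.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system).
# Format assumed for this example: "<timestamp> <user> <source ip> <FAIL|SUCCESS>".
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice 203.0.113.5 FAIL
2024-05-01T09:00:02 bob 203.0.113.5 FAIL
2024-05-01T09:00:02 carol 203.0.113.5 FAIL
2024-05-01T09:00:03 dave 203.0.113.5 FAIL
2024-05-01T09:00:03 erin 203.0.113.5 SUCCESS
2024-05-01T09:00:04 frank 203.0.113.5 FAIL
2024-05-01T09:00:05 alice 198.51.100.7 FAIL
2024-05-01T09:00:09 alice 198.51.100.7 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")

def parse_log(text):
    """Parse lines into (timestamp, user, ip, result) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())
    return events

def find_credential_stuffing(events, min_users=5):
    """Flag source IPs that tried at least `min_users` distinct usernames.

    Stuffing walks a leaked user/password list, so the signal is one source
    touching many accounts, not many failures on one account (that is password
    guessing). A SUCCESS inside such a burst marks a reused password that hit.
    Returns {ip: {"users": n, "failures": f, "successes": s}} for flagged IPs.
    """
    per_ip = defaultdict(lambda: {"users": set(), "failures": 0, "successes": 0})
    for _ts, user, ip, result in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["failures" if result == "FAIL" else "successes"] += 1
    return {
        ip: {"users": len(s["users"]), "failures": s["failures"], "successes": s["successes"]}
        for ip, s in per_ip.items()
        if len(s["users"]) >= min_users
    }

if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {stats}")
```

The second address (one user, one success after one failure) is ordinary behaviour and is not flagged; the first is, and its single success is the account to reset first.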
5. Cloud-related Misconfigurations
A growing number of small businesses rely heavily on platforms like Microsoft 365, Google Workspace, and Amazon Web Services (AWS) – but many small businesses are not adequately prepared to secure their access to such systems. While the cloud providers have armies of cybersecurity professionals at their disposal and do deliver some aspects of the necessary security – for example, securing the underlying infrastructure – they do not secure everything; businesses using the platform are, for example, responsible for properly setting up and managing user (and, sometimes, system) access controls. Publicly exposed cloud storage, weak default settings left in place, and overly permissive user access privileges are mistakes that can easily lead to problems.
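An added example, not from the original article: a small checker for the "publicly exposed cloud storage" mistake named above, run against a constructed S3 bucket policy that grants anonymous read alongside a properly scoped statement. The bucket name, account id and role name are assumed placeholders.

```python
import json

# Constructed sample bucket policy (not from any real account): the first
# statement grants anonymous read of every object, the second is scoped to a role.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AppAccess", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})

def _principals(principal):
    """Flatten a Principal ("*", {"AWS": "..."} or {"AWS": [...]}) to a list of strings."""
    if isinstance(principal, str):
        return [principal]
    out = []
    for value in principal.values():
        out.extend(value if isinstance(value, list) else [value])
    return out

def is_public(stmt):
    """True for an Allow statement that anonymous callers can use: Principal "*"
    (or {"AWS": "*"}) with no Condition. Conditioned wildcard statements are not
    flagged here because only evaluating the Condition shows who it really admits."""
    if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
        return False
    return "*" in _principals(stmt.get("Principal", {}))

def public_statements(policy_json):
    """Return the Sids of statements that open the bucket to the public."""
    policy = json.loads(policy_json)
    return [s.get("Sid", "<no Sid>") for s in policy.get("Statement", []) if is_public(s)]

def harden_policy(policy_json):
    """Return the policy with public statements removed; scoped statements are kept."""
    policy = json.loads(policy_json)
    policy["Statement"] = [s for s in policy.get("Statement", []) if not is_public(s)]
    return json.dumps(policy)

if __name__ == "__main__":
    print("public statements:", public_statements(WEAK_POLICY))
    print("after hardening:", public_statements(harden_policy(WEAK_POLICY)))
```

Removing the statement is only half the fix: the bucket's public access block settings and object ACLs also need to be closed, since they are separate controls from the policy document.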
6. Supply Chain and Other Third-Party Vendor Risks
You are only as secure as the weakest link in your supply chain. As such, it is important for small business operators to remember that hackers who exploit security weaknesses at the business’s vendors, managed service providers, software providers, and cloud platforms may be able to leverage those compromises in order to find one or more paths into the business’s own systems and data. Infiltrating a vendor trusted by many businesses allows attackers to potentially breach all or many of that vendor’s downstream clients. It is no secret, therefore, that cybercriminals regularly target smaller managed service providers (MSPs), payroll vendors, and SaaS tools used primarily by small businesses.
7. Remote (and Hybrid) Work Vulnerabilities
Remote work has become quite normal and common since the COVID-19 pandemic that began over half a decade ago, but remote work has stretched organizational networks and placed perimeters at points not under organizational control. Employees accessing corporate resources from their home Wi-Fi networks create all sorts of new risks – and not every business that allows remote work has adequately addressed such dangers. Employees using outdated home routers, sharing devices with other family members, printing work-related documents on home printers, utilizing personal devices (Bring Your Own Device / BYOD) without any organizational controls and/or endpoint management, or connecting via VPN services not approved by the organization can expose business operations to potential issues including external monitoring and compromise.
8. Unsecured Internet of Things (IoT) Devices
Many of today’s phones, doorbells, watches, cameras, and televisions contain full-blown computers within them – and are hackable or otherwise exploitable by criminals. These devices are frequently deployed, by mistake, with factory-default administrative passwords still in place – making them easily manipulable by anyone who has access. Likewise, many organizations do not regularly apply firmware updates – sometimes leaving dangerous, exploitable vulnerabilities in place. And, in some cases, businesses have connected smart devices to the same network segment as critical business servers and customer databases – meaning that a breach of the former can lead to monitoring of, or attacks being directed at, the latter.
9. Unpatched and No-Longer-Supported Software
Cybercriminals use automated scanners to hunt for known software vulnerabilities. When software vendors announce new patches for bugs, they are protecting the public but, simultaneously, offering criminals a roadmap for exploitation. Small businesses often rely on outside service providers to perform system updates and, therefore, often delay patching until a specific date and time when the outside party services them, thereby leaving known security flaws in place for hackers to exploit. Likewise, small businesses tend not to upgrade software often – but using unsupported old versions of software means that if a vulnerability exists it may never get fixed.
10. Insider Risk (Intentional and Accidental)
Insider risk is likely the most dangerous risk to any organization – insiders know what systems a business has and what data may be most valuable. They also already have access to systems and data, and don’t need to fight to gain such access. Of course, not all internal threats emanate from people who are malicious or disgruntled. In fact, the vast majority of insider risks stem from unintentional actions, AKA simple human error – such as an employee misconfiguring an access link, emailing sensitive data to the wrong recipient, or accidentally deleting a critical production database.
11. Data Breaches (including privacy violations)
The media regularly reports on large businesses suffering the exposure of their customer, employee, or financial data, and often reports on the resulting regulatory penalties, lawsuits, reputational damage, and operational disruption. While the media naturally focuses on large businesses and large breaches that impact large numbers of people, the reality is that nearly half of all attacks are directed at small businesses, and, according to many, small businesses are, in fact, breached more often than larger businesses. Worse yet, unlike in the case of large businesses, the consequences to small businesses of a data breach are often existential – a significant percentage of small businesses that suffer a catastrophic breach close down within six months.