Image: Jaiz Anuar/Shutterstock

Cybercriminals are constantly looking for the best return on their investment and solutions that lower the chance of being caught. Sadly, that appears to mean small businesses are their current target of opportunity.

Old problems specific to SMBs

Tech media and cybersecurity pundits have been sounding the alarm and offering small businesses specific cybersecurity solutions for a few years now, but it seems to no avail. Nathan Little, vice president of digital forensics and incident response and partner at Tetra Defense, in his CPO Magazine article “Cybersecurity Challenges for SMBs in 2021,” takes a detailed look at why that is. He starts by looking at what he calls “old problems,” the ones smaller companies have a hard time eliminating. Here are some examples:

SEE: Security incident response policy (TechRepublic Premium)

Communication: Cybercriminals often exploit the lack of interdepartmental communications. And, due to limited resources, poor communication is more common in smaller organizations. Little adds, “Without clear communication between teams, knowledge transfer is impossible, and potential incidents become even more chaotic and confusing than they already are.”

Deception: The success of phishing attacks is proof of how well deception works, and, when something works, cybercriminals will test every avenue of fraud available to them. Little mentions, “Even with robust technical safeguards or the latest security solutions, humans behind the screen are often easier to trick, and often allow attackers into networks themselves.”

Cybersecurity education: Once again, SMBs are at a disadvantage compared to large corporations with education departments and training budgets to help employees. The lack of qualified cybersecurity professionals comes into play as well. The appeal of higher salaries and perks sends those who have the qualifications to larger companies.

New problems specific to SMBs

Little next takes on what he calls “new problems:” Challenges facing SMBs that are somewhat obscure, not mainstream, and seldom considered by those responsible for cybersecurity in smaller businesses. What’s interesting is the common thread that runs through Little’s new problem list — company size is not a consideration.

Opportunity: As mentioned earlier, cybercriminals will change their tactics to derive the most benefit and least risk to themselves. Dark-side developers are helping matters by creating tools that require minimal skill and effort to operate.

“Ransomware as a Service (RaaS) has revolutionized the cybercrime industry by providing ready-made malware and even a commission-based structure for threat actors who successfully extort a company,” explains Little. “Armed with an effective ransomware starter pack, attackers cast a much wider net and make nearly every company a target of opportunity.”

Automated scanning: A common misconception related to cyberattacks is that cybercriminals operate by targeting individual companies. Little suggests cyberattacks on specific organizations are becoming rare. With the ability to automatically scan large chunks of the internet for vulnerable computing devices, cybercriminals are not initially concerned about the company.

The following steps are typical of an automated scan attack:

  • Scanning tools are used to find computers in a specified address range having a vulnerability the cybercriminals can exploit.

  • A list of vulnerable devices is compiled.

  • One by one, the cybercriminals will exploit the vulnerable systems.

Little mentions, “Only after they’ve gained access to the network will they find out whose network they’ve compromised.”

Automated extortions: Little is very concerned about a new bad-guy tactic spreading quickly — automated extortion. The idea being once the ransomware attack is successful, the victim is threatened and coerced automatically.

Currently, two threat actors are using automation. One continuously posts data to a leak website, and another employs bots to handle everything from sample file decryption to payment. “This takes the ransomware starter pack to the next level by facilitating payments and essentially automating one of the most lucrative cybercrimes,” Little says.

Final thoughts

Most small business owners believe their companies are not worth the bother. Little’s list of new problems suggests otherwise. Cybercriminals pay little or no attention to company size and structure until access has been achieved, after which it’s easy pickings to steal or freeze data and start the automated extortion process.

“We can expect these problems, both new and old, both human and technical, to persist well beyond 2021,” concludes Little. “No cybersecurity solution is 100% foolproof; but as long as organizations educate their users, their IT teammates, and maintain a healthy amount of skepticism, many problems are solved, and, better yet, potential attacks are thwarted.”

Lance Whitney confirms Little’s prediction in his TechRepublic article Ransomware attackers are now using triple extortion tactics, where he describes yet another new and problematic type of ransomware.