Small businesses increasingly vulnerable to cyberattack

Experts say cybercriminals targeting entrepreneurs with ransomware and other tactics


This is the third of several articles to mark Cybersecurity Awareness Month, an annual outreach begun in 2004 by the National Cyber Security Alliance & the U.S. Department of Homeland Security.

Most small business owners love the independence and sense of control their work provides. In fact, 81 percent of business owners say they’re happy in their work.

While small business owners may be free from many of the issues larger companies face, entrepreneurship doesn’t include freedom from cyberattacks. Small businesses need a cybersecurity strategy to protect not only the business but also their customers’ data.

The Small Business Administration says small businesses make attractive targets. Not only do they have information that cybercriminals want, they typically lack the security infrastructure of larger businesses.

“In 2021, anonymity or size of business is no longer a viable defense,” said Viasat’s Technical Director of Cybersecurity Operations Lee Chieffalo. “If you expose your business to the internet, you will be attacked.”

According to the FCC, theft of digital information has become the most frequently reported fraud, surpassing physical theft.

The most common cyberattacks include malware, viruses, phishing, and ransomware.

Ransomware is a particularly serious threat. This specific type of malware restricts access to a computer until a ransom is paid. And of all the forms of cyberattack, it’s growing the fastest.

“Ransomware has really changed the game in that you’re no longer safe just because you don’t do anything technical or because the things you generate are not worth stealing,” said Alex Amirnovin, director of products and chief architect for Viasat’s Cybersecurity Services. “The data you have, and the business you have, puts you at risk.”

Ransomware gangs

Cybercriminals have even created their own industry, offering “Ransomware-as-a-Service.” Ransomware developers lease their business models, enabling subscribers with minimal technical knowledge to launch their own attacks.

Cyberthieves know that a business owner’s data and the business itself, while less valuable to them, are tremendously valuable to the owner. They often tailor their ransom demands to the businesses they’re attacking.

“There are ransomware gangs that only target businesses of that smaller level because they’re only going to ransom you for a couple hundred bucks,” Chieffalo said. “If you’re a $150,000 company, they’re not going to ask for $150,000; they’ll ask for $500 or $1,000. And in most cases, small businesses can and will pay to just get rid of the headache.”

Cybercriminals will even offer to connect a business owner to a help line that will walk them through setting up bitcoin and paying the ransom.

“It’s a very well-oiled machine working in a target-rich environment on a global scale,” Chieffalo said.

Ongoing shakedown

Too often, the ransom request isn’t a one-time occurrence. Cybercriminals may demand a monthly or quarterly protection fee to ensure a business owner’s operation will not be compromised — and in exchange for keeping other ransomware gangs at bay.

For those working in the ransomware industry, that’s just another day at the office.

“A lot of these young hackers who did this back in the day for the joy of it have grown up to be businesspeople,” he said. “There are now dark-web venture capitalists who are basically shopping out and building an entire organization, like a startup. It’s run like a business, but it’s underground.”

Because they are using cryptocurrency, and because many of the attackers operate outside the U.S., law enforcement typically cannot trace the transactions. That makes it difficult to capture the criminals and stop the activity.

Another obstacle for small business owners: Sophisticated cybersecurity protection doesn’t come cheap. And that’s out of sync with the limited budgets most small business owners have.

“If you don’t have an IT staff, most of the onus for protecting your business is going to come from yourself,” Chieffalo said. “Education is important. Business owners should apply the same level of attention to cybersecurity as they do to locking doors and other physical security.

“With cybersecurity, however, it’s not like you can just put a lock on the front door and leave it. It’s a continuous level of vigilance, especially as you grow in the digital space.”

How businesses can protect themselves

Alarming as it all may sound, Chieffalo and Amirnovin said business owners don’t necessarily need to take dramatic or costly steps. They just need to do enough to make accessing their system a challenge.

“Time is money. So if your door is a little harder to break down, they’re just going to move to your neighbor,” Amirnovin said. “As long as the environment is as target-rich as it is, they’re not going to need to go far to find a target.”

Here are a few tips to help keep your business cybersecure:

  • Keep your operating system updated.

Software updates not only make software and operating systems run more efficiently, they add security and fix vulnerabilities. Updates install over current program versions, and most don’t adjust customized settings or delete saved data. So taking a few minutes to update your programs, or ensuring your devices and programs update automatically, is a simple but effective strategy.

  • Use strong passwords with two-factor authentication, and ensure your employees use them as well.

Require yourself and your employees to use unique passwords and change them regularly. Consider using multi-factor authentication; it requires information beyond a password — like a code sent to your phone — to gain entry to a network.

  • Invest in a good router.

You don’t have to break the bank, but neither should you go for the most inexpensive router for your business. There are many secure routers that feature built-in security controls and services to monitor your network around the clock.

  • Protect your Wi-Fi network.

If you have a Wi-Fi network for your business, make sure it is secure, encrypted, and hidden. Set up your wireless access point or router so it does not broadcast the network name or Service Set Identifier (SSID). Don’t give out the password to too many people, and change it regularly.

The FCC provides a website with tips and resources specifically for small businesses.

For businesses that want to go a step further, Viasat offers enhanced cybersecurity services available to all U.S.-based private and public sector enterprises. Viasat partnered with the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to create the service.

Through it, Viasat curates DHS-provided sensitive and classified cyber threat information, which it uses to protect a customer’s network. Using a systematic approach to apply specific knowledge of adversary tactics, techniques, and procedures, Viasat can immediately alert the customer if a threat is detected, and then help with the appropriate response.