SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers

Small businesses targeted by cyber criminals for data

Thu, 21st Dec 2023

For much of the last decade, big money in cybercrime came from ransomware attacks against big organisations. That threat persists. But criminals will likely shift their focus towards small and medium-sized businesses (SMB). And the consequences for consumers will be huge.

Crimes of convenience

The use of Software-as-a-Service (SaaS) technology for core business functions continues to integrate SMBs into the global supply chain. And because any vulnerability potentially offers attackers a way into other organisations in the chain, criminals often take advantage of the weaker security measures employed by SMBs.

Meanwhile, the cybercrime black market has mirrored innovations in legitimate services. Cybercrime-as-a-service makes campaigns easier and cheaper to carry out.

Smaller businesses already deal with more breaches than their larger counterparts. This trend is likely to escalate as big cybercrime groups focus on selling hacked access to other attackers, who can then fully exploit the stolen data to craft hyper-personalised scams, greatly increasing the success rate of their schemes. And that's just the beginning.

A perfect storm

In this evolving landscape, attackers can also exploit the social media or email accounts of compromised businesses. This gives them the ability to weaponise the company's hard-won credibility, creating a perfect storm of deception that can be used to spread disinformation or cybercrime campaigns.

This intersection of compromised business credentials, weaponised credibility, and diversified attack vectors creates a multifaceted threat landscape. The potential for widespread deception and financial losses for consumers is exacerbated by the perfect storm these elements can brew in the hands of cybercriminals.

Consider the scenario where a cybercriminal gains access to a small e-commerce business. Not only can they pilfer customer data for illicit purposes, but they can also infiltrate the company's social media channels. With control over the official accounts, the attacker can impersonate the business, sending out fraudulent messages or advertisements to the unsuspecting customer base. The resulting confusion can lead to a breakdown of trust as consumers struggle to differentiate between legitimate and malicious communications.

While websites have been infected to skim credit card numbers for years, we anticipate a surge in attackers embedding other malicious scripts into SME websites. This could involve mining cryptocurrency or redirecting users to fake updates. As a result, consumers may unwittingly fall victim to scams that operate in plain sight.

Moreover, this perfect storm extends beyond the digital realm. With access to compromised email accounts, cybercriminals can exploit business relationships. Imagine a scenario where an attacker, armed with sensitive information, masquerades as a trusted partner. The potential for fraudulent transactions, misleading communications, or even the sabotage of business deals becomes alarmingly real.

As the storm rages on, businesses face not only financial repercussions but also the daunting task of rebuilding trust and reputation. For consumers, the implications are equally severe. Beyond immediate financial losses, they may find themselves entangled in identity theft, facing a long and arduous journey to reclaim their digital lives.

This multifaceted threat landscape underscores the pressing need for a comprehensive approach to cybersecurity. Businesses, especially SMEs, must fortify their defences against both direct attacks and the insidious aftermath that follows. In a world where digital trust is fragile, proactive measures, such as employee training, robust security protocols, and continuous monitoring, become indispensable. The perfect storm may be brewing, but with strategic preparedness, businesses and consumers alike can weather the tempest of cyber threats on the horizon.

Expert Tip

Small businesses, such as cafes, hotels, or online shops, can strengthen their security defences by emphasising regular, robust consumer security habits. Enabling two-factor authentication across all services, consistently updating and patching software to address potential vulnerabilities exploited by cybercriminals, and being vigilant and aware of how threats spread all remain critical.

For SMEs, adopting managed security solutions specifically designed for businesses of their scale is very important. However, it's equally crucial to prioritise ongoing employee education, complemented by standard security practices like regular system updates.
 
The golden rule still stands: know the files you open, the links you click, and the apps you download on your device. It's your primary defence against potential cybersecurity threats.