B2B The Grand Strand

Keeping Safe From Cyberattacks

Oct 02, 2024 08:50AM ● By Kevin Dietrich

(123rf.com image)

Years ago, small businesses considered themselves pretty much immune from cybercrime. Hackers, it was thought, were only interested in large, asset-rich targets.

No longer. Mom-and-pop operations and giant corporations alike are vulnerable today because cybercriminals go where the money is – whether it’s a king’s ransom or just a few hundred dollars. 

Many hackers focus on smaller operations to avoid the risk involved with attempting to breach a Fortune 500 company. Instead, they concentrate on fleecing myriad smaller businesses for lesser sums that add up over time.

“What we’ve seen over the past three or four years is a sharp increase in the number of small- and medium-sized businesses being impacted by cybersecurity events, events that used to be reserved for bigger companies,” said Chris Jenkins, a partner with accounting firm Cherry Bekaert in Greenville.

“These companies used to be rarely touched by cybercrime, but now we’re seeing more and more incidents where operations and revenue are negatively impacted,” he added.

This is a significant development for smaller companies. Cyberattacks such as malware, ransomware, phishing, and data breaches can be debilitating for large organizations, but they are often catastrophic for small- and medium-sized businesses. Sixty percent of small businesses end up closing within six months of falling prey to a cyberattack, according to cybersecurity firm StationX.

Nearly three of every four businesses with fewer than 1,000 employees faced a cyberattack last year, and 58 percent of those suffered a breach, StationX reported. Many firms were attacked on a monthly basis. 

Some 61 percent of victim organizations lost a minimum of $10,000 to hackers in 2023, cybersecurity leader Stu Sjouwerman wrote in Forbes earlier this year.

Cyberattacks, defined as computer system breaches by outsiders, are big business. The total cost of cybercrime reached $8 trillion worldwide last year, and it’s anticipated that figure will grow to $10.5 trillion next year, according to USA Today.

Here in South Carolina, more than 3 million residents – individuals and businesses – were affected by security breaches last year, more than triple the number in 2022, the South Carolina Department of Consumer Affairs reported.

South Carolinians registered nearly $120 million in losses to cybercrime during 2023, according to the Internet Crime Complaint Center, an arm of the FBI. That put the state 26th in the nation, down one place from the previous year even though Palmetto State losses rose 20 percent year over year.

“To be blunt, small businesses in South Carolina and elsewhere have good reason to be worried. Companies of all sizes have reasons to be worried,” said Clemson University Professor of Electrical and Computer Engineering Richard Brooks. “If there’s a place where money can be gotten, cybercriminals will try.”

The most common forms of cybercrime that small businesses face are malware (18 percent), phishing (17 percent), data breaches (16 percent), denial-of-service attacks (12 percent) and ransomware (10 percent).

Small businesses, particularly those with fewer than 100 employees, are seen as targets of opportunity by hackers because they often fail to implement the cybersecurity precautions of bigger companies. 

This could be because they don’t have dedicated information technology professionals – either on staff or through a vendor – or don’t think they can afford what it costs to beef up security. Some small organizations believe they’re too modest to be a target, while others simply don’t want to go through the work involved with bolstering cybersecurity.

“Over the past 12 months, there has been a dramatic spike in cyberattacks against small businesses,” cybersecurity firm Astra Security wrote in August. “Unfortunately, this trend is only going to continue in the years to come. As small businesses move their operations to the cloud and adopt more advanced technologies, they become increasingly vulnerable to attack.”

Cherry Bekaert has a number of small- and medium-sized business clients that have been attacked, and in some cases the clients’ ability to generate revenue was compromised.

“What we’re seeing now is a pretty prolific impact to businesses,” Jenkins said. “These are companies with, say, $100 million in revenue who are becoming victims of attacks, sometimes by state players in Iran and North Korea. And this is happening because there’s money to be made.”

Small- and medium-sized businesses can be more attractive targets because they’re often easier to hack and perpetrators are less likely to be caught, according to Zach Hogeboom, chief executive of Charleston’s Portside Technology, a computer support and service firm.

“There may be a lot more money in a Bank of America or a Boeing, but it’s also a lot harder to steal from them,” he said. “And if you do manage to hack their systems, you’re more likely to be pursued.”

Phishing, malware and data breaches are regular threats for small- and medium-sized businesses. Of course, these are the same dangers that big organizations face, as well:

Facebook and Google lost more than $100 million in a phishing scam perpetrated by a Lithuanian hacker and his associates a decade ago. With phishing, hackers employ email to try to get employees to reveal sensitive information or download malware. The overseas group created emails using fake email accounts and then sent fake invoices to employees at the tech giants.

This summer, the town of Summerville was hit by a ransomware attack that resulted in the “potential exposure of data, which may have included personally identifying information” such as driver’s license numbers and addresses. Ransomware, a type of malware, is malicious software that can block access to some or all of an organization’s data and files. Hackers can encrypt the information or threaten to release it publicly if a ransom isn’t paid.

In South Carolina, there were 70 data breaches that each affected more than 1,000 individuals in the first six months of 2024, according to the S.C. Department of Consumer Affairs. Data breaches are the unauthorized exposure or loss of personal information, such as Social Security numbers. One attack earlier this year affected more than 1 million South Carolinians while another touched nearly 850,000.

Officials with Portside Technology, which has fewer than 20 employees, understand there are bad actors constantly trying to infiltrate their system.

“I guarantee there are people out there trying to log in as us right now,” Hogeboom said. “But that doesn’t make us special; it’s happening everywhere. I’ve had customers with just 10 employees get attacked by ransomware, with the criminals demanding $100,000 to unencrypt the data.”

One of the problems with cybercrime is that many attacks come from overseas, according to Clemson’s Brooks, who said in some poorer parts of the world individuals who can’t find good jobs after graduating from college will sometimes choose to go into cybercrime.

“There are many countries where if you’re not attacking local companies, (authorities) see computer crime as a good source of income,” he said. “North Korea is funding its nuclear program through cybercrime, and Russian citizens are generally pretty happy to help the government when given the choice between that and jail.”

Among reasons foreign actors are targeting U.S. small businesses is that their cybersecurity posture tends to be poor, and small businesses cannot meet their own IT needs internally, instead relying on outside firms, the Council on Foreign Relations wrote earlier this year.

“Increasingly, small businesses are being farmed by government and criminal groups from China, Iran, North Korea, and Russia via ransomware, business email compromise, and invoice fraud,” the organization stated.

And, as too many business owners have discovered, it’s very difficult to retrieve money and sensitive data from foreign criminals. Ransomware operators often demand payment in cryptocurrencies such as Bitcoin because it’s easier to keep accounts anonymous and hard to track. 

There are remedies companies of all sizes can embrace to reduce their chances of becoming a cyberattack victim:

· Implement regular cybersecurity training. Teaching employees to recognize and report suspicious emails can go a long way toward preventing phishing attacks.

· Back up data often. Businesses should back up all data to an external hard drive or the cloud. This will ensure an organization’s information is safe even if its systems are attacked.

· Employ multifactor authentication. When companies rely on multifactor authentication, or MFA, to access their information, it adds an extra barrier for unauthorized users to hurdle. MFA can involve requiring users to undergo a second round of authentication after entering a password, such as entering a code sent via text message or email.

· Encrypt data. Encrypting sensitive data can keep criminals from accessing and misusing it.

· Consider cyber insurance. Cyber insurance is commercial insurance coverage that protects businesses from losses associated with cyberattacks.

Cloud service providers offer a means for smaller businesses to protect themselves without having to hire dedicated IT professionals. Cloud service providers employ advanced security measures such as advanced encryption, firewalls and regular security audits to protect client data and applications.

Using cloud services offered by large vendors such as Google, Microsoft, and Amazon can improve security and better protect valuable assets because large providers employ massive resources to protect against hackers. Microsoft alone has nearly 1 million security customers, and its security business had revenues of more than $20 billion last year.

But relying on a major company for security isn’t risk-free. Last year, for example, Chinese hackers accessed Microsoft’s systems, which was problematic because nearly all U.S. government computers run on the tech behemoth’s computers. Criminals were able to access emails from the Secretary of State, the Secretary of Commerce, and other senior officials.

Early this year, Microsoft discovered that a Russian-based syndicate of cybercriminals had breached the company’s computers to spy on staff email inboxes and steal emails from customers.

Several major companies providing cybersecurity services have been compromised in recent years, Clemson’s Brooks said.

Small firms can’t compete with big cybersecurity providers in terms of protection, so going with one of the big players seems like a wise decision. But if bad actors hack a major provider, those same small companies could be at just as much risk.

“The problem is, if you handle your own security, odds are you’re getting less than great security,” Brooks said. “But if you’re buying top-notch security along with top companies and the U.S. government, you’ve got the same target on your back as they do.”
