Cybersecurity threats to small business


28th June, 2022

Top 5 cybersecurity threats to your small business in 2022

Whether you transact with customers online or just use internet banking for business, here are cybersecurity threats you’re potentially exposed to.

If you’re operating in the global economy, you’ll be aware of reports that cybercrime is on the rise. In fact, there has been a whopping 600 percent increase in cybercrime since the start of the COVID-19 pandemic.

In most cases, attackers rarely pay attention to the size of an end-user organisation, and while targeted attacks that pay bigger dividends are on the increase, the current sophistication and proliferation of cyber attacks mean that all companies are facing increasing levels of risk.

Let’s break down the top five cybersecurity threats that are targeting small businesses in 2022.

They are:

  • Phishing attacks
  • Malware attacks
  • Ransomware
  • Web Exploit attacks
  • Insider threats

Phishing attacks

Phishing is when attackers attempt to trick users to click bad links that download malware, or misleading users with a scam website or fake payment gateway.

Arguably the most damaging and widespread threat that faces small businesses come in the form of phishing attacks. Phishing can be conducted via a text message (smishing), social media, or by phone (vishing), but the term ‘phishing’ is mainly used to describe attacks that arrive by email.

Typical defences against phishing often rely exclusively on users being able to spot phishing emails. But with phishing crime accounting for 90 percent of all breaches that organisations face, a wider defence is needed.

Expert Insights recommends having a strong Email Security Gateway like Proofpoint Essentials or Mimecast in place to help prevent phishing emails from reaching your employees inboxes. Cloud-based email security providers such as IRONSCALES can also be to secure your business from phishing attacks.

These kinds of solutions allow users to report phishing emails, and then allow admins to delete them from all user inboxes across your business.

Malware attacks

The second biggest threat facing small businesses comes from malware. Malware, short for “malicious software,” refers to any intrusive software developed by cybercriminals to steal data and damage or destroy computers and computer systems.

These attacks are particularly damaging for small businesses because they can cripple devices, which requires expensive repairs or replacements to fix. They can also give attackers a back door to access data, which can put customers and employees at risk.

Business can prevent malware attacks by having strong technological defences in place. Two commonly used practices to avoid malware come from ‘endpoint protection’ such as that offered by ESET, allowing administrators to manage all devices and keep users’ security up to date, as well as web security like that offered by WebTitan, which stops users from visiting risky sites.

Ransomware attacks

Ransomware is one of the most common cyber attacks, hitting thousands of businesses every year. It is a form of malware, but it is different in the sense that it can lock your company’s devices and then demand a ransom for their release.

Expert Insights reports that small businesses are especially at risk from these types of attack. Reports have shown 71 percent of ransomware attacks target small businesses, with an average ransom demand of $116,000.

Attackers know that smaller businesses are much more likely to pay a ransom, as their data is often not backed-up and they need to be up and running as soon as possible.

To prevent these attacks, again, businesses need a strong endpoint protection, as well as having an effective cloud backup solution in place to mitigate against any data loss.

Web exploit attacks

Web exploit attacks use gaps or flaws in your online software, or the online tools you use, to gain access to your sensitive data.

Mimecast explains in detail: ‘Web applications can be exposed to attacks for a variety of reasons, including system flaws that stem from improper coding, misconfigured web servers, application design flaws or failure to validate forms.

‘These weaknesses and vulnerabilities allow attackers to gain access to databases that can contain sensitive information. Because web applications must be available to customers at all times, they’re an easy target for attackers to exploit.’

So while there’s a large variety of web application attacks, there are application security programs designed to protect against a large portion of them. They include automated vulnerability scanning and security testing that help organisations find, analyse and mitigate vulnerabilities and misconfigurations, web application firewalls to protect and block against malicious traffic.

Some offerings may even provide secure development testing, where security teams will consider the results of attacks on a system and then work to make it as secure as possible.

Insider jobs

While not a common threat, it’s important to understand that insider jobs are growing in frequency, with a Verizon study showing over 30 percent of data breaches were caused by insider threats.

An insider threat is a risk to an organization that is caused by the actions of employees, former employees, business contractors or associates. These actors can access critical data about your company, and they can case harmful effects through greed or malice, or simply through ignorance and carelessness. To block insider threats, small businesses need to ensure that they have a strong culture of security awareness within their organization.

A holistic approach to cybersecurity

While no set of mitigation strategies are guaranteed to protect against all cyber threats, organisations are recommended to implement eight essential mitigation strategies from the Australian Cyber Security Centre’s Strategies to Mitigate Cyber Security Incidents as a baseline. This baseline, known as ‘the Essential Eight’, makes it much harder for adversaries to compromise systems.

In New Zealand, the National Cyber Security Centre offers similar guidance to individuals and businesses on its website.

Tommy Viljoen, Partner of the Risk Advisory team at Deloitte, writes: ‘Most organisations put the castle walls up very high, but if they’re unaware of what’s being planned against them, they can’t adjust. They can only hope that their defences are adequate for the attack. Intelligence is the key.’

Business owners and IT departments need to determine effective strategies for operating securely, knowing which security controls will reduce their exposure to cyber attacks, and how they can establish and maintain shareholder and customer trust in IT systems. This can often be confusing, with multiple program providers and software that requires regular updates to work effectively.

Stay in the know

Sign up for added insights and business-critical news from MYOB.

A valid email is required
Congratulations! You've successfully subscribed to our newsletter!
Something went wrong

One local company offering a holistic approach to thwart cybercriminals is CyberStash.

Loris Minassian, Founder and Director of CyberStash believes cyber security cannot be achieved with tech alone, but that i’s the responsibility of everyone in a business to get it right.

“Technology alone cannot provide high levels of assurance to business and its stakeholders because it often fails or can be evaded by sophisticated attackers,” Minassian said.

“What’s required to establish trust in an IT environment is a supporting methodology that enables security analysts to independently validate the integrity of business systems.”

One thing is for sure, in a world where cyber attacks are bound to happen, businesses need to be prepared.

The dangers of cyberattacks don’t just stop at the loss of personal or company information. They can also cost businesses thousands, and sometimes even millions.

The best way for businesses to protect against these threats is to have a comprehensive set of security tools in place, and to utilise security training for all staff to ensure that users are aware of security threats and how to prevent them.