Your Regular, 'Uninteresting' Business Is a Target for Cybercriminals
Most small and midsize organizations don’t think of themselves as cyber targets because they don’t deal with high-profile people or services. But today’s cybercriminals aren’t just looking for Fortune 500 companies; they’re looking for easy targets. That means local retail shops, restaurants, contractors, nonprofits and offices are vulnerable to cybercriminals.
Smaller businesses and organizations are targets
Businesses with employees who use email and online systems, but that lack cybersecurity protocols, are easy targets for hackers. They break into networks and scan systems for sellable data, such as customer and employee data, credit card numbers, vendor data, and logins. This data can be sold on the dark web. Criminals also use your data against you to create more convincing phishing scams that look and sound like vendors and employees you trust.
What cybercriminals look for
Cyberattacks are increasingly automated, especially with AI-powered tools increasing efficiency. Criminals use software that constantly scans the internet for easy opportunities, such as:
- Weak passwords
- Unpatched software
- Public Wi-Fi connections
- Unsecured email accounts
- Online payment systems without safeguards
- Cloud software or application programming interfaces with weak cybersecurity (APIs let software programs communicate and share data with each other.)
- Mobile apps with poor security
- Employee use of public, third-party online tools, like ChatGPT
Common attacks on businesses
Here are some examples of incidents that happen to businesses:
Stolen customer, vendor, donor or employee data
Names, addresses, payment card numbers, email addresses, account logins, and health and financial details are valuable on the dark web. Criminal operations have niche specializations. Some specialize in obtaining information they can sell to other criminals who run complex phishing scams. Never assume your data isn’t useful to someone.
Email scams and fraud
Hackers can impersonate vendors, executives or staff. A single spoofed email can redirect outgoing payments or trick someone into sending sensitive information. These scams focus on creating the best possible fakes to pique someone’s interest and prompt them to act.
Ransomware
Your networked systems can be locked without warning. These include point-of-sale, scheduling and accounting systems, as well as donor lists, customer files and employee data.
Once you’re locked out, the hackers will demand payment to restore your access. Meanwhile, the downtime halts your operations. The criminals set a ransom amount they believe your company can pay. The goal is a fast payout, which is why ransom demands can range from $1,000 to $100,000 or more. For example, a ransom of $2,000 may seem low, but if you successfully extort 30 companies a week at that price point, you’re talking serious cash.
Business email compromise
Cybercriminals can gain access to an email account and quietly monitor its messages. Then they’ll step in at the right moment to change payment instructions or send fake invoices. Think of this as a switch operation. Rather than launching an entire fake email campaign to many employees in a company, hoping one person will fall for the scam, they focus on an individual’s account.
For example, a scammer might hack into a staff accountant’s email to learn about the typical types of emails the accountant receives from vendors. Then, they create a fake email from a trusted vendor and instruct the accountant to wire cash to the vendor’s “new” account. Meanwhile, the real vendor has no idea it’s occurring, and the scammers make off with the cash.
Website and social media takeovers
Small businesses often rely on a single login to manage webpages or social accounts. If these resources are compromised, an attacker can post harmful content, steal customer information or damage your brand. Think of these as smear campaigns, usually designed to work in tandem with a ransom demand. Other times, they're politically motivated by activist hacking groups, or “hacktivists.”
Practical steps to lower your cyber risk
You don’t need a large IT department to strengthen your defenses. Start with these simple measures:
Use strong passwords and multifactor authentication
Require a second verification step (multifactor authentication) for email, payroll systems and online banking. This can block most unauthorized logins, even when a password has been stolen.
Update software regularly
When systems remain outdated, cybercriminals can exploit known vulnerabilities. Turn on automatic updates whenever possible.
Train employees
Teach your employees to recognize suspicious emails and to hover over links before clicking. Train them to use strong passwords and never share their login credentials. Make sure they feel comfortable questioning unexpected payment changes or other financial requests. Have a way for them to report phishing attempts and other inbound scams. Here are some free training resources:
- Cybersecurity & Infrastructure Security Agency Learning
- Federal Trade Commission’s Cybersecurity for Small Business
- Amazon Cybersecurity Awareness Training
Back up your data
Schedule routine backups, ideally offline or in a secure cloud environment. This will allow you to recover quickly if your systems become encrypted or damaged.
Limit access to sensitive information
Give employees only the access they need for their roles. Fewer access points mean fewer opportunities for attackers. For example, cybercriminals will leverage lower-level accounts to see if they can access high-value software. From there, they will crawl through the system, creating new accounts and hijacking other logins until they find an admin credential that lets them easily take over your systems.
The indirect cost of a cyberattack
Cyberattacks can be devastating to your finances and operations, especially if you’re a smaller business. Even a short outage can affect your revenue, erode community trust, interrupt scheduled work and put contracts in peril.
Many organizations encounter the following challenges after an attack:
- Lost income due to downed systems
- Emergency IT recovery costs
- Customer or donor notification requirements
- Legal and regulatory fines
- Mandatory credit monitoring for affected accounts
- Reputational harm, especially if payment or personal data is stolen
- Long-term business disruption, including lost contracts
Added costs required to increase cyber defenses
After a hack, you’ll need to invest significant resources to repair compromised systems and improve your cybersecurity. Hiring a forensic IT specialist or an outsourced IT firm is usually necessary to determine how the hackers accessed your network. Even if you paid the ransom or ran anti-malware on your systems after the attack, the hackers may return. They know how to exploit your systems and might do it again just to show they can. Increasing your cyber defenses is critical, but costly.
Why cyber insurance matters
Even with safeguards in place, no business is immune to cyber threats. That’s where cyber liability insurance comes in. Cyber insurance helps you recover after a cyberattack or data breach so you can:
- Restore your data and systems
- Replace lost income and pay extra expenses when systems are offline
- Notify affected customers and begin mandatory free credit monitoring
- Pay legal and regulatory fees
- Recoup costs from fraudulent payment losses
- Launch a PR campaign to restore your reputation
Ask yourself these questions
Answering these questions before your business insurance renewal can strengthen your coverage and reduce surprises:
- How would our business respond if we suddenly couldn’t access our systems?
- Do we store or process any sensitive customer, employee, donor or payment information?
- Has our technology changed (e.g., new software, online sales tools, APIs and integrations, apps, digital payments, or remote workers)?
- Do we have a data breach or incident response plan to follow if we are hacked?
Call us for a cyber review
Cyberattacks are fast, automated and opportunistic. Businesses of all types and sizes are potential targets.