Small and medium-size businesses are accepting that they are the most popular targets for cyber attacks.
The Verizon Data Breach Investigations Report (DBIR) shined a spotlight on SMB vulnerabilities earlier this year, noting that 61 percent of cyber-attack victims last year were businesses of fewer than 1,000 employees. Another study shows that one in three SMBS suffered a ransomware attack last year.
Marc Spitler, senior manager of Verizon Security Research, spoke to Channel Partners about two specific ways cyber criminals are targeting the demographic. Verizon reports that “threat actors” are more and more often targeting point-of-sale (POS) systems.
Spitler says SMBs are particularly vulnerable in this area because they often don’t have much control over it.
“We’re talking about small mom-and-pop shops, small retailers, food service, and they rely on somebody else manage the technical aspects of how they get paid. They have a point-of-sale vendor, and then they’ll have some level of access into their environment as support, troubleshooting, upgrades, etc.,” Spitler said. “We have seen people go to these point-of-sale vendors, compromise them, and then through that, they’re compromising the passwords they used, and they are using those to access their small and medium business customers.”
Weak authentication often allows criminals to infiltrate POS systems. Spitler defines weak authentication as “any remote access that relies only on a user name and password.” There must be at least an additional layer of authentication, and it almost goes without saying that default passwords are a no-no.
Another common threat facing SMBs is financial pretexting, which we highlighted in our recap of Verizon’s 12 major data breach scenarios. In this method, the perpetrator uses deception to trick an employee into directly wiring over company money. The attacker typically poses as a higher ranking member of the company sending an invoice to a member of the financial department. He or she sometimes create a “spoof” email address that has only one or two different characters from the actual employee’s email, and sometimes the attacker breaks into and takes over an actual company email account.
And the deception takes a lot of effort.
“They typically have done enough research or have enough knowledge to know, ‘Who are people who can push this button that can make this work for us?'” Spitler said. “They can’t just spam everybody in the organization with that. They need to actually have an idea of who the recipient is going to be.”
Channel partners can expect to bear much of the responsibility for educating their SMB customers and making sure proper security processes (including multi-layer authentication) are in place. Small businesses typically lack the resources and know-how to combat these threat actors, and hiring a cybersecurity officer is often out of the question.
“There’s a reliance on third parties a lot of times and a lot of outsourcing that’s done so they can leverage some of these economies of scales for people that are doing this for several people,” Spitler said.