When a cybercrime incident makes the headlines, it’s almost always because of an attack on a large organization. Because of that, IT leaders at small to midsized organizations have been lulled into believing that their organizations aren’t targets of cybercriminals. They are wrong. Previously, only large businesses were forced to navigate the security risks involved in protecting sensitive data, but businesses with fewer than one thousand employees are now squarely in the sights of cybercriminals. With the burgeoning adoption of cloud email services such as Office 365 by small to midsized businesses, the same attack vectors used against large businesses can now also be used against small and midsized ones.
With the rise in email phishing, expediency is vital. For the safety of your organization's data and internal systems, the deployment and enforcement of critical solutions are essential to protect all levels of your business now, and for future growth.
Small Businesses Are The Preferred Target For Email Phishing
According to the FBI's Internet crime division (IC3), email phishing attacks are among the most commonly reported cybercrimes because they are extremely profitable for the perpetrators. The estimated loss to businesses (that report the crimes) amounts to over a billion dollars annually.
Contrary to the popular belief that email attacks require sophisticated levels of technology, they are a relatively low-tech cybercrime that costs very little to initiate and relies on psychological cues and deception to defraud victims. An email attack requires only the name and contact information of a high-ranking person within an organization; with that, a scheme can be constructed.
Small-to-midsized businesses may not be directly in possession of large-scale data and resources, but they still have valuable business information, such as private customer data that could be used for identity theft, not to mention their own private data. They may also have insecure connections to larger companies with which they do business. An attack has the potential to cost your business millions through theft of or damage to your IT assets, or disruption to your regular business operations.
Classifications of Email Cybercrime
The volume of emails sent instantly around the globe each day makes email the top choice of cybercriminals. This method of communication allows the perpetrator to remain anonymous.
The three most frequent types of attacks are:
- Ransomware: This malware blocks the company's access to its own data. Access is restored once the company pays the ransom amount.
- Business Email Compromise (BEC): The perpetrator convinces the target recipient to send money or sensitive data that provides open passage to theft.
- Phishing: Clever social engineering aimed at specific individuals within the company is used to trick the victim into activating the criminal campaign, eventually compromising the entire organization.
Case Studies: Victims of Email Cyberattacks
We hear about large-scale enterprises being hacked, and while smaller organizations are not quite as newsworthy, the cyberattacks they suffered were just as crippling. Read about three of them below.
The Town of Matanuska-Susitna
During August 2018, government workers in this small Alaskan borough resorted to using typewriters and hand-written receipts after malware encrypted its email server, internal systems and disaster recovery systems. The town chose not to pay the ransom demand and was forced to completely rebuild its computer systems. The identification and remediation of the town's security vulnerabilities could have prevented this scenario.
East Ohio Regional Hospital and Ohio Valley Medical Center
Anyone seeking emergency care at East Ohio Regional Hospital and Ohio Valley Medical Center over a weekend in November 2018 was sent away because a ransomware attack had disabled the electronic system for admitting emergency patients. Fortunately, there was no breach of patient information, but the hospitals switched to paper charting as a safety precaution. With adequate security for all data layers, these hospitals could have continued to run their emergency facilities as usual.
Epoch Trading Post
Just prior to the biggest online shopping day of the year in December 2018, a cybercriminal hacked into the emails of a small business in New Jersey, acquiring ownership of its website domain. The offender forwarded the domain to a pornographic site, effectively shutting the business down. The owners were forced to abandon their company and begin anew under a different name. By encrypting their sensitive information, these small business owners could have saved their company.
Small businesses are simply not equipped with an IT department that can deploy the technology in anticipation of devastating data breaches like the ones you’ve read about above. Cybercriminals are aware of these low levels of preparedness and use them as a leverage point.
Sixty-two percent of email phishing attacks target small businesses, putting them at the greatest risk. The Alaskan borough and the hospitals recovered, but at tremendous expense. The small New Jersey business, by contrast, incurred irreparable financial damage and had to close.
With the increase in cyber attacks, businesses need to assess the risk. Decisions on cyber protection require them to quantify the cost of cyber protection versus the cost to recoup the loss in the event of an attack.
The Value Of A Security Assessment
A security assessment of your company's IT assets will identify vulnerable areas, but is not a cure-all solution. The next step is to address the gaps in security through deployment of proactive initiatives. When exploring pragmatic solutions, consider email security programs that are compatible with your current network resources, address your cybersecurity concerns and work within your budget.
Schedule A Consultation
Lack of financial resources, time, staff and expertise are common challenges faced by small businesses, and they can make identifying a solution that addresses a business's unique requirements exceptionally difficult. Our advice is to find a partner with security solutions tailored to restrict attacks on your company at every level because, clearly, small to midsized businesses have become prominent targets for email phishing attacks. Schedule a consultation today with industry leaders in cybersecurity.