Cofounder and chief marketing officer at Coro.
Myth: Why would cybercriminals target me? My company is way too small to be on their radar.
Myth busted: Think you are flying under a cybercriminal's radar because your company is too niche, your brand is unknown or your operations aren't deemed critical? Think again.
Cash App, Microsoft, Uber, Red Cross: It's true that the breaches that garner the most media attention tend to be from large, well-known companies. It's also true that these companies have millions to spend on cybersecurity prevention, detection and remediation. They have the tools in place to know the second an attack happens and put all their resources into stopping it. And if that doesn't work and a breach is successful, they typically have the means to launch an investigation and overcome any regulatory, financial or reputational fallout.
On the flip side, small- and mid-market companies often don't have the IT or security teams that enterprises do, not to mention the budget to invest in cybersecurity tech. This is the very reason why cybercriminals attack smaller and mid-size companies with equal vigor: because they often get away with it. SMBs are like fresh meat for cybercriminals. And in today's climate of economic uncertainty, cybercriminals are looking to sneak up on their prey, attack quickly, make a quick buck and move on.
What do I need to look out for?
More than three-quarters of SMBs said they were negatively impacted by cybersecurity attacks in 2022, representing a 20% increase in just two years. If that trend continues, nearly all SMBs will be impacted by a threat soon. While there is no shortage of attack types, there are a few threats that we predict will be of growing concern to SMBs as we head into 2023.
- Ransomware attacks will continue to grow.
Ransomware has been around for a long time and shows no signs of slowing down, with global damages forecasted to exceed $30 billion this year. Small businesses and those industries without strong security postures—including manufacturing, education and healthcare—are particularly vulnerable. We'll also see a rise in ransomware as a service (RaaS) among SMBs. RaaS sells ransomware to criminals known as 'affiliates,' enabling anyone with little technical skill to initiate a financially-motivated ransomware attack and hold a company's data hostage. According to TechTarget, 'RaaS expands the accessibility and potential reach of ransomware. Instead of a single group using ransomware code to attack victims, many groups of attackers can use RaaS to exploit victims with a ransomware infection.' Groups such as the Hive ransomware gang have gained notoriety for using RaaS to hit over 1,000 businesses and collect over $100 million in ransom payments over the past year and a half.
- SMBs will become primary targets in business email compromise (BEC) attacks.
More than one-third of cyberattacks during the first half of 2022 were BEC attacks, and this is only expected to rise in 2023. Small and medium-sized businesses are more often finding themselves the victims of these threats, and they don't have the means to absorb the financial losses as larger enterprises might. The average amount of money requested in wire transfer BEC attacks jumped 69% from Q4 of 2021 to Q1 of 2022 to over $84,000. SMBs need to recognize the red flags and prevent these attacks before they make a huge financial dent.
- Malware will become increasingly polymorphic.
Malware (or malicious software)—which you probably know as a trojan horse or a worm—is most commonly deployed through phishing emails. Though malware is not new, we'll see it evolve further in 2023 and become polymorphic. With even the smallest adjustments to its code, malware can evade detection by common tools and go on to wreak havoc.
- Deepfake technology will become more widely used.
It's nearly impossible to distinguish deepfake videos and audio from the real thing, making it a great weapon for cybercriminals. For example, cybercriminals can use deepfake tech to impersonate executives and request money transfers as part of a BEC scheme. The FBI is also warning businesses that criminals are using deepfake tech to create fake employees and apply for remote-work positions to gain access to corporate information.
How can I protect my company?
There are steps that SMBs can take to proactively protect themselves from these growing cybersecurity threats, even if they don't have the budget to build out a full-fledged security team.
First and foremost, let's agree that people will always pose the greatest risk. With this in mind, SMBs can put in the work to build a cybersecurity-aware culture. It's critical to continually train all of your staff on your security policies and which red flags and warning signs to look out for. Encourage your employees to question every email, text message or link that comes their way. Prompt them to stay on top of the latest threats and attacks and subscribe to cybersecurity newsletters.
Also, evaluate which technologies might help you safeguard your company and remain compliant without breaking the bank—there are comprehensive tools out there that can provide enterprise-grade cybersecurity at SMB-friendly budgets. Consider that while you need the first line of defense that will hopefully block the threats from the beginning (such as email protection and multi-factor authentication), it's also important to have a tool that will stop any widespread harm if these attacks do get through to your systems (such as data security and end-point protection). Tools that utilize AI and machine learning can help protect against all of these threats as they continue to evolve and become more sophisticated.
Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.